Researchers have unearthed two publicly available exploits that completely evade protections offered by Secure Boot, the industry-wide mechanism for ensuring devices load only secure operating system images during the boot-up process. Microsoft is taking action to block one exploit and allowing the other one to remain a viable threat.
As part of Tuesday’s monthly security update routine, Microsoft patched CVE-2025-3052, a Secure Boot bypass vulnerability affecting more than 50 device makers. More than a dozen modules that allow devices from these manufacturers to run on Linux allow an attacker with physical access to turn off Secure Boot and, from there, go on to install malware that runs before the operating system loads. Such “evil maid” attacks are precisely the threat Secure Boot is designed to prevent. The vulnerability can also be exploited remotely to make infections stealthier and more powerful if an attacker has already gained administrative control of a machine.
A single point of failure
The underlying cause of the vulnerability is a critical vulnerability in a tool used to flash firmware images on the motherboards of devices sold by DT Research, a manufacturer of rugged mobile devices. It has been available on VirusTotal since last year and was digitally signed in 2022, an indication it has been available through other channels since at least that earlier date.