Critical Secure Boot Flaw Exposes PCs To Bootkit Malware Attacks, Patch ASAP

A newly disclosed Secure Boot vulnerability puts a large number of PCs at risk of bootkit attacks, and security researchers are urging immediate patching. The flaw, tracked as CVE-2025-3052, was uncovered by Binarly Research and involves a signed UEFI module that lets an attacker disable Secure Boot and execute unsigned code during system startup, before the OS even loads. That, in turn, allows them to install a bootkit: malware that loads from the EFI System Partition and is largely invisible to security tools running inside the operating system.

At the center of the problem is a UEFI module for BIOS flashing that was apparently originally built for rugged devices from DT Research. That module is signed with Microsoft's widely trusted third-party "Microsoft Corporation UEFI CA 2011" certificate. Because that certificate is accepted by nearly every Secure Boot-enabled system (it is the same one used to sign Linux's shim bootloader), any module signed under it will be trusted on countless machines, regardless of which vendor it was built for.

[Image: How the exploit works. Image: Binarly]

The vulnerability stems from careless handling of a UEFI NVRAM variable. The module reads a variable named "IhisiParamBuffer" and uses its contents directly as a memory pointer, with no check that the address lies inside a buffer the firmware owns. Since NVRAM variables can be written from the operating system by an administrator, that gives an attacker an arbitrary memory write primitive, which can be used to disable Secure Boot's image verification entirely, opening the door to stealthy bootkits that operate below the OS and are potentially invisible to antivirus or EDR tools.
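The pattern behind the bug, reduced to plain C as an added illustration (this is not Binarly's proof of concept and not the DT Research module's code): a runtime-writable variable is consumed as a raw pointer, so whoever can set "IhisiParamBuffer" chooses where the handler writes. The in-memory NVRAM store, the `gSecurity2` stand-in for the firmware's image-verification protocol pointer, and the handler names are all constructed for the example; the hardened handler shows one possible code-level fix (accept only addresses inside a firmware-owned buffer), which is an assumption, not the vendor's actual patch.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for UEFI NVRAM: a handful of named variables. */
typedef struct { const char *Name; uint8_t Data[16]; size_t Size; } NvVar;
static NvVar gNvram[4];
static size_t gNvCount;

/* Constructed stand-in for SetVariable(). An OS administrator can reach the
 * real one (efivarfs on Linux, SetFirmwareEnvironmentVariable on Windows). */
static int SetVariable(const char *name, const void *data, size_t size) {
    if (size > sizeof gNvram[0].Data) return -1;
    for (size_t i = 0; i < gNvCount; i++) {
        if (strcmp(gNvram[i].Name, name) == 0) {
            memcpy(gNvram[i].Data, data, size);
            gNvram[i].Size = size;
            return 0;
        }
    }
    if (gNvCount == sizeof gNvram / sizeof gNvram[0]) return -1;
    gNvram[gNvCount].Name = name;
    memcpy(gNvram[gNvCount].Data, data, size);
    gNvram[gNvCount].Size = size;
    gNvCount++;
    return 0;
}

/* Constructed stand-in for GetVariable(): copies the stored value into out. */
static int GetVariable(const char *name, void *out, size_t *size) {
    for (size_t i = 0; i < gNvCount; i++) {
        if (strcmp(gNvram[i].Name, name) == 0) {
            if (*size < gNvram[i].Size) return -1;
            memcpy(out, gNvram[i].Data, gNvram[i].Size);
            *size = gNvram[i].Size;
            return 0;
        }
    }
    return -1;
}

/* Stand-in for the firmware global that points at the image-verification
 * (Security2) protocol. Once it is NULL, nothing refuses an unsigned loader. */
typedef struct { const char *Id; } Security2Protocol;
static Security2Protocol gSec2Impl = { "Security2 image verifier" };
static Security2Protocol *gSecurity2 = &gSec2Impl;

static int Security2Present(void) { return gSecurity2 != NULL; }
static void ResetSecurity2(void) { gSecurity2 = &gSec2Impl; }
static uintptr_t AddrOfSecurity2(void) { return (uintptr_t)&gSecurity2; }

/* VULNERABLE pattern: the variable's contents become the destination of a
 * write. Whoever controls IhisiParamBuffer chooses where the zeroes land. */
static int VulnerableHandler(void) {
    uintptr_t raw;
    size_t size = sizeof raw;
    if (GetVariable("IhisiParamBuffer", &raw, &size) != 0 || size != sizeof raw)
        return -1;
    uint8_t *param = (uint8_t *)raw;           /* no validation at all */
    memset(param, 0, sizeof(void *));          /* clears whatever lives there */
    return 0;
}

/* HARDENED pattern (assumed fix): the handler owns the parameter buffer and
 * only accepts an address whose whole write stays inside it. */
static uint8_t gParamBuffer[64];
static uintptr_t ParamBufferAddr(void) { return (uintptr_t)gParamBuffer; }

static int HardenedHandler(void) {
    uintptr_t raw;
    size_t size = sizeof raw;
    if (GetVariable("IhisiParamBuffer", &raw, &size) != 0 || size != sizeof raw)
        return -1;
    uintptr_t lo = (uintptr_t)gParamBuffer;
    uintptr_t hi = lo + sizeof gParamBuffer - sizeof(void *);
    if (raw < lo || raw > hi)                  /* reject anything out of range */
        return -1;
    memset((void *)raw, 0, sizeof(void *));
    return 0;
}

int main(void) {
    uintptr_t target = AddrOfSecurity2();      /* attacker learned this address */
    SetVariable("IhisiParamBuffer", &target, sizeof target);

    VulnerableHandler();
    printf("after vulnerable handler: Security2 present = %d\n", Security2Present());

    ResetSecurity2();
    int rc = HardenedHandler();
    printf("hardened handler rc = %d, Security2 present = %d\n", rc, Security2Present());
    return 0;
}
```

Run stand-alone it reports the verifier pointer gone after the vulnerable handler and intact after the hardened one. The point to take away is that the write itself is tiny (a few zero bytes), so the damage depends entirely on the attacker knowing a useful address, and firmware globals like the verification protocol pointer sit at fixed, discoverable offsets.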

Even worse, Binarly's analysis found that the issue wasn't isolated to this one module; Microsoft identified at least 14 affected binaries during coordinated disclosure. The mitigation landed as part of Microsoft's June 2025 Patch Tuesday, which added the hashes of the vulnerable modules to the Secure Boot forbidden-signatures database (dbx). Revoking by hash rather than by certificate blocks those specific binaries even though their signatures remain valid, while everything else signed by the same CA, shim included, keeps booting.
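To see what that update actually changes on a machine, here is an added example (not Microsoft's or Binarly's code) that walks a dbx blob, which is a sequence of EFI_SIGNATURE_LIST structures as defined in the UEFI specification, counts the SHA-256 entries and reports whether a given hash is revoked. The sample dbx bytes and the placeholder hashes are constructed for the example; the real hashes Microsoft added for CVE-2025-3052 are not reproduced here. A malformed blob is rejected rather than trusted, since a dump read from a file is input like any other.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SHA256_LEN 32
#define SIGLIST_HDR 28                  /* GUID(16) + ListSize + HeaderSize + SignatureSize */
#define SHA256_ENTRY (16 + SHA256_LEN)  /* EFI_SIGNATURE_DATA: owner GUID + hash */

/* EFI_CERT_SHA256_GUID c1c41626-504c-4092-aca9-41f936934328, on-disk byte order */
static const uint8_t kSha256Guid[16] = {
    0x26, 0x16, 0xc4, 0xc1, 0x4c, 0x50, 0x92, 0x40,
    0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28 };

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Walk every EFI_SIGNATURE_LIST. Returns the number of SHA-256 entries (lists
 * of other types, e.g. X.509 certificates, are skipped), sets *found if needle
 * was among them, or returns -1 if the blob is malformed. */
static long scan_dbx(const uint8_t *blob, size_t len,
                     const uint8_t needle[SHA256_LEN], int *found) {
    size_t off = 0;
    long seen = 0;
    *found = 0;
    while (off < len) {
        if (len - off < SIGLIST_HDR) return -1;
        const uint8_t *l = blob + off;
        uint32_t list_size = rd32(l + 16), hdr_size = rd32(l + 20), sig_size = rd32(l + 24);
        if (list_size < SIGLIST_HDR || list_size > len - off) return -1;
        if (hdr_size > list_size - SIGLIST_HDR) return -1;
        size_t body = list_size - SIGLIST_HDR - hdr_size;
        if (sig_size == 0 || body % sig_size != 0) return -1;
        if (memcmp(l, kSha256Guid, 16) == 0) {
            if (sig_size != SHA256_ENTRY) return -1;
            const uint8_t *s = l + SIGLIST_HDR + hdr_size;
            for (size_t i = 0; i < body / sig_size; i++, s += sig_size) {
                seen++;
                if (memcmp(s + 16, needle, SHA256_LEN) == 0) *found = 1;
            }
        }
        off += list_size;
    }
    return seen;
}

/* 1 if hash is revoked, 0 if not, -1 on a malformed blob. */
static int is_revoked(const uint8_t *blob, size_t len, const uint8_t hash[SHA256_LEN]) {
    int found;
    return scan_dbx(blob, len, hash, &found) < 0 ? -1 : found;
}

/* Constructed sample dbx: one SHA-256 list holding two placeholder hashes
 * (0x11.. and 0x22..), then a list of an unrelated type that a correct parser
 * must step over. Returns the number of bytes written, 0 if cap is too small. */
static size_t build_sample_dbx(uint8_t *out, size_t cap) {
    const uint8_t fills[2] = { 0x11, 0x22 };
    size_t n = SIGLIST_HDR + 2 * SHA256_ENTRY + SIGLIST_HDR + 20;
    if (cap < n) return 0;
    uint8_t *p = out;
    memcpy(p, kSha256Guid, 16);
    wr32(p + 16, SIGLIST_HDR + 2 * SHA256_ENTRY);
    wr32(p + 20, 0);
    wr32(p + 24, SHA256_ENTRY);
    p += SIGLIST_HDR;
    for (int i = 0; i < 2; i++) {
        memset(p, 0, 16);                       /* SignatureOwner: unused here */
        memset(p + 16, fills[i], SHA256_LEN);
        p += SHA256_ENTRY;
    }
    memset(p, 0xAA, 16);                        /* some other SignatureType GUID */
    wr32(p + 16, SIGLIST_HDR + 20);
    wr32(p + 20, 0);
    wr32(p + 24, 20);
    memset(p + SIGLIST_HDR, 0xBB, 20);
    return n;
}

int main(int argc, char **argv) {
    uint8_t sample[256];
    uint8_t *blob = sample;
    size_t len = build_sample_dbx(sample, sizeof sample);
    if (argc > 1) {                             /* a dump of the dbx variable */
        static uint8_t filebuf[1 << 20];
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }
        len = fread(filebuf, 1, sizeof filebuf, f);
        fclose(f);
        blob = filebuf;
        /* efivarfs prefixes the data with 4 bytes of variable attributes */
        if (strstr(argv[1], "/efivars/") && len >= 4) { blob += 4; len -= 4; }
    }
    uint8_t needle[SHA256_LEN];
    memset(needle, 0x11, sizeof needle);        /* placeholder hash to look up */
    int found;
    long n = scan_dbx(blob, len, needle, &found);
    if (n < 0) { fputs("malformed dbx\n", stderr); return 1; }
    printf("%ld SHA-256 entries, placeholder hash %s\n", n, found ? "revoked" : "not present");
    return 0;
}
```

Without arguments it runs over the constructed sample. To check a real machine, point it at the variable dump: on Linux that is `/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f`, and on Windows `Get-SecureBootUEFI -Name dbx -OutputFilePath dbx.bin` in an elevated PowerShell writes the same bytes to a file. Two caveats: the entries Microsoft ships are Authenticode hashes of the PE image, not plain SHA-256 of the file on disk, so that is what the needle must be; and a rising entry count after the update is a sign the revocation applied, but only a hash match against the published values proves a specific module is blocked.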


For regular users: getting the dbx update is the critical step here, so make sure your Windows updates are installed. Without it, an attacker with admin access could disable Secure Boot without leaving obvious signs, putting systems at risk of persistent malware that survives an OS reinstall and would require wiping the EFI System Partition and resetting the firmware to clean up. While exploitation requires administrator privileges to set the NVRAM variable and stage the signed module, the nature of Secure Boot bypasses makes this class of bug especially attractive to advanced threats.