
Cloud Vulnerability DB
A community-led vulnerabilities database
An arbitrary write vulnerability (CVE-2025-3052) was found in DTBios and BiosFlashShell, two UEFI applications from DT Research that are signed under Microsoft's third-party UEFI certificate authority. Because the applications carry a valid signature, every system that trusts the Microsoft Corporation UEFI CA 2011 certificate in its db will execute them under Secure Boot, not only DT Research hardware. The issue was disclosed on June 10, 2025, and lets an attacker who can set an NVRAM variable from the operating system bypass UEFI Secure Boot (BINARLY Advisory, CERT VU).
The application reads the NVRAM variable 'IhisiParamBuffer' (GUID: 92E59835-5F42-4E0B-9A84-47C7810EA806) and uses its contents without validation, so whoever sets that variable controls the destination of a memory write performed by the signed application during boot. The CVSS privilege requirement (PR:H) reflects that local administrator rights are sufficient: an administrator on Windows or root on Linux can write UEFI variables from the running OS. Exploitation uses the write to modify the global pointer to the Security2 Architectural Protocol (gSecurity2), which the DXE core consults to authenticate images before executing them; once that pointer is corrupted, image verification no longer takes place. The vulnerability has a CVSS v3.1 score of 8.2 (HIGH) with vector CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H; Scope: Changed captures that a write from the OS privilege level subverts the firmware's own trust boundary (BINARLY Advisory).
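The following C program is an added illustration of the bug class described above, not DT Research's code and not Binarly's proof of concept. It models the two pieces the advisory names: a single simulated NVRAM variable that the OS side can set, and a mock of the Security2 protocol pointer (gSecurity2) that the boot path checks before running an image. The vulnerable handler treats the variable's content as an address and writes zeros there, so pointing it at gSecurity2 switches image verification off; the hardened handler treats the same content as bounded data. The function and variable names, the "SIGNED"-prefix verifier and the 64-byte variable limit are all constructed for the example; the one real detail mirrored here is that EDK2's DXE core skips the FileAuthentication call when gSecurity2 is NULL.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Mock of the Security2 Architectural Protocol. EDK2's DXE core keeps a global
 * pointer (gSecurity2) to it and calls FileAuthentication before executing a
 * loaded image; when the pointer is NULL the call is skipped.
 */
typedef int (*FileAuthFn)(const uint8_t *image, size_t len);
typedef struct { FileAuthFn FileAuthentication; } Security2Protocol;

/* Constructed verifier: only images beginning with "SIGNED" are accepted. */
static int strict_auth(const uint8_t *image, size_t len) {
    return (len >= 6 && memcmp(image, "SIGNED", 6) == 0) ? 1 : 0;
}
static Security2Protocol security2_impl = { strict_auth };
Security2Protocol *gSecurity2 = &security2_impl;

/* Boot path: returns 1 if the image may run, 0 if it is rejected. */
int load_image_check(const uint8_t *image, size_t len) {
    if (gSecurity2 == NULL)           /* no verifier installed: nothing rejects */
        return 1;
    return gSecurity2->FileAuthentication(image, len);
}
int  security2_intact(void) { return gSecurity2 == &security2_impl; }
void reset_security2(void)  { gSecurity2 = &security2_impl; }

/* Simulated NVRAM: one variable that an OS administrator can set. */
static uint8_t nvram_data[64];
static size_t  nvram_len;
int set_variable(const void *data, size_t len) {
    if (len > sizeof nvram_data) return -1;
    memcpy(nvram_data, data, len);
    nvram_len = len;
    return 0;
}
static int get_variable(void *buf, size_t *len) {
    if (*len < nvram_len) return -1;
    memcpy(buf, nvram_data, nvram_len);
    *len = nvram_len;
    return 0;
}

/*
 * VULNERABLE pattern (illustrative, not DT Research's code): the variable's
 * content is trusted as a pointer, so whoever set the variable chooses where
 * the signed application writes.
 */
void vulnerable_handler(void) {
    uint8_t buf[64];
    size_t len = sizeof buf;
    if (get_variable(buf, &len) != 0 || len < sizeof(uintptr_t)) return;
    uintptr_t target;
    memcpy(&target, buf, sizeof target);
    memset((void *)target, 0, sizeof(void *));   /* arbitrary write of zeros */
}

/*
 * HARDENED pattern: NVRAM content is data, never an address. It is
 * length-checked and copied into a firmware-owned buffer.
 */
static uint8_t ihisi_param_buffer[32];
int hardened_handler(void) {
    uint8_t buf[64];
    size_t len = sizeof buf;
    if (get_variable(buf, &len) != 0) return -1;
    if (len > sizeof ihisi_param_buffer) return -1;   /* reject oversized input */
    memcpy(ihisi_param_buffer, buf, len);
    return 0;
}

int main(void) {
    const uint8_t *img = (const uint8_t *)"UNSIGNED bootkit";
    printf("before:            unsigned image accepted=%d\n", load_image_check(img, 16));
    uintptr_t p = (uintptr_t)&gSecurity2;       /* attacker stores gSecurity2's address */
    set_variable(&p, sizeof p);
    vulnerable_handler();
    printf("vulnerable handler: unsigned image accepted=%d\n", load_image_check(img, 16));
    reset_security2();
    hardened_handler();
    printf("hardened handler:   unsigned image accepted=%d\n", load_image_check(img, 16));
    return 0;
}
```

The point the simulation makes is that no memory-safety bug in the classic sense is needed: the write itself is well-formed, it is the trust placed in an attacker-writable variable that turns a signed firmware application into a write primitive against the firmware's own globals.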
An attacker who can trigger the write bypasses Secure Boot and runs unsigned code during the boot process, which is enough to install a UEFI bootkit ahead of the operating system. Code running at that stage compromises the integrity of everything loaded after it, holds the highest privilege level on the machine, and is out of reach of endpoint security tools, which only start once the OS is up (BINARLY Advisory).
Because the affected applications carry a valid Microsoft signature, patching them is not enough: the already-signed builds remain bootable anywhere the Microsoft UEFI CA 2011 is trusted. Remediation therefore revokes them by adding their Authenticode hashes to the dbx (Forbidden Signature Database), and Microsoft is releasing an updated DBX file so that Secure Boot refuses to execute the vulnerable components. System administrators should apply vendor-provided firmware and software updates and confirm that the latest DBX update has actually been written to the platform. For Linux, the DBX update is distributed through the Linux Vendor Firmware Service (LVFS) and applied with fwupd (CERT VU). Note that revocation blocks the vulnerable builds rather than fixing them, so any system that relies on the DT Research tools needs replacement builds from the vendor.
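To verify that a revocation has landed rather than trusting the update log, the dbx value can be parsed directly. The C program below is an added example, not code from the page, Microsoft, or fwupd: it walks the chain of EFI_SIGNATURE_LIST structures that make up the dbx and reports whether a given Authenticode SHA-256 hash is present. The two hashes it builds into its sample list are constructed all-0x11 and all-0x22 values, not the real CVE-2025-3052 hashes, which this page does not list; the file path and the 4-byte attribute prefix are those of the Linux efivars interface. Structure sizes, the EFI_CERT_SHA256_GUID value and the rule that other list types (such as X.509 entries) are skipped come from the UEFI specification.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* EFI_CERT_SHA256_GUID {c1c41626-504c-4092-aca9-41f936934328} in on-disk byte order */
static const uint8_t EFI_CERT_SHA256_GUID[16] = {
    0x26,0x16,0xc4,0xc1, 0x4c,0x50, 0x92,0x40,
    0xac,0xa9,0x41,0xf9,0x36,0x93,0x43,0x28 };

/* EFI_SIGNATURE_LIST header: type GUID, ListSize, HeaderSize, SignatureSize */
enum { SIGLIST_HDR = 28, SHA256_SIG_SIZE = 16 + 32 };   /* owner GUID + hash */

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/*
 * Walk a raw dbx value (a chain of EFI_SIGNATURE_LISTs) and report whether the
 * given Authenticode SHA-256 hash is revoked.
 * Returns 1 if found, 0 if absent, -1 if the blob is malformed.
 */
int dbx_contains_sha256(const uint8_t *blob, size_t len, const uint8_t hash[32]) {
    size_t off = 0;
    while (off < len) {
        if (len - off < SIGLIST_HDR) return -1;
        const uint8_t *sl = blob + off;
        uint32_t list_size = rd32(sl + 16);
        uint32_t hdr_size  = rd32(sl + 20);
        uint32_t sig_size  = rd32(sl + 24);
        if (list_size < SIGLIST_HDR || list_size > len - off) return -1;
        if (memcmp(sl, EFI_CERT_SHA256_GUID, 16) == 0) {
            if (sig_size != SHA256_SIG_SIZE) return -1;
            size_t body = SIGLIST_HDR + hdr_size;
            if (body > list_size) return -1;
            size_t count = (list_size - body) / sig_size;
            for (size_t i = 0; i < count; i++) {
                const uint8_t *sig = sl + body + i * sig_size;
                if (memcmp(sig + 16, hash, 32) == 0) return 1;   /* skip SignatureOwner */
            }
        }
        off += list_size;   /* other list types (e.g. X.509) are skipped, not parsed */
    }
    return 0;
}

/* Linux efivars files prefix the variable value with 4 bytes of attributes. */
int dbx_efivars_contains_sha256(const uint8_t *file, size_t len, const uint8_t hash[32]) {
    if (len < 4) return -1;
    return dbx_contains_sha256(file + 4, len - 4, hash);
}

/* Build one EFI_CERT_SHA256 list from n hashes (constructed test data); returns bytes written. */
size_t build_sha256_list(uint8_t *out, const uint8_t (*hashes)[32], size_t n) {
    uint32_t list_size = SIGLIST_HDR + (uint32_t)(n * SHA256_SIG_SIZE);
    memcpy(out, EFI_CERT_SHA256_GUID, 16);
    wr32(out + 16, list_size);
    wr32(out + 20, 0);                   /* SignatureHeaderSize */
    wr32(out + 24, SHA256_SIG_SIZE);
    for (size_t i = 0; i < n; i++) {
        uint8_t *sig = out + SIGLIST_HDR + i * SHA256_SIG_SIZE;
        memset(sig, 0, 16);              /* SignatureOwner: constructed, all zero */
        memcpy(sig + 16, hashes[i], 32);
    }
    return list_size;
}

int main(int argc, char **argv) {
    uint8_t hashes[2][32];               /* constructed hashes, not the real revoked ones */
    memset(hashes[0], 0x11, 32);
    memset(hashes[1], 0x22, 32);
    uint8_t dbx[256];
    size_t n = build_sha256_list(dbx, hashes, 2);
    printf("constructed dbx: hash1=%d hash2=%d\n",
           dbx_contains_sha256(dbx, n, hashes[0]), dbx_contains_sha256(dbx, n, hashes[1]));
    if (argc == 3) {   /* usage: dbxcheck /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f <sha256 hex> */
        uint8_t hash[32];
        for (int i = 0; i < 32; i++)
            if (sscanf(argv[2] + 2 * i, "%2hhx", &hash[i]) != 1) return 2;
        FILE *f = fopen(argv[1], "rb");
        uint8_t *file = malloc(1 << 20);         /* dbx values are far below 1 MiB */
        if (!f || !file) return 2;
        size_t len = fread(file, 1, 1 << 20, f);
        fclose(f);
        printf("%s revoked=%d\n", argv[2], dbx_efivars_contains_sha256(file, len, hash));
        free(file);
    }
    return 0;
}
```

The hash to look up is the PE Authenticode hash of the image, not a SHA-256 over the raw file bytes, since padding and the signature directory are excluded from the Authenticode digest. On Windows the raw value without the efivars prefix is available as `(Get-SecureBootUEFI -Name dbx).Bytes`, so it should be fed to `dbx_contains_sha256` rather than the efivars wrapper.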
Multiple vendors have responded to this vulnerability. DT Research acknowledged the issue and agreed to revoke all Microsoft-signed binaries. GIGABYTE released a new BIOS version addressing the issue. Red Hat, while not directly shipping the affected applications, advised administrators to deploy updated DBX on UEFI systems. AMI announced they would execute their standard DBX integration workflow once updates become available (CERT VU).
Source: This report was generated using AI