CVE-2025-3052
BaseFortify
Publication date: 2025-06-10
Last updated on: 2025-06-12
Assigner: CERT/CC
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-3052 is an arbitrary write vulnerability in Microsoft signed UEFI firmware modules, specifically affecting DTResearch's Dtbios and BiosFlashShell applications. The flaw arises from improper handling of a runtime NVRAM variable named IhisiParamBuffer, which acts as a pointer allowing attacker-controlled arbitrary memory writes. By manipulating this variable, an attacker with privileged OS access can overwrite critical firmware structures, including the global Security2 Architectural Protocol pointer responsible for Secure Boot verification. This enables bypassing Secure Boot, allowing execution of unsigned or malicious UEFI code during early boot, potentially leading to full system compromise and persistence of malware. [2, 3]
How can this vulnerability impact me? :
Exploiting this vulnerability allows an attacker with write access to the IhisiParamBuffer NVRAM variable to bypass Secure Boot protections by disabling the Security2 Architectural Protocol. This enables execution of unsigned or malicious UEFI binaries early in the boot process, which can lead to installing persistent malware or kernel rootkits that survive OS reinstallations and evade endpoint detection and response (EDR) systems. The attack can compromise system integrity, disable security mechanisms, and result in full system compromise without requiring user interaction or physical access. [2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves checking for the presence of the vulnerable UEFI modules (such as Dtbios-efi64-71.22.efi) signed by the Microsoft UEFI CA 2011 certificate and verifying if the NVRAM variable "IhisiParamBuffer" is writable at runtime. For Windows systems, PowerShell scripts like Check-UEFISecureBootVariables can be used to verify Secure Boot variables and DBX updates. On Linux, tools like fwupd and LVFS can be used to inspect and update UEFI firmware and revocation lists. Additionally, inspecting the UEFI boot manager configuration for loading vulnerable modules or unsigned payloads can help detect exploitation attempts. Specific commands include using PowerShell to query Secure Boot variables and fwupd commands to check firmware status. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying vendor-provided patches for affected UEFI modules and updating the Secure Boot Forbidden Signature Database (DBX) to revoke vulnerable binaries. Windows users should update their DBX via OEM or Microsoft updates and verify with PowerShell scripts like Check-UEFISecureBootVariables. Linux users should update DBX using LVFS and fwupd tools. Enterprises should carefully manage DBX updates to avoid boot failures, potentially updating the Signature Database (DB) before DBX as recommended. Blocking execution of vulnerable modules by adding their hashes to the revocation list is critical. Additionally, ensuring that the "IhisiParamBuffer" variable is locked or not writable at runtime can prevent exploitation. [2, 3]