CVE-2025-2296
BaseFortify
Publication date: 2025-12-09
Last updated on: 2025-12-09
Assigner: TianoCore.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| edk2 | edk2 | 4.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
This vulnerability in EDK2 BIOS involves improper input validation that can be exploited by an attacker with local access. Exploiting this flaw may allow the attacker to alter the control flow of the BIOS in unexpected ways, potentially enabling arbitrary command execution.
How can this vulnerability impact me? :
Successful exploitation of this vulnerability could impact the confidentiality, integrity, and availability of the affected system by allowing arbitrary command execution at the BIOS level.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves verifying if the system is running a vulnerable version of the EDK2 firmware, specifically versions up to 202502, and if Secure Boot is enabled but bypassed due to fallback to the legacy loader in direct boot mode. There are no specific commands provided to detect this vulnerability directly. However, checking the firmware version and Secure Boot status can help identify exposure. For example, on Linux systems, you can check Secure Boot status with 'mokutil --sb-state' and inspect firmware versions via system firmware tools or vendor utilities. Additionally, reviewing boot logs for fallback loader usage might indicate exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the EDK2 firmware to version 202505 or later, where the patch addressing this fallback behavior has been applied. Ensuring Secure Boot is properly configured and that the allowed database (DB) contains the correct signatures can also help prevent fallback to the legacy loader. Disabling direct boot mode, if possible, may reduce exposure until the patch is applied. [1]