Critical Secure Boot Bypass (CVE-2025-3052) Exposes Millions of Modern PCs, PoC Video Released
Do Son 
Nearly all modern computers with Secure Boot enabled have been exposed to critical risk due to a vulnerability cataloged as CVE-2025-3052. This flaw permits the complete deactivation of boot-time protections, enabling the injection of malicious code even before the operating system begins to load. The discovery is credited to researcher Alex Matrosov of Binarly, who uncovered the issue during an analysis of a Microsoft-signed BIOS utility designed to update firmware on secured tablets.
At the heart of the risk lies the Microsoft UEFI CA 2011 signing certificate—a trusted root authority across virtually all UEFI-based systems with Secure Boot. Though the utility was intended for specific hardware, its signature grants it the privilege to execute on any modern device, effectively opening the door for sophisticated pre-boot attacks.
The research revealed that this vulnerable component has been circulating in the wild since at least late 2022. One sample was uploaded to VirusTotal in 2024, where it was later identified by Binarly experts. The initial disclosure was submitted to CERT/CC on February 26, 2025, and Microsoft issued a fix as part of its June security updates on June 11.
However, the scope of the threat proved to be far broader than originally anticipated. Instead of a single module, fourteen separate components were ultimately found to be vulnerable. All have now been added to the Secure Boot certificate revocation list (dbx), which was updated concurrently with Microsoft’s regular Patch Tuesday rollout.
The essence of the vulnerability lies in how the BIOS utility interacts with the IhisiParamBuffer variable stored in non-volatile memory (NVRAM). A lack of validation for this variable allows an attacker with administrative privileges to tamper with the UEFI’s behavior long before the OS or even its kernel loads. Binarly successfully developed a proof-of-concept exploit that nullifies the gSecurity2 variable—a structure linked to the Security2 protocol, which governs the Secure Boot mechanism.
Once Secure Boot is disabled, the system can load any unsigned UEFI modules, including malware-laden bootloaders known as bootkits. These operate below the visibility threshold of both antivirus tools and the operating system itself, granting attackers unrestricted control over the device and the ability to neutralize other protective measures.
To mitigate the threat, Microsoft has distributed an updated dbx file, which should be promptly deployed across all vulnerable systems—ranging from personal desktops to enterprise servers utilizing UEFI and trusting the Microsoft UEFI CA 2011 certificate.
Binarly has also released a video demonstration showcasing their PoC exploit disabling Secure Boot and injecting a custom message that appears before the OS even begins to boot.
Notably, on the same day, another Secure Boot vulnerability surfaced—dubbed Hydroph0bia and tracked as CVE-2025-4275. It was uncovered by Nikolai Schlei in firmware based on Insyde H2O. This flaw similarly allowed attackers to bypass Secure Boot and was patched 90 days after disclosure to the vendor.
Donate