CYBERNEWSMEDIA Network

Endpoint Security

Flaws in Gigabyte Firmware Allow Security Bypass, Backdoor Deployment

Vulnerabilities in Gigabyte firmware implementations could allow attackers to disable Secure Boot and execute code during the early boot phase. The post Flaws in Gigabyte Firmware Allow Security Bypass, Backdoor Deployment appeared first on SecurityWeek.


Vulnerabilities affecting multiple Gigabyte firmware implementations could allow attackers to disable UEFI security mechanisms and take control of the impacted systems, security researchers have discovered.

The issues were discovered in System Management Mode (SMM), a highly privileged CPU mode that handles low-level system operations and allows UEFI to interact directly with the hardware.

SMM operations run within protected memory and are only accessible through System Management Interrupt (SMI) handlers that rely on specific buffers to process data.

Improper validation of these buffers, however, could allow attackers to execute arbitrary code before the operating system loads, and UEFI modules present in Gigabyte firmware expose systems to such attacks, Carnegie Mellon University’s CERT Coordination Center (CERT/CC) warns.
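The buffer check this class of flaw omits, as an added illustration (not code from Gigabyte, AMI, Binarly or CERT/CC): the handler snapshots the caller-supplied request and refuses any range that is empty, wraps around, or overlaps SMRAM. The SMRAM window, the request layout and all function names are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed SMRAM window; real firmware obtains it from the platform. */
#define SMRAM_BASE 0x7F000000ULL
#define SMRAM_SIZE 0x00800000ULL

/* Hypothetical layout of the request an OS caller hands to an SMI handler. */
struct smi_request {
    uint64_t dest;   /* physical address the handler is asked to write to */
    uint64_t length; /* number of bytes to write */
};

/* True only if [addr, addr+len) is non-empty, does not wrap, and misses SMRAM. */
bool range_outside_smram(uint64_t addr, uint64_t len)
{
    if (len == 0 || addr > UINT64_MAX - len)
        return false;                       /* empty, or wraps past 2^64 */
    uint64_t end = addr + len;              /* exclusive end of the range */
    return end <= SMRAM_BASE || addr >= SMRAM_BASE + SMRAM_SIZE;
}

/* Handler entry: returns true if the request may be serviced. */
bool handler_accepts(const volatile struct smi_request *req)
{
    /* Copy the fields first so the caller cannot alter them after the
       check (time-of-check/time-of-use); validate only the local copy. */
    struct smi_request local = { req->dest, req->length };
    return range_outside_smram(local.dest, local.length);
}

int main(void)
{
    /* Constructed sample requests. */
    struct smi_request os_buf   = { 0x00100000ULL, 0x1000 };
    struct smi_request in_smram = { SMRAM_BASE + 0x2000, 0x40 };
    struct smi_request straddle = { SMRAM_BASE - 0x10, 0x20 };
    struct smi_request wraps    = { UINT64_MAX - 4, 0x10 };

    printf("ordinary OS buffer : %d\n", handler_accepts(&os_buf));
    printf("inside SMRAM       : %d\n", handler_accepts(&in_smram));
    printf("straddles SMRAM    : %d\n", handler_accepts(&straddle));
    printf("wraps address space: %d\n", handler_accepts(&wraps));
    return 0;
}
```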

“An attacker could exploit one or more of these vulnerabilities to elevate privileges and execute arbitrary code in the SMM environment of a UEFI-supported processor,” CERT/CC notes.

The issues were initially discovered in AMI firmware, and the vendor previously addressed them via private disclosures. Now, however, they have been found again in Gigabyte firmware, with tens of products reportedly affected.

Tracked as CVE-2025-7026, CVE-2025-7027, CVE-2025-7028, and CVE-2025-7029, the bugs allow writing to attacker-specified memory, writing arbitrary content to System Management RAM (SMRAM), and controlling critical flash operations.

“An attacker with local or remote administrative privileges may exploit these vulnerabilities to execute arbitrary code in System Management Mode (Ring -2), bypassing OS-level protections,” CERT/CC notes.

Successful exploitation of the flaws could allow attackers to disable UEFI security mechanisms, including Secure Boot, and deploy firmware backdoors or implants, obtaining persistent control over the system. Such implants would not be detected by traditional endpoint protection tools, as SMM operates below the OS.

The security defects were identified and reported by Binarly, which warns that such implants could persist when the operating system is reinstalled. The vulnerabilities could also be used to bypass some types of memory isolation for hypervisors, the security firm notes.

Gigabyte, Binarly says, acknowledged the flaws a month ago. According to CERT/CC, Gigabyte has released firmware updates to resolve the issues, and users should monitor the vendor’s security website for update instructions.
