Security researchers have disclosed a new Secure Boot bypass tracked as CVE-2025-3052 that can be used to turn off security on PCs and servers and install bootkit malware.

The flaw affects nearly every system that trusts Microsoft’s “UEFI CA 2011” certificate, which is pretty much all hardware that supports Secure Boot.

Binarly researcher Alex Matrosov discovered the CVE-2025-3052 flaw after finding a BIOS-flashing utility signed with Microsoft’s UEFI signing certificate.

The utility was originally designed for rugged tablets but as it was signed with Microsoft’s UEFI certificate, it can run on any Secure Boot-enabled system.

Further investigations discovered that the vulnerable module had been circulating in the wild since at least late 2022 and later uploaded to VirusTotal in 2024, where Binarly spotted it.

Binarly disclosed the flaw to CERT/CC on February 26, 2025, with CVE-2025-3052 being mitigated today as part of the Microsoft June 2025 Patch Tuesday.

However, during this process, Microsoft determined that the flaw impacted 13 other modules, which were added to the revocation database.

“During the triage process, Microsoft determined that the issue did not aect just a single module as initially believed, but actually 14 dierent modules,” explains Binarly.

“For this reason, the updated dbx released during the Patch Tuesday on June 10, 2025 contains 14 new hashes.”

The Secure Boot bypass

The flaw is caused by a legitimate BIOS update utility signed with Microsoft’s UEFI CA 2011 certificate, which is trusted on most modern systems utilizing UEFI firmware.

This utility reads a user-writable NVRAM variable (IhisiParamBuffer) without validating it. If an attacker has admin rights to an operating system, they can modify this variable so arbitrary data is written to memory locations during the UEFI boot process. This is done before the operating system, or even the kernel, is loaded.

Using this vulnerability, Binarly created a proof-of-concept exploit to zero out the ‘gSecurity2’ global variable, which is used to enforce Secure Boot.

“For our proof of concept (PoC), we chose to overwrite the global variable gSecurity2,” explains the Binarly report.

“This variable holds a pointer to the Security2 Architectural Protocol, which the LoadImage function uses to enforce Secure Boot. By setting it to zero, we eectively disable Secure Boot, allowing the execution of any unsigned UEFI modules.”

Once disabled, attackers can install bootkit malware that can hide from the operating system and turn off further security features.

To fix CVE-2025-3052, Microsoft has added the affected module hashes to the Secure Boot dbx revocation list. Binarly and Microsoft urge users to install the updated dbx file immediately through today’s security updates to protect their devices.

Also today, another Secure Boot bypass affecting UEFI-compatible firmware based on Insyde H2O was disclosed by Nikolaj Schlej. The flaw, dubbed Hydroph0bia and tracked as CVE-2025-4275, was reported to Insyde and patched 90 days after disclosure.

Binarly has shared a video demonstrating how their PoC can disable Secure Boot and cause a message to display before the operating system boots.