Dozens of Gigabyte motherboard models run on UEFI firmware vulnerable to security issues that allow planting bootkit malware that is invisible to the operating system and can survive reinstalls.
The vulnerabilities could allow attackers with local or remote admin permissions to execute arbitrary code in System Management Mode (SMM), an environment isolated from the operating system (OS) and with more privileges on the machine.
Mechanisms running code below the OS have low-level hardware access and initiate at boot time. Because of this, malware in these environments can bypass traditional security defenses on the system.
UEFI, or Unified Extensible Firmware Interface, firmware is more secure due to the Secure Boot feature that ensures through cryptographic verifications that a device uses at boot time code that is safe and trusted.
For this reason, UEFI-level malware like bootkits (BlackLotus, CosmicStrand, MosaicAggressor, MoonBounce, LoJax) can deploy malicious code at every boot.
Plenty of motherboards impacted
The four vulnerabilities are in Gigabyte firmware implementations and were discovered by researchers at firmware security company Binarly, who shared their findings with Carnegie Mellon University’s CERT Coordination Center (CERT/CC).
The original firmware supplier is American Megatrends Inc. (AMI), which addressed the issues after a private disclosure but some OEM firmware builds (e.g. Gigabyte's) did not implement the fixes at the time.
In Gigabyte firmware implementations, Binarly found the following vulnerabilities, all with a high-severity score of 8.2:
- CVE-2025-7029: bug in an SMI handler (OverClockSmiHandler) that can lead to SMM privilege escalation
- CVE-2025-7028: bug in an SMI handler (SmiFlash) gives read/write access to the System Management RAM (SMRAM), which can lead to malware installation
- CVE-2025-7027: can lead to SMM privilege escalation and modifying the firmware by writing arbitrary content to SMRAM
- CVE-2025-7026: allows arbitrary writes to SMRAM and can lead to privilege escalation to SMM and persistent firmware compromise
By our count, there are a little more than 240 motherboard models impacted - including revisions, variants, and region-specific editions, with firmware updated between late 2023 and mid-August 2024.
BleepingComputer reached out to Binarly for an official count and a company representative told us that "over a hundred product lines are affected."
Products from other enterprise device vendors are also impacted by the four vulnerabilities but their names remain undisclosed until fixes become available.
Binarly researchers notified Carnegie Mellon CERT/CC about the issues on April 15 and Gigabyte confirmed the vulnerabilities on June 12, followed by the release of firmware updates, according to CERT/CC.
However, the OEM has not published a security bulletin about the security problems that Binarly reported. BleepingComputer has emailed the hardware vendor a request for comment but we are still waiting for their response.
Meanwhile, Binarly founder and CEO Alex Matrosov told BleepingComputer that Gigabyte most likely hasn’t released fixes. With many of the products already having reached end-of-life, users should not expect to receive any security updates.
“Because all these four vulnerabilities originated from AMI reference code, AMI disclosed these vulnerabilities a while ago with their silent disclosure to paid customers only under NDA, and it caused significant effects for years on the downstream vendors when they stayed vulnerable and unpatched” - Alex Matrosov
“It seems that Gigabyte has not released any fixes yet, and many of the affected devices have reached end-of-life status, meaning they will likely remain vulnerable indefinitely.”
While the risk for general consumers is admittedly low, those in critical environments can assess the specific risk with Binarly’s Risk Hunt scanner tool, which includes free detection for the four vulnerabilities.
Computers from various OEMs using Gigabyte motherboards may be vulnerable, so users are advised to monitor for firmware updates and apply them promptly.
UPDATE [July 14th, 13:23 EST]: Article updated with comment from Binarly saying that the four vulnerabilities affect more than 100 motherboards, and that products from other vendors are impacted.
Update [July 15th, 02:15 EST]: Gigabyte published a security bulletin after we published this article, covering three of the four vulnerabilities Binarly discovered.
Break down IAM silos like Bitpanda, KnowBe4, and PathAI
Broken IAM isn't just an IT problem - the impact ripples across your whole business.
This practical guide covers why traditional IAM practices fail to keep up with modern demands, examples of what "good" IAM looks like, and a simple checklist for building a scalable strategy.
Comments
deltasierra - 5 months ago
"However, the OEM has not published a security bulletin about the security problems that Binarly reported. BleepingComputer has emailed the hardware vendor a request for comment but we are still waiting for their response."
The OEM (Gigabyte) didn't publish this security bulletin?:
https://www.gigabyte.com/Support/Security/2302
Gigabyte said: "GIGA-BYTE Technology Co., Ltd. has identified multiple memory corruption vulnerabilities within the System Management Mode (SMM) modules used in several legacy GIGABYTE/AORUS consumer motherboards. These vulnerabilities exist only on older Intel platforms where the affected SMM modules are implemented. Newer platforms are not impacted."
For those concerned, check out their bulletin as it lists which Intel chipsets are affected and which ones have BIOS updates vs. which ones are hard EOL, e.g. Intel Z590 boards had updates released in June while Z370 is EOL.
NoneRain - 5 months ago
Interesting, @deltasierra.
Using this mobo as an example:
https://www.gigabyte.com/Motherboard/Z590-GAMING-X-rev-1x/support
Assuming their BIOS upd released in Jun 10th is about these vuls, they didn't report the fix til Binarly made their public disclosure.
- Gigabyte report: 10/Jul
- Binarly public disclosure: 10/Jul (based on their own timeline)
The strange part is that Gigabyte’s report does not mention Binarly, claiming they identified the issues themselves, and according to Binarly's timeline, Gigabyte confirmed the issue on June 12th — two days after releasing the BIOS update.
Their report does not include CVE-2025-7028, tho.
deltasierra - 5 months ago
That is strange @NoneRain. They mentioned Eclypsium in a previous security-invoked BIOS update on that same mobo a few years back. As for the bulletin coming one month later, that must be Gigabyte's internal policy to disclose specific vulnerabilities 30 days / 1 month after patches become available. Some do it like that and others are same-day like MS Patch Tuesday.
I also noticed that CVE was missed... not sure what that's about, lol.
Bill_Toulas - 5 months ago
Thanks for sharing. Just to explain, Gigabyte published this bulletin after we published the article (nevermind the claimed dates, it wasn't there when we wrote the post). I have added an update to include it now. Thanks
deltasierra - 5 months ago
Thank you for clarifying @Bill_Toulas. I've seen plenty of times where an online article has a certain date but such information wasn't actually published online until a later date.