Recurring Supply‑Chain Lapses Expose UEFI Firmware to Pre‑OS Threats
A disturbing pattern of security failures in the firmware supply chain continues to expose millions of devices to pre-OS threats, potentially undermining the foundation of computer security.
Between 2022 and 2025, a series of critical security incidents involving leaked cryptographic keys and mismanagement of signing certificates has created an environment where attackers can potentially bypass UEFI Secure Boot and other firmware protection mechanisms, gaining control of systems before the operating system even loads.
These recurring lapses include expired certificates in Intel’s Platform Properties Assessment Module (PPAM), major data breaches exposing Boot Guard private keys from Lenovo, Supermicro, MSI, and most recently Clevo, and the widespread deployment of test keys in production environments.
The consequences are particularly severe because firmware-level compromises can survive operating system reinstallations and remain undetected by conventional security tools, creating perfect persistence mechanisms for sophisticated threat actors.
Binarly researchers identified that these supply chain issues are not isolated incidents but represent systemic failures in cryptographic key management across the UEFI ecosystem.
Their analysis revealed that despite some improvements following public disclosures, vulnerable firmware continues to ship in new devices, with some manufacturers still using compromised keys years after their exposure.
The interconnected nature of the firmware supply chain amplifies these security risks. When one vendor’s keys are compromised, the impact frequently extends beyond their own products to affect devices from multiple manufacturers.
This cross-contamination effect was particularly evident in the aftermath of the MSI breach in 2023, where leaked keys affected devices from multiple brands.
The PKfail Epidemic: Test Keys in Production Environments
Perhaps the most widespread of these issues was the “PKfail” vulnerability discovered in 2024, which affected approximately 10% of all firmware images analyzed by Binarly.
The vulnerability stemmed from the inclusion of test Platform Keys (PKs) in production firmware, including keys clearly labeled with warnings such as “DO NOT TRUST – AMI Test PK.”
The severity of this issue is highlighted by an excerpt from one such certificate found in production firmware:
Version 3 (0x2)
Serial Number:
55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=DO NOT TRUST - AMI Test PK
Validity
Not Before: Nov 8 23:32:53 2017 GMT
Not After : Nov 8 23:32:52 2021 GMT
The problem extended beyond AMI-based devices, with similar test keys discovered across multiple manufacturers’ products.
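As an added example (not from the article or from Binarly's tooling), the following Python parses the Secure Boot PK variable's EFI_SIGNATURE_LIST payload, pulls the issuer commonName out of each X.509 entry with a minimal DER walk, and flags entries carrying the "DO NOT TRUST" marker that AMI put in its own test key. The sample payload is constructed inline and its certificate is an unsigned, cert-shaped stub, not a real key.

```python
import struct
import uuid
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")  # entries are DER X.509 certs
def der_read(buf, off):  # parse one DER TLV at `off`; return (tag, body_start, body_end)
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:  # long-form length, which real certificates use
        n = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + ln

def issuer_cn(cert):  # Certificate -> tbsCertificate -> issuer Name -> commonName
    _, o, _ = der_read(cert, 0)            # Certificate SEQUENCE
    _, o, _ = der_read(cert, o)            # tbsCertificate SEQUENCE
    tag, _, nxt = der_read(cert, o)
    o = nxt if tag == 0xA0 else o          # optional [0] EXPLICIT version
    _, _, o = der_read(cert, o)            # serialNumber INTEGER
    _, _, o = der_read(cert, o)            # signature AlgorithmIdentifier
    _, o, issuer_end = der_read(cert, o)   # issuer Name: SEQUENCE OF RDN SET
    while o < issuer_end:
        _, s, rdn_end = der_read(cert, o)  # RelativeDistinguishedName SET
        _, a, _ = der_read(cert, s)        # AttributeTypeAndValue SEQUENCE
        _, oid_s, oid_e = der_read(cert, a)
        if cert[oid_s:oid_e] == b"\x55\x04\x03":  # id-at-commonName (2.5.4.3)
            _, v_s, v_e = der_read(cert, oid_e)
            return cert[v_s:v_e].decode("utf-8", "replace")
        o = rdn_end
    return None

def x509_certs_in_siglists(blob):  # DER certs from concatenated EFI_SIGNATURE_LISTs (PK payload)
    certs, off = [], 0
    while off + 28 <= len(blob):  # 16-byte SignatureType GUID + three u32 sizes
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        data, list_end = off + 28 + hdr_size, off + max(list_size, 28)  # max() guarantees progress
        while sig_type == EFI_CERT_X509_GUID and sig_size > 16 and data + sig_size <= list_end:
            certs.append(blob[data + 16:data + sig_size])  # skip the 16-byte SignatureOwner GUID
            data += sig_size
        off = list_end
    return certs

def untrusted_pk_issuers(blob):  # issuer CNs carrying the vendor's own 'DO NOT TRUST' test-key marker
    return [cn for cn in map(issuer_cn, x509_certs_in_siglists(blob)) if cn and "DO NOT TRUST" in cn.upper()]
def _tlv(tag, body):  # short-form DER encoder; enough for the small constructed sample below
    return bytes([tag, len(body)]) + body
def sample_pk_variable(cn):  # constructed PK payload: one X509 list wrapping an unsigned cert-shaped stub
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn.encode()))))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")
               + _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")) + name)
    sig = bytes(16) + _tlv(0x30, tbs)  # all-zero SignatureOwner GUID + certificate
    return EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + len(sig), 0, len(sig)) + sig
```

On a Linux host the same check can be run against the live platform key by feeding `untrusted_pk_issuers` the contents of /sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c with its leading 4-byte attributes field stripped. An empty result only rules out the labelled AMI test key; a leaked vendor key looks legitimate and has to be matched against a list of known-compromised certificates instead.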
Binarly’s analysis of firmware images across different years revealed a troubling trend: the percentage of affected devices was steadily increasing until Binarly’s public disclosure in July 2024, after which it experienced a sharp decline.
While the ecosystem has made progress addressing these issues (no PKfail-affected devices have been detected in 2025 so far), other serious vulnerabilities continue to emerge.
Most recently, Binarly researchers discovered a memory corruption vulnerability in a Microsoft-signed UEFI module (CVE-2025-3052), demonstrating that the ecosystem remains vulnerable to Bring Your Own Vulnerable Driver (BYOVD) attacks even at the firmware level.
The combination of these recurring supply chain lapses creates a perfect storm for security: compromised keys allow attackers to sign malicious firmware that appears legitimate, while memory corruption vulnerabilities provide pathways to execute code that can disable protection mechanisms like Secure Boot.
As demonstrated in Binarly’s proof of concept, an attacker exploiting these vulnerabilities can install persistent bootkits that survive operating system reinstallation and gain privileged access to the system.
The post Recurring Supply‑Chain Lapses Expose UEFI Firmware to Pre‑OS Threats appeared first on Cyber Security News.