HelixCipher
Security Starts Earlier Than Some Might Think

Research and coordinated disclosures describe a UEFI implementation bug in some motherboards: the firmware reports DMA protections as active while failing to initialize the IOMMU, leaving systems vulnerable to pre-boot DMA attacks from a malicious PCIe/Thunderbolt device. Vendors (ASUS, Gigabyte, MSI, ASRock) have published advisories and firmware updates. Users should check their vendor pages and apply updates after backing up data.

Why it matters: firmware and early-boot initialization are the last line of defense before the OS runs. If an attacker with physical access can attach a DMA-capable device before OS boot, that device may read/modify RAM with no OS-level alerts, enabling undetectable persistence, early rootkits, or other compromise scenarios (Riot Games researchers originally discovered the issue while debugging anti-cheat impacts).

Key technical takeaways:

• The flaw manifests when UEFI reports DMA/IOMMU protections as enabled even though the IOMMU hasn’t been properly configured during early handoff — creating a false sense of security.

• Multiple CVEs were assigned because vendor implementations differ (CVE-2025-11901, CVE-2025-14302, CVE-2025-14303, CVE-2025-14304).

• Exploitation requires physical access and a malicious DMA-capable peripheral connected before the OS takes control. There are no runtime OS alerts for pre-boot memory tampering.

• The immediate, observable impact included anti-cheat failures (games like Valorant blocked on affected machines until fixes), but the risk extends to any scenario where early-boot integrity matters (secure enclaves, endpoint protections, forensic reliability).

Practical implications for teams and admins:

• Treat firmware as high-priority patching: check vendor advisories (ASUS/Gigabyte/MSI/ASRock) and apply firmware updates after planned backups and change-control windows.

• Reduce physical attack surface: lock server rooms, limit who can access workstations, and consider port-level controls (disable unused PCIe/Thunderbolt ports where possible).

• Harden supply chain and field operations: inventory where machines might be physically exposed (labs, warehouses, game cafés, trade show kiosks) and add pre-boot integrity checks to critical systems.

• Add firmware integrity and early-boot tests to red-team/blue-team playbooks: simulate pre-boot device insertion and validate that IOMMU and other protections actually initialize.

• Log and monitor firmware/boot updates centrally so you can correlate firmware state with any anomalous device behavior.
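One way to collect the firmware state that the last two items call for, as an added example that is not from the original post or any vendor tool: a Linux collector that emits one JSON record per host for central logging. It assumes the standard sysfs paths `/sys/class/dmi/id` and `/sys/kernel/iommu_groups`; the `cleared` parameter is hypothetical and holds (board name, BIOS version) pairs you have checked against the vendor advisory, since the post lists no fixed versions.

```python
"""Collect board, BIOS and runtime IOMMU state from Linux sysfs as one JSON record."""
import json
import sys
from pathlib import Path

# Lower-case substrings of DMI board_vendor values for the four vendors named in the post.
ADVISORY_VENDORS = {"asus": "ASUS", "gigabyte": "Gigabyte",
                    "micro-star": "MSI", "msi": "MSI", "asrock": "ASRock"}


def _read(path):
    """Return a sysfs attribute as text, or '' if it is missing or unreadable."""
    try:
        return path.read_text(errors="replace").strip()
    except OSError:
        return ""


def collect(sysfs_root="/sys", cleared=frozenset()):
    """Build the inventory record; `cleared` is the admin-maintained allow-list."""
    root = Path(sysfs_root)
    dmi = root / "class" / "dmi" / "id"
    groups = root / "kernel" / "iommu_groups"
    board_vendor = _read(dmi / "board_vendor")
    board_name = _read(dmi / "board_name")
    bios_version = _read(dmi / "bios_version")
    vendor = next((name for key, name in ADVISORY_VENDORS.items()
                   if key in board_vendor.lower()), None)
    # Runtime view only: populated groups mean the OS programmed the IOMMU.
    # It cannot show whether firmware protected memory before the OS took over.
    n_groups = sum(1 for p in groups.iterdir() if p.is_dir()) if groups.is_dir() else 0
    unverified = vendor is not None and (board_name, bios_version) not in cleared
    return {
        "board_vendor": board_vendor,
        "board_name": board_name,
        "bios_version": bios_version,
        "bios_date": _read(dmi / "bios_date"),
        "advisory_vendor": vendor,
        "iommu_groups": n_groups,
        "needs_review": unverified or n_groups == 0,
    }


if __name__ == "__main__":
    print(json.dumps(collect(sys.argv[1] if len(sys.argv) > 1 else "/sys"), sort_keys=True))
```

A record with `needs_review` set means either the board comes from one of the four vendors and its BIOS version has not been confirmed against the advisory, or the OS shows no IOMMU groups at all.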

New UEFI flaw enables pre-boot attacks on motherboards from Gigabyte, MSI, ASUS, ASRock

The UEFI firmware implementation in some motherboards from ASUS, Gigabyte, MSI, and ASRock is vulnerable to direct memory access (DMA) attacks that can bypass early-boot memory protections.

Source: bleepingcomputer.com