SMM Vulnerabilities in Gigabyte UEFI Firmware Expose Systems to Stealthy Attacks

In a warning issued by CERT/CC, multiple high-impact vulnerabilities have been identified in Gigabyte UEFI firmware that allow attackers to execute arbitrary code in System Management Mode (SMM)—a privileged CPU environment below the operating system (Ring -2). These flaws, previously disclosed to American Megatrends International (AMI), have resurfaced in Gigabyte firmware despite earlier patches.

“These vulnerabilities were previously addressed via private disclosures, yet the vulnerable implementations remain in some OEM firmware builds such as in the case of Gigabyte,” warns CERT/CC.

At the heart of the issue lies System Management Mode (SMM), a powerful CPU mode designed to manage low-level operations such as power and thermal control. It operates within System Management RAM (SMRAM)—a protected memory region only accessible via System Management Interrupts (SMIs).

These vulnerabilities exploit SMI handlers, which act as gateways to SMM by processing data passed through communication buffers. Improper validation of this data allows attackers to corrupt SMRAM or inject code—leading to dangerous system-level compromise.

CERT/CC outlines four critical vulnerabilities, all affecting Gigabyte firmware:

• CVE-2025-7029 (BRLY-2025-011): Unchecked use of the RBX register allows attacker control over OcHeader and OcData pointers used in power and thermal configuration logic, resulting in arbitrary SMRAM writes.
• CVE-2025-7028 (BRLY-2025-010): Lack of validation of function pointer structures derived from RBX and RCX allows attacker control over critical flash operations via FuncBlock.
• CVE-2025-7027 (BRLY-2025-009): Double pointer dereference vulnerability involving an unvalidated NVRAM variable enables arbitrary content to be written to SMRAM.
• CVE-2025-7026 (BRLY-2025-008): Attacker-controlled RBX register used as an unchecked pointer within CommandRcx0 function allows writes to attacker-specified memory in SMRAM.

Each of these vulnerabilities enables arbitrary memory writes and potential firmware implants, granting the attacker complete control beneath the OS.

The consequences of these flaws go beyond typical OS-level compromise:

• Ring -2 Privilege Escalation: Attackers can bypass kernel-level protections.
• Firmware Implantation: Exploits can persist across reboots and OS reinstallation.
• Secure Boot/BootGuard Bypass: Attackers can disable UEFI protections, rendering traditional antivirus tools ineffective.
• Pre-Boot Execution: Exploits may trigger in recovery mode, sleep state, or early boot phases—before OS defenses are even active.

“Exploitation can disable UEFI security mechanisms such as Secure Boot and Intel BootGuard, enabling stealthy firmware implants and persistent control over the system,” CERT/CC states.

Gigabyte has released firmware updates to address these vulnerabilities. Affected users should:

• Visit the Gigabyte Support Site to check for model-specific firmware updates.
• Apply updates immediately, especially on systems with exposure to local or remote administrative access.
• Monitor other OEM vendors, as firmware from AMI is commonly reused across multiple manufacturers.

Related Posts:

• Backdoor was found in Gigabyte motherboards
• 4 Dell BIOS Bugs Affect Millions of Inspiron, Vostro, Alienware Devices
• Hacker group LAPSUS has stolen Vodafone source code
• Researcher: Spectre CPU flaws can be used to break into the highly privileged CPU mode on Intel x86 systems
• AMD Extends Security Patch for RYZEN 3000, Addressing Critical SMM Vulnerability

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal

Crypto

USDT (TRC20):

TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm Copy

USDT (ERC20):

0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce Copy