
Updates urged after disclosure of Windows Secure Boot vulnerability


The June edition of Microsoft’s Patch Tuesday release became even more of a priority for administrators thanks to the disclosure of a potential rootkit vulnerability on the Windows Secure Boot system.

Researchers with security vendor Binarly said that the vulnerability they discovered and securely reported to Microsoft would potentially allow an attacker to bypass the UEFI checks that prevent the use of unauthorized firmware on Windows systems.

Designated CVE-2025-3052, the flaw is based on a memory corruption error in the UEFI certificate Microsoft uses to validate an operating system build before it can be loaded. The flaw was among those addressed earlier this week in the Patch Tuesday update.

“Attackers can exploit this vulnerability to run unsigned code during the boot process, effectively bypassing Secure Boot and compromising the system’s chain of trust,” the Binarly research team explained in their disclosure.

“Because the attacker’s code executes before the operating system even loads, it opens the door for attackers to install bootkits and undermine OS-level security defenses."

The researchers found that a non-malicious BIOS flashing tool, which has been circulating since at least 2024 and possibly since 2022, was able to execute under the "Microsoft Corporation UEFI CA 2011" certificate.

A deeper dig into the tool found that it contained a memory buffer error. By taking advantage of that error, an attacker can write code that changes the value of a key variable, which in turn allows Secure Boot to be disabled.

The result is the ability for the attacker to bypass authentication and potentially run malware within a rootkit. By running at such a low level on the system, attackers can not only evade detection by security tools, but can also maintain persistence across updates and reinstalls.

If there is one saving grace in all of this, it is that the vulnerability cannot be remotely targeted without authentication. In order to write code to the vulnerable portions of memory, the attacker needs system-level access, meaning they would have to have already compromised the target machine via other methods.

In disclosing the flaw, the Binarly team also noted that such rootkit flaws are becoming an increasingly common occurrence.

“Secure Boot bypasses continue to be a persistent issue within the UEFI ecosystem, with new vulnerabilities surfacing a few times each year,” the researchers noted.

The disclosure also underscores the need for administrators and PC owners to not just brush aside Microsoft’s update reminders. It is always recommended that the monthly updates be tested and deployed as soon as possible, even more so with the June updates. Security professionals will often refer to the day after Patch Tuesday as “Exploit Wednesday” because the disclosure of vulnerability details makes the process of writing new exploits and malware installation scripts all but trivial for threat actors.
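For administrators who want to confirm that a machine is still in the protected state the article describes (Secure Boot enforcing, firmware revocation list present, monthly update installed), the following PowerShell script is an added example and is not code from the article, Microsoft or Binarly. It uses only the built-in SecureBoot and Get-HotFix cmdlets; the `$PatchCutoff` date is an assumed placeholder, since the article does not give the exact release date or KB numbers, and the expected DBX size must be compared against a baseline taken from a known-good patched host in your own environment.

```powershell
# Added example: defender-side Secure Boot posture check.
# Not taken from the SC Media article or Binarly's disclosure.
# Run in an elevated PowerShell session on a UEFI-booted Windows machine.
# $PatchCutoff is a placeholder assumption: set it to the Patch Tuesday
# release date you expect to find installed.

$PatchCutoff = Get-Date '2025-06-01'   # placeholder, adjust for your rollout

function Test-SecureBootPosture {
    $result = [ordered]@{
        SecureBootEnabled = $null
        DbxBytes          = $null
        RecentHotfixes    = @()
    }

    # 1. Is Secure Boot actually enforcing? Confirm-SecureBootUEFI throws on
    #    legacy BIOS firmware or when the variable cannot be read.
    try {
        $result.SecureBootEnabled = Confirm-SecureBootUEFI
    } catch {
        Write-Warning "Secure Boot not supported or firmware in legacy mode: $_"
        $result.SecureBootEnabled = $false
    }

    # 2. Size of the DBX (forbidden-signature database). Revoking a signed
    #    but vulnerable component only protects the machine once the
    #    revocation lands here, so compare this number with a patched
    #    reference host rather than treating any value as 'good'.
    try {
        $dbx = Get-SecureBootUEFI -Name dbx
        $result.DbxBytes = $dbx.Bytes.Length
    } catch {
        Write-Warning "Could not read the DBX variable: $_"
    }

    # 3. Updates installed on or after the cutoff, as evidence that the
    #    monthly rollup has been applied on this host.
    $result.RecentHotfixes = @(
        Get-HotFix |
            Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchCutoff } |
            Select-Object HotFixID, Description, InstalledOn
    )

    return [pscustomobject]$result
}

$posture = Test-SecureBootPosture
$posture | Format-List

if (-not $posture.SecureBootEnabled) {
    Write-Warning 'Secure Boot is OFF: the chain of trust is not being enforced on this host.'
}
if ($posture.RecentHotfixes.Count -eq 0) {
    Write-Warning "No updates installed since $($PatchCutoff.ToShortDateString()); deploy the current Patch Tuesday release."
}
```

Because the flaw requires an attacker who already has system-level access, the value of this check is in fleet-wide reporting: a host whose Secure Boot state flips to off, or whose DBX size lags the patched baseline, is worth investigating rather than simply re-enabling.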

Shaun Nichols

A career IT news journalist, Shaun has spent 17 years covering the industry with a specialty in the cybersecurity field.
