Gigabyte Motherboards Found Vulnerable to Stealth UEFI Malware Attacks Capable of Bypassing Secure Boot
A major firmware security flaw affecting more than 240 Gigabyte motherboard models has been uncovered, allowing attackers to plant undetectable bootkits that can survive system reinstalls and evade Secure Boot protections. The flaws impact systems running Unified Extensible Firmware Interface (UEFI) and have the potential to be exploited for persistent malware deployment.
Discovered by researchers at Binarly and reported through Carnegie Mellon University’s CERT Coordination Center (CERT/CC), the four high-severity vulnerabilities reside in Gigabyte’s implementation of firmware code originally provided by American Megatrends Inc. (AMI). Despite AMI addressing the issues privately with customers under NDA, many original equipment manufacturer (OEM) builds—including Gigabyte’s—remained unpatched.
The issues specifically affect System Management Mode (SMM), an isolated and privileged execution environment that operates below the operating system. Exploiting these vulnerabilities enables attackers with local or remote admin rights to execute arbitrary code with SMM-level privileges. Malware deployed this way can remain invisible to the OS, bypass antivirus tools, and maintain persistence through reboots.
The four vulnerabilities, with their assigned CVEs, are:
- CVE-2025-7029 – A flaw in the OverClockSmiHandler enabling SMM privilege escalation.
- CVE-2025-7028 – An issue in SmiFlash allowing full read/write access to SMRAM, facilitating malware installation.
- CVE-2025-7027 – Enables attackers to escalate privileges and alter firmware via SMRAM.
- CVE-2025-7026 – Permits arbitrary writes to SMRAM, leading to full SMM compromise.
According to Binarly, over 100 distinct Gigabyte product lines are affected. The list includes multiple regional and version-specific motherboard models updated between late 2023 and mid-2024. Other OEMs may also be impacted, though their names remain undisclosed pending patch releases.
While CERT/CC confirmed that Gigabyte acknowledged the flaws on June 12 and subsequently began issuing firmware updates, the company did not initially publish a formal security bulletin. An update posted on July 15 now covers three of the four vulnerabilities reported.
Binarly CEO Alex Matrosov noted that many of the affected Gigabyte products have reached end-of-life, suggesting no updates may ever be issued for those devices.
“It seems that Gigabyte has not released any fixes yet, and many of the affected devices have reached end-of-life status, meaning they will likely remain vulnerable indefinitely,” said Matrosov.
He added that the silent disclosure model by AMI “caused significant effects for years on downstream vendors” who continued shipping unpatched firmware.
The risk to general consumers remains low, but the threat is more concerning for enterprise users operating in critical environments, where firmware integrity is essential for system trust. To help address this, Binarly has made its Risk Hunt scanner, which detects the presence of the reported vulnerabilities, available for free.
Organizations relying on Gigabyte hardware are advised to monitor firmware update channels closely, verify the presence of security patches, and apply them immediately where available. For end-of-life products, alternative mitigation strategies or hardware replacement should be considered where risk profiles demand.