Security Advisory — Secure Boot Bypass via Signed UEFI Applications

VU#457458
Jun 19, 2026

GIGABYTE Technology Co., Ltd. acknowledges a security vulnerability (Case VU#457458) involving certain UEFI applications that were digitally signed by GIGABYTE. We are committed to providing secure and reliable products and have taken immediate action to mitigate this risk.

Vulnerability Details
Case Identifier: VU#457458
Vulnerability Type: Secure Boot Bypass / "Bring Your Own Vulnerable Driver" (BYOVD)
Root Cause: Certain signed UEFI Shell binaries provided in GIGABYTE's utility packages (e.g., BIOS_flash_tool.zip) inadvertently expose sensitive functionalities, including mm, setvar, and dmpstore. These commands allow unauthorized modification of UEFI variables and system memory, which can be leveraged to circumvent UEFI Secure Boot policies.

Attack Scenario
This is a "Bring Your Own Vulnerable Driver" (BYOVD) style attack. The exploitation of this vulnerability requires the attacker to have physical access to the target system and the ability to boot the system from an external device (e.g., USB drive). If the attacker can successfully launch the vulnerable signed UEFI Shell in the pre-boot environment, they can leverage the GIGABYTE-trusted certificate to bypass Secure Boot and execute arbitrary unverified code before the operating system initializes.

Potential Impact
Successful exploitation can lead to a persistent platform compromise. Attackers may load unsigned or malicious kernel components that survive system reboots and OS reinstallations. Because this occurs before the OS and Endpoint Detection and Response (EDR) solutions initialize, such activities may evade standard security controls.

Affected Products and Software
Affected Component: Signed UEFI Shell binaries (e.g., efiflash.efi) included in GIGABYTE BIOS release packages.
Affected Versions: All BIOS release ZIP files containing the signed UEFI Shell distributed prior to June 12, 2026.

Resolution and Recommended Actions
GIGABYTE has implemented the following measures to neutralize this risk:

  1. Package Optimization: Effective June 12, 2026, all official BIOS release ZIP files have been updated to include only the essential BIOS image. The vulnerable signed UEFI Shell has been removed.
  2. Asset Removal: We are coordinating with webmasters to remove all legacy signed UEFI Shell binaries from our official download servers.
  3. Advanced Protection: In alignment with industry standards, administrators may consider updating the UEFI Forbidden Signature Database (DBX) to revoke trust in the affected binaries.
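The DBX measure above depends on the firmware's Forbidden Signature Database actually containing the hashes of the affected binaries. The following script is an added example, not GIGABYTE code, showing how an administrator can parse an exported dbx variable (a sequence of EFI_SIGNATURE_LIST structures, as defined in the UEFI specification) and check whether a given SHA-256 image hash is revoked. The dbx bytes, the image hashes and the owner GUID in it are constructed in-line so it runs offline; the two signature-type GUIDs are the specification's EFI_CERT_SHA256_GUID and EFI_CERT_X509_GUID.

```python
"""Parse a UEFI Secure Boot dbx blob (EFI_SIGNATURE_LIST entries) and check
whether a given SHA-256 image hash is revoked.

Added example for this advisory; not GIGABYTE code. All dbx data below is
constructed in-line so the script runs offline.
"""
import hashlib
import struct
import uuid

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# EFI_SIGNATURE_LIST header: SignatureType (GUID, 16 bytes) followed by three
# little-endian UINT32 fields: SignatureListSize, SignatureHeaderSize, SignatureSize.
_LIST_HDR = struct.Struct("<III")
_LIST_HDR_LEN = 16 + _LIST_HDR.size  # 28 bytes


def build_signature_list(sig_type, entries, owner=uuid.UUID(int=0)):
    """Build one EFI_SIGNATURE_LIST whose entries all share one size.
    Used here only to construct sample dbx data; real lists come from firmware."""
    sig_size = 16 + len(entries[0])  # SignatureOwner GUID + SignatureData
    body = b"".join(owner.bytes_le + e for e in entries)
    list_size = _LIST_HDR_LEN + len(body)
    return sig_type.bytes_le + _LIST_HDR.pack(list_size, 0, sig_size) + body


def parse_signature_lists(blob):
    """Yield (signature_type_guid, [signature_data, ...]) for each list in blob.
    Raises ValueError on a truncated or self-inconsistent header."""
    off = 0
    while off < len(blob):
        if len(blob) - off < _LIST_HDR_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = _LIST_HDR.unpack_from(blob, off + 16)
        if list_size < _LIST_HDR_LEN + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize %d at offset %d" % (list_size, off))
        if sig_size <= 16:  # must hold at least the SignatureOwner GUID
            raise ValueError("bad SignatureSize %d at offset %d" % (sig_size, off))
        start = off + _LIST_HDR_LEN + hdr_size
        end = off + list_size
        if (end - start) % sig_size:
            raise ValueError("signature area not a multiple of SignatureSize at offset %d" % off)
        # Drop the 16-byte SignatureOwner GUID of each EFI_SIGNATURE_DATA entry.
        entries = [blob[p + 16:p + sig_size] for p in range(start, end, sig_size)]
        yield sig_type, entries
        off = end


def revoked_sha256_hashes(blob):
    """Return the set of SHA-256 digests the dbx revokes (X.509 lists are skipped)."""
    out = set()
    for sig_type, entries in parse_signature_lists(blob):
        if sig_type == EFI_CERT_SHA256_GUID:
            out.update(entries)
    return out


def is_revoked(blob, image_hash):
    """True if image_hash (32 raw bytes) appears in any SHA-256 list of the dbx."""
    return image_hash in revoked_sha256_hashes(blob)


# --- constructed sample data -------------------------------------------------
# Stand-ins for image hashes. In a real dbx the SHA-256 entries for PE images
# are Authenticode image hashes, not flat-file digests; hashing these short byte
# strings is only for illustration.
REVOKED_HASH = hashlib.sha256(b"constructed: stand-in for a revoked signed shell image").digest()
CLEAN_HASH = hashlib.sha256(b"constructed: stand-in for a current BIOS image").digest()
OTHER_REVOKED_HASH = hashlib.sha256(b"constructed: another revoked image").digest()
FAKE_CERT_DER = b"constructed: placeholder bytes standing in for a DER certificate"

# Three concatenated lists, as a real dbx variable may contain: two SHA-256
# lists and one X.509 list that the hash lookup must skip rather than choke on.
SAMPLE_DBX = (
    build_signature_list(EFI_CERT_SHA256_GUID, [REVOKED_HASH])
    + build_signature_list(EFI_CERT_SHA256_GUID, [OTHER_REVOKED_HASH])
    + build_signature_list(EFI_CERT_X509_GUID, [FAKE_CERT_DER])
)


if __name__ == "__main__":
    for name, h in (("revoked", REVOKED_HASH), ("clean", CLEAN_HASH)):
        print("%s image: %s" % (name, "REVOKED" if is_revoked(SAMPLE_DBX, h) else "not in dbx"))
```

To run this against a live system, export the variable first: on Windows, `(Get-SecureBootUEFI -Name dbx).Bytes` returns the raw blob; on Linux, the file `/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f` carries a 4-byte variable-attributes prefix that must be stripped before parsing. The hash compared against the dbx must be the PE Authenticode image hash of the binary, which is what the firmware computes at load time; a plain file digest will not match.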

Recommended Action:
To mitigate the risk of unauthorized pre-boot execution, users are strongly advised to:

  • Download the latest BIOS release packages from the official GIGABYTE support website and delete any previously downloaded BIOS_flash_tool.zip containing a signed UEFI Shell.
  • Set a BIOS Administrator Password to prevent unauthorized changes to firmware settings.
  • Disable Boot from External Devices (USB/Network Boot) or prioritize the internal hard drive in the boot order to prevent the loading of unauthorized external binaries.

Acknowledgement
We extend our gratitude to CERT/CC and Martin Smolar of ESET for researching and responsibly reporting this vulnerability.

The release schedule and package contents may be adjusted without further notification. Please check the official support page for the latest updates.