Gigabyte Motherboards Vulnerable to UEFI Malware

Multiple Gigabyte motherboard models are shipping with vulnerable UEFI firmware, exposing users to stealthy bootkit malware that operates below the operating system and is invisible to traditional security tools.

The flaws allow attackers with local or remote administrative privileges to execute arbitrary code in System Management Mode (SMM)—a highly privileged execution mode isolated from the operating system.

The vulnerabilities were discovered by researchers at Binarly, who identified four critical issues in Gigabyte's firmware and reported them to CERT/CC. The root cause lies in code provided by American Megatrends Inc. (AMI), a major BIOS supplier. While AMI quietly issued fixes to its customers under NDA, some OEMs—including Gigabyte—have not implemented the patches.

Each of the four vulnerabilities carries a CVSS score of 8.2 and enables various forms of SMM-based privilege escalation and persistence:

  • CVE-2025-7029 – A flaw in the OverClockSmiHandler allows attackers to escalate privileges into SMM.
  • CVE-2025-7028 – A vulnerability in the SmiFlash handler grants read/write access to SMRAM, potentially enabling malware implants.
  • CVE-2025-7027 – An SMM escalation issue that allows attackers to modify firmware by injecting arbitrary data into SMRAM.
  • CVE-2025-7026 – Permits writing to SMRAM, leading to persistent malware infections at the firmware level.

According to BleepingComputer, the issues affect more than 240 Gigabyte motherboard models, spanning various revisions, regional versions, and firmware builds released between late 2023 and August 2024.

Binarly warns that hundreds of product lines may be at risk—and Gigabyte is not alone. Devices from other manufacturers may also be vulnerable, though their names have not been disclosed.

CERT/CC confirms that Gigabyte was privately notified on April 15, and the company acknowledged the vulnerabilities on June 12. Although Gigabyte reportedly pushed updates, no public security advisory has been released to date.

In a statement to the press, Alex Matrosov, founder and CEO of Binarly, cast doubt on whether the vulnerabilities were ever properly addressed:

“Since all four vulnerabilities stem from AMI’s reference code, they were only disclosed to paying customers under NDA,” Matrosov explained. “That left many OEMs in the dark for years, and the flaws remained unpatched. It appears Gigabyte never released fixes—and for devices that have reached end-of-life, updates may never come.”
