AI description
CVE-2025-4275 is a vulnerability in Insyde H2O UEFI firmware that allows attackers to bypass Secure Boot protections. This is achieved by injecting rogue digital certificates into a poorly protected NVRAM variable named SecureFlashCertData. The firmware then mistakenly trusts the attacker's certificate, which allows the execution of malicious UEFI modules. Attackers with administrative OS-level access can write their own certificate to the SecureFlashCertData variable. During the next boot cycle, this injected certificate is used by the firmware to verify and execute unsigned or tampered UEFI code during early boot. This enables attackers to load pre-boot malware, rootkits, or firmware-level persistence mechanisms before the OS and its security tools initialize.
- Description: A vulnerability in the digital signature verification process does not properly validate variable attributes which allows an attacker to bypass signature verification by creating a non-authenticated NVRAM variable. An attacker may execute arbitrary signed UEFI code and bypass Secure Boot.
- Source: 8338d8cb-57f7-4252-abc0-96fd13e98d21
- NVD status: Awaiting Analysis
CVSS 3.1
- Type: Secondary
- Base score: 7.8
- Impact score: 6
- Exploitability score: 1.1
- Vector string: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
- Severity: HIGH
- Hype score: Not currently trending
Will be presenting my Hydroph0bia (CVE-2025-4275) research at OFFZONE (https://t.co/XYxy97Zwd7) 2025 on Aug 21st. It will be a 1 hr long main track talk about UEFI SecureBoot, the hole Insyde left in the H2O platform for a decade, and the things we all can do to prevent such holes.
@NikolajSchlej
23 Jul 2025
1819 Impressions
5 Retweets
32 Likes
9 Bookmarks
0 Replies
0 Quotes
[1day1line] CVE-2025-4275: Secure Boot Bypass via Digital Certificate Injection through InsydeH2O's NVRAM Variable https://t.co/JQGsWLYHNt Hello, this is newp1ayer48. Today's daily line is about the CVE-2025-4275, a Secure Boot bypass vulnerability found in the InsydeH2O UEFI
@hackyboiz
25 Jun 2025
2096 Impressions
6 Retweets
19 Likes
4 Bookmarks
0 Replies
0 Quotes
Hydroph0bia (CVE-2025-4275) - a trivial SecureBoot bypass for UEFI-compatible firmware based on Insyde H2O, part 1 https://t.co/Gctot6x3DQ https://t.co/5Kjg1SFxha
@5mukx
21 Jun 2025
2719 Impressions
17 Retweets
70 Likes
34 Bookmarks
1 Reply
0 Quotes
Published the third part of my blog series about Hydroph0bia (CVE-2025-4275) vulnerability, this one is about the fix as Insyde applied it, and my thoughts on improvements for it. https://t.co/vEIkUNH3Ey
@NikolajSchlej
20 Jun 2025
4827 Impressions
27 Retweets
50 Likes
29 Bookmarks
3 Replies
1 Quote
Top 5 Trending CVEs: 1 - CVE-2025-31200 2 - CVE-2023-50428 3 - CVE-2025-33073 4 - CVE-2025-21420 5 - CVE-2025-4275 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W
@CVEShield
15 Jun 2025
135 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Preliminary analysis shows that Insyde fixed Hydroph0bia (CVE-2025-4275) by forcefully removing the NVRAM vars that lead to exploitation during SecureFlashDxe driver startup, and setting a restrictive variable policy for them, so such vars can't be set from the OS anymore. https:
@NikolajSchlej
14 Jun 2025
4009 Impressions
12 Retweets
50 Likes
21 Bookmarks
1 Reply
0 Quotes
📢 FIRMWARE SECURITY ANNOUNCEMENT – Insyde UEFI Secure Boot Vulnerability (CVE-2025-4275) A critical vulnerability discovered in Insyde Software's H2O UEFI firmware allows malicious actors to bypass the system's Secure Boot mechanism. Zafiye
@GMDestekMerkezi
13 Jun 2025
71 Impressions
2 Retweets
7 Likes
0 Bookmarks
0 Replies
0 Quotes
#exploit 1. CVE-2025-0282: Stack-based BoF in Ivanti Connect Secure - https://t.co/gg5z4ap4Go 2. CVE-2025-4123: Grafana Path Traversal - https://t.co/0QxWl8iNVO 3. CVE-2025-4275: SecureBoot bypass for UEFI-compatible firmware based on Insyde H2O - https://t.co/l6ppF6bgYS
@ksg93rd
11 Jun 2025
276 Impressions
0 Retweets
3 Likes
1 Bookmark
0 Replies
0 Quotes
Hydroph0bia (CVE-2025-4275) PoC - DXE volume takeover on HUAWEI MateBook 14 2023, flashing a patched BIOS with custom boot logo. No user interaction outside of the OS required, SecureBoot and firmware password remain enabled. https://t.co/DYLj3oCb9O, https://t.co/nkk0WkIzFt h
@NikolajSchlej
11 Jun 2025
4562 Impressions
15 Retweets
54 Likes
19 Bookmarks
0 Replies
1 Quote
Lenovo estimates their fixes to Hydroph0bia (CVE-2025-4275) to be available no earlier than 2025-07-30 for all affected models that aren't EOL: https://t.co/hk0HlRgKVR
@NikolajSchlej
11 Jun 2025
360 Impressions
1 Retweet
10 Likes
1 Bookmark
0 Replies
0 Quotes
CVE-2025-4275 Running the provided utility changes the certificate on any Insyde BIOS and then the attached .efi file can be launched. https://t.co/4AmbcsgPPa
@CVEnew
11 Jun 2025
41 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
How to check if your FW is vulnerable to Hydroph0bia (CVE-2025-4275): obtain a BIOS dump or a BIOS update for your PC, open it in UEFITool NE, open Search window on Text tab (Ctrl+F), search for Unicode text "SecureFlashCertData". If nothing had been found, your FW is fine.
@NikolajSchlej
10 Jun 2025
1890 Impressions
12 Retweets
27 Likes
13 Bookmarks
1 Reply
0 Quotes
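A scripted form of the check in the post above, combined with a look at the variable attributes the CVE description refers to (an added example, not code from the researcher or from Insyde). It assumes a Linux host with efivarfs mounted at `/sys/firmware/efi/efivars`; the variable's GUID is not given on this page, so copies are matched by name only, and treating an OS-visible non-authenticated copy as worth investigating is this example's assumption.

```python
import glob
import os
import struct
import sys

VAR_NAME = "SecureFlashCertData"        # variable name given on the page
NEEDLE = VAR_NAME.encode("utf-16-le")   # UEFI stores names as UTF-16LE ("Unicode text")
# Variable attribute bits as defined in the UEFI specification.
ATTRS = {0x01: "NV", 0x02: "BS", 0x04: "RT", 0x10: "AUTH_WRITE", 0x20: "TIME_AUTH_WRITE"}


def find_name_offsets(image: bytes) -> list:
    """Offsets of the UTF-16LE variable name in a BIOS dump or update image."""
    offsets, pos = [], image.find(NEEDLE)
    while pos != -1:
        offsets.append(pos)
        pos = image.find(NEEDLE, pos + len(NEEDLE))
    return offsets


def decode_efivarfs(blob: bytes) -> dict:
    """Split an efivarfs file: 4-byte little-endian attributes, then the data."""
    if len(blob) < 4:
        raise ValueError("efivarfs entry shorter than its attribute header")
    attrs = struct.unpack_from("<I", blob)[0]
    return {
        "attrs": [name for bit, name in ATTRS.items() if attrs & bit],
        "authenticated": bool(attrs & 0x30),   # either authenticated-write bit set
        "data_len": len(blob) - 4,
    }


def os_visible_copies(root: str = "/sys/firmware/efi/efivars") -> dict:
    """Decode every OS-visible variable with this name, whatever its GUID."""
    found = {}
    for path in sorted(glob.glob(os.path.join(root, VAR_NAME + "-*"))):
        with open(path, "rb") as fh:
            found[os.path.basename(path)] = decode_efivarfs(fh.read())
    return found


if __name__ == "__main__":
    if len(sys.argv) > 1:                       # optional: path to a firmware image
        with open(sys.argv[1], "rb") as fh:
            hits = find_name_offsets(fh.read())
        print("name present in image at:", [hex(h) for h in hits] or "not found")
    for name, info in os_visible_copies().items():
        flag = "" if info["authenticated"] else "  <-- non-authenticated, investigate"
        print(name, info["attrs"], info["data_len"], "bytes" + flag)
```

The image scan works on raw bytes, while UEFITool NE searches unpacked firmware volumes, so an empty result here is not conclusive if the relevant drivers sit inside compressed sections.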
The embargo (12:00 UTC 2025-06-10) is over, let's start a thread on Hydroph0bia (CVE-2025-4275), a trivial SecureBoot and FW updater signature bypass in almost any Insyde H2O-based UEFI firmware used since 2012 and still in use today. English writeup: https://t.co/DYLj3oBDkg
@NikolajSchlej
10 Jun 2025
12144 Impressions
75 Retweets
156 Likes
60 Bookmarks
2 Replies
2 Quotes