Recent Security Advisories

INSYDE-SA-2025002
Product: InsydeH2O
CVSS Score: 7.8
Original Date: 2025-06-10
Last Revised: 2025-06-10
Summary
SecureFlashDxe: Incorrect UEFI variable attribute check allows use of an invalid (attacker-supplied) certificate.
Vulnerability Details
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CVE-2025-4275 (CERT/CC: VU#211341)
The digital signature verification in SecureFlashDxe does not validate the attributes of the UEFI variable from which it reads the signing certificate. An attacker who can create a non-authenticated NVRAM variable of that name (a local, privileged write from the OS, per the CVSS vector) can therefore supply their own certificate, and the signature check accepts it as if it had come from an authenticated variable. The attacker may then be able to execute arbitrary UEFI code signed with the attacker-supplied certificate and bypass Secure Boot.
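The pattern the advisory describes, shown beside a hardened form, as an added example that is not Insyde's code. The variable name ExampleSigningCert, the expected attribute set, the in-memory variable store standing in for GetVariable(), and the one-byte "signature" check are all assumptions made for this example; the point it demonstrates is that a check which ignores the attributes returned by GetVariable() will trust a non-authenticated variable of the right name.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* UEFI variable attribute bits (UEFI Specification, GetVariable/SetVariable). */
#define EFI_VARIABLE_NON_VOLATILE                          0x00000001u
#define EFI_VARIABLE_BOOTSERVICE_ACCESS                    0x00000002u
#define EFI_VARIABLE_RUNTIME_ACCESS                        0x00000004u
#define EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS 0x00000020u

/* Hypothetical variable name; the advisory does not name the real one. */
#define CERT_VAR_NAME "ExampleSigningCert"

/* Assumed attribute set of a legitimately provisioned certificate variable:
 * NV + boot-service access + time-based authenticated write. */
#define CERT_VAR_EXPECTED_ATTRS (EFI_VARIABLE_NON_VOLATILE | \
                                 EFI_VARIABLE_BOOTSERVICE_ACCESS | \
                                 EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS)

/* Minimal in-memory stand-in for the firmware variable store (constructed). */
typedef struct {
    const char    *name;
    uint32_t       attrs;
    const uint8_t *data;
    size_t         size;
} Var;

/* Constructed placeholder "DER" blobs; real certificates are far larger. */
static const uint8_t OEM_CERT[]      = { 0x30, 0x82, 0x04, 0x00, 0x01 };
static const uint8_t ATTACKER_CERT[] = { 0x30, 0x82, 0x04, 0x00, 0xFF };

/* Emulates gRT->GetVariable(): returns attributes and payload by name. */
static bool get_variable(const Var *store, size_t n, const char *name,
                         uint32_t *attrs, const uint8_t **data, size_t *size)
{
    for (size_t i = 0; i < n; i++) {
        if (strcmp(store[i].name, name) == 0) {
            *attrs = store[i].attrs; *data = store[i].data; *size = store[i].size;
            return true;
        }
    }
    return false;
}

/* Vulnerable pattern: any variable with the expected name is trusted; the
 * attributes GetVariable() hands back are thrown away. */
static bool load_cert_vulnerable(const Var *store, size_t n,
                                 const uint8_t **cert, size_t *len)
{
    uint32_t attrs;
    return get_variable(store, n, CERT_VAR_NAME, &attrs, cert, len);
}

/* Hardened pattern: the variable must exist AND carry exactly the attribute
 * set a provisioned certificate variable has. Exact equality is deliberate:
 * it rejects both a missing authenticated bit and an unexpected extra bit
 * such as RUNTIME_ACCESS, which is what an OS-level writer would produce. */
static bool load_cert_hardened(const Var *store, size_t n,
                               const uint8_t **cert, size_t *len)
{
    uint32_t attrs;
    if (!get_variable(store, n, CERT_VAR_NAME, &attrs, cert, len)) return false;
    if (attrs != CERT_VAR_EXPECTED_ATTRS) { *cert = NULL; *len = 0; return false; }
    return true;
}

/* Toy stand-in for the PKCS#7 check: an image is "signed" by a certificate
 * when its last byte equals the certificate's last byte. */
static bool image_signed_by(const uint8_t *cert, size_t cert_len,
                            const uint8_t *image, size_t image_len)
{
    return cert && cert_len && image_len && cert[cert_len - 1] == image[image_len - 1];
}

static bool check_image(const Var *store, size_t n, bool hardened,
                        const uint8_t *image, size_t image_len)
{
    const uint8_t *cert = NULL; size_t len = 0;
    bool ok = hardened ? load_cert_hardened(store, n, &cert, &len)
                       : load_cert_vulnerable(store, n, &cert, &len);
    return ok && image_signed_by(cert, len, image, image_len);
}

/* Scenario from the advisory: the attacker creates a NON-authenticated NV
 * variable with the expected name from the OS, then presents an image signed
 * with the certificate it contains. Returns true if the image is accepted. */
bool attacker_image_accepted(bool hardened)
{
    const Var store[] = {{ CERT_VAR_NAME,
        EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS |
        EFI_VARIABLE_RUNTIME_ACCESS,                   /* no authenticated bit */
        ATTACKER_CERT, sizeof ATTACKER_CERT }};
    const uint8_t image[] = { 0xDE, 0xAD, 0xFF };        /* "signed" by ATTACKER_CERT */
    return check_image(store, 1, hardened, image, sizeof image);
}

/* Control: the genuine authenticated variable is present and an OEM-signed
 * image is presented; the hardened check must still accept it. */
bool oem_image_accepted(bool hardened)
{
    const Var store[] = {{ CERT_VAR_NAME, CERT_VAR_EXPECTED_ATTRS, OEM_CERT, sizeof OEM_CERT }};
    const uint8_t image[] = { 0xCA, 0xFE, 0x01 };        /* "signed" by OEM_CERT */
    return check_image(store, 1, hardened, image, sizeof image);
}

int main(void)
{
    printf("vulnerable: attacker image accepted = %d\n", attacker_image_accepted(false));
    printf("hardened:   attacker image accepted = %d\n", attacker_image_accepted(true));
    printf("hardened:   OEM image accepted      = %d\n", oem_image_accepted(true));
    return 0;
}
```

The fix is cheap because the firmware already has the information: GetVariable() returns the attributes, and a variable that was created through the authenticated SetVariable() path carries an authenticated-write bit the attacker cannot set from the OS. Comparing against the full expected attribute set, rather than only testing one bit, also closes the variant where the attacker's variable carries extra bits.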
Solution Information
Fixed in the following InsydeH2O kernel releases; end users receive the fix through their OEM's BIOS/firmware update:
kernel 5.2, Version 05.2A.16
kernel 5.3, Version 05.39.16
kernel 5.4, Version 05.47.16
kernel 5.5, Version 05.55.16
kernel 5.6, Version 05.62.16
kernel 5.7, Version 05.71.16
Acknowledgements
Thanks to Nikolaj Schlej, independent firmware security researcher, for reporting the vulnerability and engaging in this coordinated disclosure.
Revision History
Revision #  Date        Description
1           2025-06-10  Initial Release