{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/746790#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\n\r\nSystem Management Mode (SMM) callout vulnerabilities have been identified in UEFI modules present in Gigabyte firmware. An attacker could exploit one or more of these vulnerabilities to elevate privileges and execute arbitrary code in the SMM environment of a UEFI-supported processor. While AMI (the original firmware supplier) has indicated that these vulnerabilities were previously addressed, they have resurfaced in Gigabyte firmware and are now being publicly disclosed.\r\n\r\n### Description\r\n\r\nThe Unified Extensible Firmware Interface ([UEFI](https://uefi.org/)) specification defines an interface between an operating system (OS) and platform firmware. UEFI can interact directly with hardware using System Management Mode (SMM), a highly privileged CPU mode designed for handling low-level system operations. [SMM operations](https://edk2-docs.gitbook.io/edk-ii-secure-coding-guide/secure_coding_guidelines_intel_platforms/smm) are executed within a protected memory region called System Management RAM (SMRAM) and are only accessible through System Management Interrupt (SMI) handlers.\r\n\r\nSMI handlers act as a gateway to SMM and process data passed via specific communication buffers. Improper validation of these buffers or untrusted pointers from CPU save state registers can lead to serious security risks, including SMRAM corruption and unauthorized SMM execution. 
An attacker could abuse these SMI handlers to execute arbitrary code within the early boot phases, recovery modes, or before the OS fully loads.\r\n\r\nThe following vulnerabilities were identified in Gigabyte firmware implementations:\r\n\r\n- **CVE-2025-7029** : Unchecked use of the `RBX` register allows attacker control over `OcHeader` and `OcData` pointers used in power and thermal configuration logic, resulting in arbitrary SMRAM writes. (BRLY-2025-011)\r\n- **CVE-2025-7028** : Lack of validation of function pointer structures derived from `RBX` and `RCX` allows attacker control over critical flash operations via `FuncBlock`, affecting functions like `ReadFlash`, `WriteFlash`, `EraseFlash`, and `GetFlashInfo`. (BRLY-2025-010)\r\n- **CVE-2025-7027** : Double pointer dereference vulnerability: the write location is taken from an unvalidated NVRAM variable, `SetupXtuBufferAddress`, and the write content is read from an attacker-controlled pointer based on the `RBX` register, which can be used to write arbitrary content to SMRAM. (BRLY-2025-009)\r\n- **CVE-2025-7026** : Attacker-controlled `RBX` register used as an unchecked pointer within the `CommandRcx0` function allows writes to attacker-specified memory in SMRAM. (BRLY-2025-008)\r\n\r\nAccording to AMI, these vulnerabilities were previously addressed via private disclosures, yet the vulnerable implementations remain in some OEM firmware builds such as in the case of Gigabyte. Gigabyte has issued updated firmware to address the vulnerabilities. Users are strongly advised to visit the Gigabyte support site to determine if their systems are affected and to apply the necessary updates.\r\n\r\n### Impact\r\n\r\nAn attacker with local or remote administrative privileges may exploit these vulnerabilities to execute arbitrary code in System Management Mode (Ring -2), bypassing OS-level protections. 
These vulnerabilities can be triggered via SMI handlers from within the operating system, or in certain cases, during early boot phases, sleep states, or recovery modes—before the OS fully loads.\r\n\r\nExploitation can disable UEFI security mechanisms such as Secure Boot and Intel BootGuard, enabling stealthy firmware implants and persistent control over the system. Because SMM operates below the OS, such attacks are also difficult to detect or mitigate using traditional endpoint protection tools.\r\n\r\n### Solution\r\n\r\nInstall the latest UEFI firmware updates provided by your PC vendor. Refer to the **Vendor Information** section below and Gigabyte’s [security website](https://www.gigabyte.com/Support/Security) for specific advisories and update instructions.  Because these vulnerabilities may affect firmware supplied through the supply chain, other PC OEM vendors may also be impacted. Monitor the **Vendor Information** section for updates as they become available.\r\n\r\n\r\n### Acknowledgements\r\n\r\nWe thank the Binarly REsearch team for responsibly disclosing these vulnerabilities to CERT/CC. We also acknowledge Gigabyte’s PSIRT for their collaboration and timely response.  This document was written by Vijay Sarvepalli.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. 
Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"},{"category":"other","text":"This BIOS update addresses critical security vulnerabilities (CVE-2025-7026, CVE-2025-7027, CVE-2025-7029) identified by BRLY.\r\nGIGABYTE strongly recommends all users update their system BIOS immediately to protect against potential security risks.\r\nThe following End-of-Life (EOL) models - IMB1900/J1800/J1900/J4005 will not receive BIOS updates.","title":"Vendor statement from GIGABYTE"},{"category":"other","text":"After review, AMI confirms that the vulnerabilities were previously identified and addressed in earlier security advisories which were published under NDA to downstream partners.  All actively supported AMI firmware products have already been updated to remediate this issue.\r\n\r\nWe encourage all downstream vendors and integrators to ensure they are using the latest AMI firmware releases and to apply all relevant security updates as outlined in our advisories.\r\n\r\nIf you have any further questions or require coordination support, please contact our Product Security Incident Response Team (PSIRT) at biossecurity@ami.com .","title":"Vendor statement from American Megatrends Incorporated (AMI)"},{"category":"other","text":"Confirm that the vulnerability in this notification is not related to any ASUS product","title":"Vendor statement from ASUSTeK Computer Inc."}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document 
released","category":"self","url":"https://kb.cert.org/vuls/id/746790"},{"url":"https://espport.gigabyte.com/","summary":"https://espport.gigabyte.com/"},{"url":"https://www.gigabyte.com/Support/Security","summary":"https://www.gigabyte.com/Support/Security"},{"url":"https://www.binarly.io/advisories","summary":"https://www.binarly.io/advisories"},{"url":"https://www.synacktiv.com/en/publications/through-the-smm-class-and-a-vulnerability-found-there","summary":"https://www.synacktiv.com/en/publications/through-the-smm-class-and-a-vulnerability-found-there"},{"url":"https://www.gigabyte.com/tw/Support/Security","summary":"Reference(s) from vendor \"GIGABYTE\""}],"title":"SMM callout vulnerabilities identified in Gigabyte UEFI firmware modules","tracking":{"current_release_date":"2025-07-15T17:39:28+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#746790","initial_release_date":"2025-07-11 15:40:18.863383+00:00","revision_history":[{"date":"2025-07-15T17:39:28+00:00","number":"1.20250715173928.5","summary":"Released on 2025-07-15T17:39:28+00:00"}],"status":"final","version":"1.20250715173928.5"}},"vulnerabilities":[{"title":"A vulnerability in the Software SMI handler (SwSmiInputValue 0xB2) allows a local attacker to control the RBX register, which is used to derive pointers (OcHeader, OcData) passed into power and thermal configuration logic.","notes":[{"category":"summary","text":"A vulnerability in the Software SMI handler (SwSmiInputValue 0xB2) allows a local attacker to control the RBX register, which is used to derive pointers (OcHeader, OcData) passed into power and thermal configuration logic. 
These buffers are not validated before performing multiple structured memory writes based on OcSetup NVRAM values, enabling arbitrary SMRAM corruption and potential SMM privilege escalation."}],"cve":"CVE-2025-7029","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#746790"}],"product_status":{"known_affected":["CSAFPID-3e93ac4e-3592-11f1-8422-122e2785dc9f"],"known_not_affected":["CSAFPID-3e93e1dc-3592-11f1-8422-122e2785dc9f","CSAFPID-3e942a0c-3592-11f1-8422-122e2785dc9f","CSAFPID-3e94629c-3592-11f1-8422-122e2785dc9f","CSAFPID-3e949ece-3592-11f1-8422-122e2785dc9f","CSAFPID-3e94fda6-3592-11f1-8422-122e2785dc9f"]}},{"title":"A vulnerability in the Software SMI handler (SwSmiInputValue 0xB2) allows a local attacker to control the RBX register, which is used as an unchecked pointer in the CommandRcx0 function.","notes":[{"category":"summary","text":"A vulnerability in the Software SMI handler (SwSmiInputValue 0xB2) allows a local attacker to control the RBX register, which is used as an unchecked pointer in the CommandRcx0 function. 
If the contents at RBX match certain expected values (e.g., '$DB$' or '2DB$'), the function performs arbitrary writes to System Management RAM (SMRAM), leading to potential privilege escalation to System Management Mode (SMM) and persistent firmware compromise."}],"cve":"CVE-2025-7026","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#746790"}],"product_status":{"known_affected":["CSAFPID-3e956250-3592-11f1-8422-122e2785dc9f"],"known_not_affected":["CSAFPID-3e95a418-3592-11f1-8422-122e2785dc9f","CSAFPID-3e95feb8-3592-11f1-8422-122e2785dc9f","CSAFPID-3e96415c-3592-11f1-8422-122e2785dc9f","CSAFPID-3e9692a6-3592-11f1-8422-122e2785dc9f","CSAFPID-3e96f1e2-3592-11f1-8422-122e2785dc9f"]}},{"title":"A vulnerability in the Software SMI handler (SwSmiInputValue 0x20) allows a local attacker to supply a crafted pointer (FuncBlock) through RBX and RCX register values.","notes":[{"category":"summary","text":"A vulnerability in the Software SMI handler (SwSmiInputValue 0x20) allows a local attacker to supply a crafted pointer (FuncBlock) through RBX and RCX register values. This pointer is passed unchecked into multiple flash management functions (ReadFlash, WriteFlash, EraseFlash, and GetFlashInfo) that dereference both the structure and its nested members, such as BufAddr. 
This enables arbitrary read/write access to System Management RAM (SMRAM), allowing an attacker to corrupt firmware memory, exfiltrate SMRAM content via flash, or install persistent implants."}],"cve":"CVE-2025-7028","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#746790"}],"product_status":{"known_affected":["CSAFPID-3e97d7ec-3592-11f1-8422-122e2785dc9f"],"known_not_affected":["CSAFPID-3e9805d2-3592-11f1-8422-122e2785dc9f","CSAFPID-3e9847e0-3592-11f1-8422-122e2785dc9f","CSAFPID-3e98733c-3592-11f1-8422-122e2785dc9f","CSAFPID-3e989f24-3592-11f1-8422-122e2785dc9f","CSAFPID-3e98dc14-3592-11f1-8422-122e2785dc9f"]}},{"title":"A vulnerability in the Software SMI handler (SwSmiInputValue 0xB2) allows a local attacker to control both the read and write addresses used by the CommandRcx1 function.","notes":[{"category":"summary","text":"A vulnerability in the Software SMI handler (SwSmiInputValue 0xB2) allows a local attacker to control both the read and write addresses used by the CommandRcx1 function. The write target is derived from an unvalidated UEFI NVRAM variable (SetupXtuBufferAddress), while the write content is read from an attacker-controlled pointer based on the RBX register. 
This dual-pointer dereference enables arbitrary memory writes within System Management RAM (SMRAM), leading to potential SMM privilege escalation and firmware compromise."}],"cve":"CVE-2025-7027","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#746790"}],"references":[{"url":"https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00562.html","summary":"The OverClockSmiHandler was previously deprecated as part of Intel Corporation publishing CVE-2021-0157","category":"external"}],"product_status":{"known_affected":["CSAFPID-3e995aea-3592-11f1-8422-122e2785dc9f"],"known_not_affected":["CSAFPID-3e99883a-3592-11f1-8422-122e2785dc9f","CSAFPID-3e99b292-3592-11f1-8422-122e2785dc9f","CSAFPID-3e99f0c2-3592-11f1-8422-122e2785dc9f","CSAFPID-3e9a2a42-3592-11f1-8422-122e2785dc9f","CSAFPID-3e9a5b70-3592-11f1-8422-122e2785dc9f"]}}],"product_tree":{"branches":[{"category":"vendor","name":"GIGABYTE","product":{"name":"GIGABYTE Products","product_id":"CSAFPID-3e93ac4e-3592-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Phoenix Technologies","product":{"name":"Phoenix Technologies Products","product_id":"CSAFPID-3e93e1dc-3592-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Insyde Software Corporation","product":{"name":"Insyde Software Corporation Products","product_id":"CSAFPID-3e942a0c-3592-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"ASUSTeK Computer Inc.","product":{"name":"ASUSTeK Computer Inc. 
Products","product_id":"CSAFPID-3e94629c-3592-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Intel","product":{"name":"Intel Products","product_id":"CSAFPID-3e949ece-3592-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"American Megatrends Incorporated (AMI)","product":{"name":"American Megatrends Incorporated (AMI) Products","product_id":"CSAFPID-3e94fda6-3592-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"GIGABYTE","product":{"name":"GIGABYTE Products","product_id":"CSAFPID-3e956250-3592-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Phoenix Technologies","product":{"name":"Phoenix Technologies Products","product_id":"CSAFPID-3e95a418-3592-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"American Megatrends Incorporated (AMI)","product":{"name":"American Megatrends Incorporated (AMI) Products","product_id":"CSAFPID-3e95feb8-3592-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Insyde Software Corporation","product":{"name":"Insyde Software Corporation Products","product_id":"CSAFPID-3e96415c-3592-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"ASUSTeK Computer Inc.","product":{"name":"ASUSTeK Computer Inc. Products","product_id":"CSAFPID-3e9692a6-3592-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Intel","product":{"name":"Intel Products","product_id":"CSAFPID-3e96f1e2-3592-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"GIGABYTE","product":{"name":"GIGABYTE Products","product_id":"CSAFPID-3e97d7ec-3592-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Phoenix Technologies","product":{"name":"Phoenix Technologies Products","product_id":"CSAFPID-3e9805d2-3592-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Insyde Software Corporation","product":{"name":"Insyde Software Corporation Products","product_id":"CSAFPID-3e9847e0-3592-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"ASUSTeK Computer Inc.","product":{"name":"ASUSTeK Computer Inc. 
Products","product_id":"CSAFPID-3e98733c-3592-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Intel","product":{"name":"Intel Products","product_id":"CSAFPID-3e989f24-3592-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"American Megatrends Incorporated (AMI)","product":{"name":"American Megatrends Incorporated (AMI) Products","product_id":"CSAFPID-3e98dc14-3592-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"GIGABYTE","product":{"name":"GIGABYTE Products","product_id":"CSAFPID-3e995aea-3592-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Phoenix Technologies","product":{"name":"Phoenix Technologies Products","product_id":"CSAFPID-3e99883a-3592-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Intel","product":{"name":"Intel Products","product_id":"CSAFPID-3e99b292-3592-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Insyde Software Corporation","product":{"name":"Insyde Software Corporation Products","product_id":"CSAFPID-3e99f0c2-3592-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"ASUSTeK Computer Inc.","product":{"name":"ASUSTeK Computer Inc. Products","product_id":"CSAFPID-3e9a2a42-3592-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"American Megatrends Incorporated (AMI)","product":{"name":"American Megatrends Incorporated (AMI) Products","product_id":"CSAFPID-3e9a5b70-3592-11f1-8422-122e2785dc9f"}}]}}