Chicago IT Support & Cyber Security | Forward Technologies
Microsoft Plugs One Secure Boot Flaw While Leaving Another Wide Open

June 11, 2025 by Edward Silha

Security researchers have identified two vulnerabilities in the Secure Boot ecosystem, each of which can be used to sidestep one of the most important protections on modern PCs. Microsoft has issued a patch for one of them. The other remains unaddressed, even though it gives attackers a nearly universal way to bypass Secure Boot during startup.

This week’s patch from Microsoft addresses a vulnerability tracked as CVE-2025-3052. The vulnerable binary is signed under Microsoft’s third-party UEFI certificate, the same certificate used to sign Linux boot components such as shim, so it is trusted by devices from more than 50 manufacturers. The flaw allows someone with physical access to a device, or an attacker who already holds administrator rights on the running operating system, to disable Secure Boot entirely. Once that is done, they can install malware that loads before the operating system starts and persists across reboots. The attack is particularly concerning because it is stealthy and persistent, and because, with administrative access in hand, it can be carried out remotely with no physical access at all.

The vulnerability is in a firmware flashing utility shipped with rugged tablets made by DT Research. Although intended for that one product line, the utility reads attacker-controllable data from a UEFI NVRAM variable without validating it, which hands the attacker an arbitrary memory write during boot, enough to switch off the firmware’s signature checks. Because the utility carries a signature chaining to Microsoft’s third-party UEFI CA, the certificate Microsoft uses to let Linux and other non-Windows boot loaders run under Secure Boot, most machines would execute it during startup without complaint. The fix released this week updates the DBX, the Secure Boot forbidden-signatures database, adding the hashes of fourteen known builds of the vulnerable module so that firmware refuses to load them even though their signatures remain valid.
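To make that mechanism concrete, here is an added example (not code from the original post, from Microsoft or from Binarly) that parses a DBX blob in the EFI_SIGNATURE_LIST layout the firmware stores it in and checks whether a given image digest is already revoked. The layout follows the UEFI specification; the sample blob, its two digests and its owner GUID are constructed here for illustration and are not the hashes Microsoft published for CVE-2025-3052. The digests the DBX holds are Authenticode hashes of the PE image, not plain file hashes, so a real check must compute the hash the same way the firmware does.

```python
"""Parse a UEFI Secure Boot DBX (forbidden signatures database) blob.

Added example, not code from the original post or from Microsoft/Binarly.
The DBX is a sequence of EFI_SIGNATURE_LIST structures (UEFI spec):

    EFI_GUID  SignatureType        16 bytes, mixed-endian GUID
    UINT32    SignatureListSize    total size of this list, header included
    UINT32    SignatureHeaderSize  usually 0
    UINT32    SignatureSize        size of each EFI_SIGNATURE_DATA entry
    UINT8     SignatureHeader[SignatureHeaderSize]
    EFI_SIGNATURE_DATA Signatures[]   each = 16-byte owner GUID + payload

For EFI_CERT_SHA256_GUID entries the payload is the 32-byte Authenticode
SHA-256 of a PE image, so SignatureSize is 48.
"""
from __future__ import annotations

import struct
import uuid
from typing import Iterator, NamedTuple

EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# EFI_IMAGE_SECURITY_DATABASE_GUID: the variable namespace of db and dbx.
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"

_HDR = struct.Struct("<16sIII")  # SignatureType, ListSize, HeaderSize, SigSize


class DbxEntry(NamedTuple):
    sig_type: uuid.UUID
    owner: uuid.UUID
    data: bytes


def parse_signature_lists(blob: bytes) -> Iterator[DbxEntry]:
    """Yield every EFI_SIGNATURE_DATA in a concatenation of signature lists."""
    off = 0
    while off < len(blob):
        if len(blob) - off < _HDR.size:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at {off}")
        raw_type, list_size, hdr_size, sig_size = _HDR.unpack_from(blob, off)
        if list_size < _HDR.size or off + list_size > len(blob):
            raise ValueError(f"bad SignatureListSize {list_size} at {off}")
        if sig_size <= 16:
            raise ValueError(f"SignatureSize {sig_size} leaves no room for a payload")
        sig_type = uuid.UUID(bytes_le=raw_type)
        body = blob[off + _HDR.size + hdr_size : off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature list body is not a multiple of SignatureSize")
        for i in range(0, len(body), sig_size):
            entry = body[i : i + sig_size]
            yield DbxEntry(sig_type, uuid.UUID(bytes_le=entry[:16]), entry[16:])
        off += list_size


def revoked_sha256_hashes(blob: bytes) -> set[str]:
    """Return the hex Authenticode SHA-256 digests that this DBX forbids."""
    return {
        e.data.hex()
        for e in parse_signature_lists(blob)
        if e.sig_type == EFI_CERT_SHA256_GUID
    }


def dbx_contains(blob: bytes, digest_hex: str) -> bool:
    """True if the given Authenticode SHA-256 (hex) is already blocked."""
    return digest_hex.lower() in revoked_sha256_hashes(blob)


def build_sha256_list(owner: uuid.UUID, digests: list[bytes]) -> bytes:
    """Serialise 32-byte digests as one EFI_SIGNATURE_LIST (used for the sample)."""
    sig_size = 16 + 32
    list_size = _HDR.size + sig_size * len(digests)
    out = _HDR.pack(EFI_CERT_SHA256_GUID.bytes_le, list_size, 0, sig_size)
    for d in digests:
        if len(d) != 32:
            raise ValueError("SHA-256 digests must be 32 bytes")
        out += owner.bytes_le + d
    return out


def load_linux_efivar(path: str) -> bytes:
    """Read dbx from efivarfs; the first 4 bytes are variable attributes, not data."""
    with open(path, "rb") as f:
        return f.read()[4:]


# Constructed sample: two made-up digests under a made-up owner GUID.
# These are NOT the fourteen hashes Microsoft added for CVE-2025-3052.
SAMPLE_OWNER = uuid.UUID("0f0f0f0f-1111-2222-3333-444444444444")
SAMPLE_DIGESTS = [bytes([0x11]) * 32, bytes([0x22]) * 32]
SAMPLE_DBX = build_sha256_list(SAMPLE_OWNER, SAMPLE_DIGESTS)

if __name__ == "__main__":
    # On a Linux host, replace SAMPLE_DBX with load_linux_efivar(
    #     f"/sys/firmware/efi/efivars/dbx-{EFI_IMAGE_SECURITY_DATABASE_GUID}")
    for h in sorted(revoked_sha256_hashes(SAMPLE_DBX)):
        print(h)
```

On Windows the same bytes come from `(Get-SecureBootUEFI -Name dbx).Bytes`, without the 4-byte efivarfs attribute prefix. Comparing the parsed set against the digests in a vendor's DBX advisory tells you whether the revocation has actually been applied on a given machine, which is the check that matters after a firmware-level fix like this one.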

The larger issue here is how a single signed component from one vendor can expose systems from every other vendor that enrolls the same certificate. It is a reminder that trust chains like Secure Boot are only as strong as their weakest signed link. Binarly, the firm that discovered the problem, rated it a high-severity flaw. Linux vendors including Red Hat have also shipped the DBX update to their systems.

Secure Boot, part of the UEFI specification and shipping on PCs for more than ten years, uses digital signatures to ensure only approved software runs during system boot: each stage is loaded only if it is signed by a key in the firmware’s allowed database (db) and its hash is not listed in the forbidden database (dbx). It is meant to prevent low-level tampering and to establish a trusted baseline before the OS takes over. Microsoft requires it enabled for Windows 11 hardware, and several government hardening baselines require it as well.

The second vulnerability, CVE-2025-47827, is arguably just as dangerous, yet Microsoft has not acted on it. It was reported by researcher Zack Didcott and affects IGEL OS, a Linux-based operating system used on thin clients. In IGEL OS versions before 11, the igel-flash-driver kernel module improperly verifies the cryptographic signature of the root filesystem, so a crafted, unsigned SquashFS image can be mounted as root. Like the first flaw, the affected boot chain is signed under Microsoft’s third-party UEFI certificate, which means nearly any device that has that certificate enrolled will boot it.

Attackers need only a brief window of physical access to exploit it. By booting the vulnerable IGEL kernel through its Microsoft-signed boot chain and supplying their own root filesystem, they can replace the boot loader and install code that runs beneath whatever operating system the machine normally uses. Despite being notified, Microsoft has not revoked the affected IGEL binaries, for example by adding their hashes to the DBX, leaving the door open for abuse.

Firmware security firm Eclypsium has confirmed that the IGEL vulnerability gives a reliable way to break Secure Boot. The root of the problem is the broad trust placed in Microsoft’s third-party UEFI certificate: nearly every PC enrolls it, so everything signed under it is trusted everywhere. As long as the affected components remain unrevoked, the flawed IGEL boot chain can be used to subvert boot protections on most PC-class devices, regardless of which operating system they normally run.

For users and administrators, the practical defenses are limited. Install this month’s update so the new DBX entries land, and confirm that they did: on Windows, Get-SecureBootUEFI -Name dbx returns the raw variable, and on Linux the same data is exposed under /sys/firmware/efi/efivars/ (or listed by tools such as mokutil and dbxtool). Keep devices physically secure, since both flaws are easiest to exploit with hands on the machine. Where firmware offers a Windows-only or “Microsoft only” Secure Boot mode that leaves the third-party UEFI certificate out of the allowed database, machines that never boot Linux or other third-party loaders can use it to remove this whole class of signed-but-vulnerable binaries from their trust chain; Microsoft’s Secured-core PC configuration ships that way by default. Beyond that, the situation highlights a bigger problem: Secure Boot was designed to prevent exactly this type of attack, and when trusted components go unchecked, that foundation quickly erodes.

Filed Under: Blog, Cybersecurity Tagged With: Binarly, bootloader exploit, CVE-2025-3052, CVE-2025-47827, cybersecurity, DBX blocklist, digital signatures, DT Research, Eclypsium, firmware security, GRUB, IGEL, Linux kernel, malware, Microsoft, operating system security, Secure Boot, UEFI
