Security researchers have disclosed a now-patched security vulnerability allowing attackers to bypass the Secure Boot feature in Unified Extensible Firmware Interface (UEFI) systems. If exploited successfully, the flaw lets an attacker execute malicious or untrusted code during the system boot process, irrespective of the operating system installed.
The bug lies in a UEFI application signed by the Microsoft Corporation UEFI CA 2011 third-party UEFI certificate. The affected application is a part of multiple real-time system recovery software suites developed by Howyar Technologies Inc., Greenware Technologies, Radix Technologies Ltd., SANFONG Inc., Wasay Software Technology Inc., Computer Education System Inc., and Signal Computer GmbH. The following programs are affected:
- Howyar SysReturn before version 10.2.023_20240919
- Greenware GreenGuard before version 10.2.023-20240927
- Radix SmartRecovery before version 11.2.023-20240927
- Sanfong EZ-back System before version 10.3.024-20241127
- WASAY eRecoveryRX before version 8.4.022-20241127
- CES NeoImpact before version 10.1.024-20241127
- SignalComputer HDD King before version 10.3.021-20241127

Security researchers at ESET detected the vulnerability, explaining that “the vulnerability is caused by the use of a custom PE loader instead of using the standard and secure UEFI functions LoadImage and StartImage.” As a result, the application loads any UEFI binary, even an unsigned one, as long as it is wrapped in a specially crafted file called cloak.dat, so Secure Boot's signature check on the loaded image is never performed. The vulnerability is tracked as CVE-2024-7344 and has a CVSS score of 6.7.
Any code executed during the early boot phase where the vulnerability lies can persist on the system, which can then potentially load malicious kernel extensions that can survive reboots and even entire OS reinstallations. It can also hide from OS-based anti-virus or anti-malware programs.
Thankfully, it was addressed in Microsoft’s first Patch Tuesday update in 2025. Redmond addressed three actively exploited bugs in this update as well, namely CVE-2025-21333, CVE-2025-21334, and CVE-2025-21335. A total of 161 security vulnerabilities across its software portfolio were addressed in its first big security update for 2025.
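As an added example (not code from ESET, Microsoft or any of the vendors named above), the following Python script parses the UEFI dbx forbidden-signature database and checks whether a given Authenticode SHA-256 hash has been revoked, which is how a defender can confirm that a revocation such as this month's has actually reached a machine. The hash values and the sample dbx blob are constructed placeholders; the real revocation entries are not given on this page.

```python
"""Parse a UEFI dbx blob (a chain of EFI_SIGNATURE_LIST structures) and
check it for a revoked PE hash. On Linux the blob is
/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f (skip
the first 4 attribute bytes); on Windows use Get-SecureBootUEFI -Name dbx.
PLACEHOLDER_HASH and SAMPLE_DBX are constructed for the demo only."""
import struct
import uuid

EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

def parse_signature_lists(blob: bytes):
    """Yield (type_guid, signature_data) for each EFI_SIGNATURE_DATA entry."""
    off = 0
    while off + 28 <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 or off + list_size > len(blob) or sig_size <= 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            # EFI_SIGNATURE_DATA = 16-byte SignatureOwner GUID + SignatureData
            yield sig_type, blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end

def revoked_sha256_hashes(blob: bytes) -> set:
    """Only SHA-256 entries matter for a binary revocation; X.509 entries
    (EFI_CERT_X509_GUID) revoke whole signing certificates instead."""
    return {d.hex() for t, d in parse_signature_lists(blob)
            if t == EFI_CERT_SHA256_GUID}

def is_revoked(blob: bytes, pe_sha256_hex: str) -> bool:
    return pe_sha256_hex.lower() in revoked_sha256_hashes(blob)

def build_sha256_list(hashes_hex) -> bytes:
    """Construct one EFI_SIGNATURE_LIST of SHA-256 entries (demo input)."""
    owner = uuid.UUID(int=0).bytes_le
    sigs = b"".join(owner + bytes.fromhex(h) for h in hashes_hex)
    header = struct.pack("<III", 28 + len(sigs), 0, 16 + 32)
    return EFI_CERT_SHA256_GUID.bytes_le + header + sigs

# Constructed sample dbx with two placeholder hashes, NOT the real entries.
PLACEHOLDER_HASH = "11" * 32
SAMPLE_DBX = build_sha256_list([PLACEHOLDER_HASH, "22" * 32])

if __name__ == "__main__":
    print("revoked" if is_revoked(SAMPLE_DBX, PLACEHOLDER_HASH) else "NOT revoked")
```

Note that dbx stores the Authenticode hash of the PE image (the hash computed over the file with the checksum and certificate table excluded), not a plain SHA-256 of the file on disk, so compare against the value published in the revocation notice rather than `sha256sum` output.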