
A security issue in the Microsoft Windows Recovery Environment (WinRE) could allow attackers to bypass administrator-configured UEFI or BIOS passwords on GIGABYTE motherboards, potentially undermining firmware security controls and enabling unauthorized access to data.
The issue was reported by security researcher Beatriz Fresno Naumova and is tracked as VU#226679.
According to CERT/CC, WinRE can reboot a system via an alternate startup path that may not enforce the same firmware-level authentication requirements as those normally applied during a standard boot process. In some implementations, this can allow a user to circumvent administrator-configured UEFI password protections.
“Evil Maid” attack scenarios
The concern centers on the UEFI BootNext variable, a one-time boot setting stored in firmware NVRAM. BootNext takes precedence over the normal boot order during the next restart and can be used to direct a system to boot from an alternative device. While Secure Boot continues to verify the integrity and signatures of boot applications, CERT/CC notes that BootNext itself is not authenticated and that the UEFI specification leaves authentication and reset behavior largely to vendor implementations.
As a result, an attacker with physical access or sufficient Windows privileges to invoke recovery functions may be able to leverage WinRE's boot mechanisms to start an external operating system without being prompted for the configured UEFI administrator password.
CERT/CC warns that such access could facilitate “Evil Maid” attacks, where an adversary briefly gains access to an unattended device. Depending on the configuration, the technique could allow an attacker to modify boot settings, bypass operating-system security controls, or attempt offline attacks against stored data. The advisory also notes that some BitLocker protections could be weakened if additional pre-boot authentication mechanisms are not enabled.
GIGABYTE says the behavior is “by design”
While CERT/CC frames the issue as a security concern for organizations to evaluate, the hardware vendor GIGABYTE does not characterize the behavior as a flaw in its firmware.
In a security advisory, GIGABYTE acknowledged that certain motherboards and notebooks that support UEFI administrator passwords may exhibit this behavior when users enter WinRE and select the “Use a device” option to boot from external media.
However, the company describes the behavior as an inherent consequence of the current UEFI trust model. According to GIGABYTE, firmware is designed to trust BootNext requests originating from a running, trusted operating system. When such a request is issued via WinRE, the system may boot from the selected external device without being prompted again for the UEFI administrator password.
Rather than treating the issue as a firmware vulnerability to be remediated, GIGABYTE presents it as a broader ecosystem design trade-off involving operating systems, recovery environments, and UEFI firmware behavior.
The company argues that the most effective defenses are operational rather than firmware-based. Its recommendations include enabling full-disk encryption with BitLocker and TPM-based authentication, restricting access to WinRE and Advanced Startup features through Group Policy, controlling the use of external boot media, and implementing physical security measures to prevent unauthorized access to devices.
GIGABYTE said it is continuing to coordinate with industry partners and operating system vendors to evaluate possible improvements to the trust relationship between firmware and recovery environments, but stopped short of indicating that a firmware update is planned.
CERT/CC is warning organizations that firmware passwords may not provide the level of protection administrators expect when WinRE is available, and instead recommends deploying layered defenses, including BitLocker with TPM+PIN, restrictions on recovery environments, tighter control over external boot media, and stronger physical security measures.
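To check a Windows host against the two mitigations both advisories stress (a pre-boot PIN on the BitLocker OS volume and control over whether WinRE is reachable at all), the following PowerShell audit is an added example, not code from CERT/CC or GIGABYTE. It assumes the BitLocker module is available, that it runs elevated, and that `reagentc /info` prints its status in English ("Windows RE status: Enabled").

```powershell
# Added audit example (not from the CERT/CC or GIGABYTE advisories). It reports
# whether the OS volume has a pre-boot authentication protector (TPM+PIN etc.)
# and whether WinRE is enabled, then flags the combination the advisory warns
# about: WinRE reachable while the OS volume has no pre-boot secret.
#Requires -RunAsAdministrator
Import-Module BitLocker

function Get-PreBootAuthStatus {
    # Protector types that demand a user secret before Windows starts.
    $preBootTypes = @('TpmPin', 'TpmPinStartupKey', 'TpmStartupKey', 'Password')
    foreach ($vol in Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem') {
        $types = @($vol.KeyProtector | ForEach-Object KeyProtectorType)
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ',')
            HasPreBootAuth   = [bool]($types | Where-Object { $preBootTypes -contains $_ })
        }
    }
}

function Get-WinREStatus {
    # reagentc has no cmdlet equivalent; parse the 'Windows RE status' line.
    # Assumes English output; adjust the pattern for localized systems.
    $line = (& reagentc.exe /info) | Where-Object { $_ -match 'Windows RE status' }
    if ($line -match ':\s*(\w+)') { return $Matches[1] }
    return 'Unknown'
}

$auth  = Get-PreBootAuthStatus
$winre = Get-WinREStatus
$auth | Format-Table -AutoSize
"WinRE status: $winre"

if ($winre -eq 'Enabled' -and ($auth | Where-Object { -not $_.HasPreBootAuth })) {
    Write-Warning ('WinRE is enabled and the OS volume relies on TPM-only or no pre-boot ' +
                   'authentication: a WinRE "Use a device" boot would not be gated by a ' +
                   'UEFI password or a PIN. Consider TPM+PIN and restricting WinRE access.')
}
```

A `ProtectionStatus` of `Off` with `HasPreBootAuth` true still means the volume is unprotected; treat that row as failing too.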