
Four high-severity vulnerabilities in the System Management Mode (SMM) components of the UEFI firmware used on Gigabyte motherboards could let an attacker who already holds administrative access gain code execution in SMM (often called "ring -2", below the hypervisor and the OS kernel) and install firmware implants that persist across reboots and OS reinstalls.
Although firmware vendor AMI had already fixed these flaws upstream, the vulnerable code resurfaced in Gigabyte's firmware builds; the issues were publicly disclosed in July 2025.
The issues were discovered by the Binarly REsearch team and coordinated with CERT/CC, which published an advisory late last week. The vulnerabilities are present in Gigabyte devices using the AMI firmware stack, specifically within the OverClockSmiHandler module in SMM code.
- CVE-2025-7029 – Memory corruption via unchecked use of the RBX register: the SMI handler derives pointers to OcHeader and OcData from RBX without validating them, giving the caller arbitrary writes into SMRAM.
- CVE-2025-7028 – Function pointer overwrite via RBX and RCX manipulation: the attacker controls FuncBlock, a structure holding the function pointers used for flash operations such as ReadFlash, WriteFlash, and EraseFlash.
- CVE-2025-7027 – Double pointer dereference via an attacker-controlled NVRAM variable and RBX: a pointer read from unvalidated data is itself dereferenced, allowing arbitrary memory writes that can precisely target SMRAM.
- CVE-2025-7026 – Unchecked pointer use in the CommandRcx0 function: another SMRAM write primitive, with the write location fully controlled through RBX.
Each vulnerability is a separate path to subverting firmware protections and installing malicious code that persists across reboots and OS reinstalls, and survives even a replacement of the system's drives, because the implant lives in the board's SPI flash rather than on disk. The flaws are exploitable by attackers with administrative (kernel-level) access, whether obtained locally or remotely, and the vulnerable handlers can be reached during boot, sleep-state transitions, or system recovery, often before the OS loads.
In each case, attacker-controlled input from CPU registers (RBX, RCX) in the saved CPU state is used by an SMI handler without proper validation, so the handler can be made to write to SMRAM through predictable pointer arithmetic or to overwrite its internal flash-operation structures. That could give attackers the ability to bypass UEFI-level protections such as Secure Boot and Intel Boot Guard and to install stealthy firmware implants that OS-level tools cannot see.
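The bug class described above, and the check that closes it, reduced to a runnable model. This is an added illustration, not Gigabyte's or AMI's code: "physical memory" is a flat array, SMRAM is a sub-range of it, the OcHeader layout and the SMRAM bounds are assumptions made for the example, and the nested `data_ptr` field models the double-dereference case. The vulnerable handler trusts RBX and then trusts the pointer it reads through RBX; the hardened handler rejects any buffer that overlaps SMRAM, wraps around, or leaves memory, and copies the header into SMRAM-local storage before acting on it so the OS cannot change it between the check and the use.

```c
/* Model of the SMI-handler bug class described above. Added illustration,
 * not Gigabyte or AMI code: physical memory is a flat array, SMRAM is a
 * sub-range of it, and "pointers" are offsets into the array. The struct
 * layout and the SMRAM bounds are assumptions made for the example. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PHYS_SIZE  0x10000u
#define SMRAM_BASE 0x8000u
#define SMRAM_SIZE 0x4000u              /* SMRAM occupies [0x8000, 0xC000) */
#define OC_STATUS  0x4F434B21u          /* status word the handler writes back */

static uint8_t phys[PHYS_SIZE];        /* simulated physical memory */

/* Hypothetical command block the OS hands the handler through RBX. */
typedef struct {
    uint32_t magic;
    uint32_t data_ptr;   /* nested pointer: the "double dereference" case */
    uint32_t data_len;
} OcHeader;

typedef struct { uint64_t rbx, rcx; } SaveState;   /* registers the SMI handler reads */

/* Accessors on simulated memory (memcpy avoids alignment/aliasing issues). */
static void mem_write(uint64_t addr, const void *src, size_t n) { memcpy(phys + addr, src, n); }
static void mem_read(uint64_t addr, void *dst, size_t n)        { memcpy(dst, phys + addr, n); }

void reset_memory(void) { memset(phys, 0, sizeof phys); }

/* Sum of SMRAM bytes: any change means a handler wrote into SMRAM. */
uint32_t smram_checksum(void)
{
    uint32_t sum = 0;
    for (size_t i = 0; i < SMRAM_SIZE; i++) sum += phys[SMRAM_BASE + i];
    return sum;
}

/* True only if [addr, addr+len) does not wrap, lies inside simulated memory
 * and does not overlap SMRAM. Same purpose as EDK2's SmmIsBufferOutsideSmmValid(). */
bool buffer_outside_smram(uint64_t addr, uint64_t len)
{
    if (len == 0 || addr > UINT64_MAX - len) return false;
    uint64_t end = addr + len;
    if (end > PHYS_SIZE) return false;
    return end <= SMRAM_BASE || addr >= SMRAM_BASE + SMRAM_SIZE;
}

/* VULNERABLE pattern: RBX is used as a pointer with no range check, and the
 * pointer read out of that header is trusted as well (two write primitives). */
int vuln_smi_handler(const SaveState *st)
{
    OcHeader hdr;
    mem_read(st->rbx, &hdr, sizeof hdr);
    uint32_t status = OC_STATUS;
    mem_write(st->rbx, &status, sizeof status);        /* write #1: wherever RBX points */
    memset(phys + hdr.data_ptr, 0x41, hdr.data_len);   /* write #2: wherever data_ptr points */
    return 0;
}

/* HARDENED pattern: check the outer buffer, snapshot it into SMRAM-local
 * storage before acting on it, then check the nested pointer and length too. */
int safe_smi_handler(const SaveState *st)
{
    if (!buffer_outside_smram(st->rbx, sizeof(OcHeader))) return -1;
    OcHeader hdr;                       /* local copy: the OS cannot change it underneath us */
    mem_read(st->rbx, &hdr, sizeof hdr);
    if (!buffer_outside_smram(hdr.data_ptr, hdr.data_len)) return -2;
    uint32_t status = OC_STATUS;
    mem_write(st->rbx, &status, sizeof status);
    memset(phys + hdr.data_ptr, 0x41, hdr.data_len);
    return 0;
}

/* Attacker scenario (constructed): header lives in OS memory, but its
 * data_ptr aims into SMRAM. Returns the handler's result code. */
int run_double_deref_attack(int (*handler)(const SaveState *))
{
    reset_memory();
    OcHeader hdr = { 0x12345678u, SMRAM_BASE + 0x100u, 0x10u };
    mem_write(0x1000u, &hdr, sizeof hdr);              /* OS-side buffer, outside SMRAM */
    SaveState st = { .rbx = 0x1000u, .rcx = 0 };
    return handler(&st);
}

int main(void)
{
    int rc = run_double_deref_attack(vuln_smi_handler);
    printf("vulnerable: rc=%d, SMRAM checksum=%u (corrupted)\n", rc, smram_checksum());
    rc = run_double_deref_attack(safe_smi_handler);
    printf("hardened:   rc=%d, SMRAM checksum=%u (untouched)\n", rc, smram_checksum());
    return 0;
}
```

Two details carry the whole fix: the range check must reject wrap-around and straddling as well as buffers wholly inside SMRAM, and the nested pointer has to be re-checked after the header has been copied into SMRAM, because a check on a buffer the OS still owns can be invalidated by the OS the moment the handler looks away.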
The four vulnerabilities affect up to 240 Gigabyte motherboard models to varying degrees, many of them Intel 100-series boards such as the H110, B150, and X150/X170 series. These include popular consumer, gaming, and SMB-class boards.
These devices run firmware provided by AMI but customized and integrated by Gigabyte. According to CERT/CC, the same vulnerable code had already been patched upstream by AMI but was reintroduced in Gigabyte's downstream builds, most likely through a regression in the vendor's build and integration process, a firmware supply-chain failure.
At the time of writing it is unclear whether Gigabyte has released fixes for the listed flaws, and for which models, as the hardware vendor has not yet published a bulletin on its security center. Applying the latest firmware update available for your motherboard model is still recommended. The attacks are not easy to carry out: they require advanced knowledge and an attacker who already holds administrative (kernel-level) access to the machine, so the risk to consumers is low. For critical infrastructure environments, potentially vulnerable systems should be restricted and monitored until fixed firmware is available.