New UEFI Flaw Enables Early-Boot DMA Attacks on ASRock, ASUS, GIGABYTE, MSI Motherboards

 


In late 2025, security researchers disclosed a serious vulnerability in the Unified Extensible Firmware Interface (UEFI) implementations of many popular motherboards produced by major manufacturers — ASRock, ASUS, GIGABYTE, and MSI. This flaw breaks a fundamental layer of platform security by allowing malicious peripherals to conduct Direct Memory Access (DMA) attacks before the operating system’s defenses are in place. Worse, the systems may appear protected while in reality they are not — creating a silent and dangerous attack surface. (Source: The Hacker News)


Understanding the Context: What Is UEFI and Why It Matters

UEFI is a modern firmware standard that replaces legacy BIOS on most PCs. Its core responsibilities include:

  • Initiating hardware and CPU subsystems during boot

  • Loading and validating the operating system loader

  • Enforcing platform security features such as Secure Boot and DMA protections

Unlike traditional BIOS, UEFI provides extensive configurable security features such as Input-Output Memory Management Unit (IOMMU)-based protections. These are meant to prevent rogue hardware from bypassing CPU-mediated safeguards by accessing system memory directly. However, as the recent research reveals, when such protections aren’t initialized early enough, an attacker with physical access can exploit the gap. (Source: ESET)


Technical Breakdown: How the Flaw Works

At the core of this vulnerability lies a mismatch between what the firmware reports and what is actually enforced during the early stages of the boot sequence.

DMA and the Threat Model

Direct Memory Access (DMA) is a hardware feature that allows certain devices (e.g., PCIe cards like high-speed NICs, accelerators, or Thunderbolt peripherals) to read and write to system memory without involving the CPU. When properly controlled by an IOMMU, DMA can be safe: the IOMMU acts as a “memory firewall” that restricts a device’s access to only permitted memory regions.

However, if the IOMMU is not configured before a device is given bus access, that device effectively has unrestricted memory privileges. That’s exactly what this flaw enables. (Source: BleepingComputer)

The Root Cause: Improper IOMMU Initialization

In affected systems:

  • The firmware may indicate that Pre-Boot DMA Protection is enabled in BIOS/UEFI settings.

  • Yet during the critical early boot window, the IOMMU isn’t actually configured.

  • This creates a silent blind spot — the system believes it is secure, but protections are not yet active.

  • A malicious device plugged into a PCIe slot can then leverage this gap to read or modify system memory before the operating system and its security controls are fully active.

In security parlance, this is classified as a Protection Mechanism Failure — where the intended protection is not actually enforced when most needed. (Source: GIGABYTE)


CVE Identifiers and Affected Platforms

The vulnerability has been catalogued with multiple Common Vulnerabilities and Exposures (CVE) identifiers, one per vendor, because of differences in firmware implementations:

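| Vendor   | CVE Identifier | Affected Chipsets                                            |
|----------|----------------|--------------------------------------------------------------|
| ASRock   | CVE-2025-14304 | Intel 500/600/700/800 series                                 |
| ASUS     | CVE-2025-11901 | Broad range of Intel Z/W/B/H series                          |
| GIGABYTE | CVE-2025-14302 | Intel 600/700/800 series and AMD X870/B850/X670/B650 series  |
| MSI      | CVE-2025-14303 | Intel 600 & 700 series                                       |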

Each of these vulnerabilities received a CVSS score of 7.0 (High), reflecting significant risk if exploited.
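
For fleet triage, the table above can be turned into a scope check over each machine's DMI board strings. This is an added example, not code from the vendors or researchers: the vendor substrings and the chipset-in-board-name heuristic are assumptions, and an in_scope result means the board falls in a listed family and its BIOS version should be compared against the vendor advisory, not that the installed firmware is confirmed vulnerable.

```python
import re

# Scope transcribed from the CVE table above:
# vendor -> (CVE, listed Intel series, listed AMD chipsets).
# None means the table gives no series list (ASUS: "broad range of Intel Z/W/B/H").
SCOPE = {
    "asrock":   ("CVE-2025-14304", {500, 600, 700, 800}, set()),
    "asus":     ("CVE-2025-11901", None, set()),
    "gigabyte": ("CVE-2025-14302", {600, 700, 800}, {"X870", "B850", "X670", "B650"}),
    "msi":      ("CVE-2025-14303", {600, 700}, set()),
}
# Assumption: substrings commonly seen in the DMI board_vendor string.
VENDOR_HINTS = {"asrock": "asrock", "asus": "asus", "gigabyte": "gigabyte",
                "micro-star": "msi", "msi": "msi"}
# Assumption: the board name embeds the chipset code ("Z790-E", "B650M", "X870E").
CHIPSET_RE = re.compile(r"(?<![A-Z0-9])([ABHQWXZ]\d{3})(?!\d)", re.I)


def classify(board_vendor, board_name):
    """Return (status, cve); status is in_scope, not_listed or unknown_chipset."""
    low = board_vendor.lower()
    vendor = next((v for hint, v in VENDOR_HINTS.items() if hint in low), None)
    if vendor is None:
        return ("not_listed", None)
    cve, intel_series, amd_codes = SCOPE[vendor]
    match = CHIPSET_RE.search(board_name)
    if match is None:
        return ("unknown_chipset", cve)  # needs a manual look; not proof of safety
    code = match.group(1).upper()
    if code in amd_codes:
        return ("in_scope", cve)
    # Heuristic for Intel naming: Z/H/W/Q codes, or B codes with tens digit 6.
    is_intel = code[0] in "ZHWQ" or (code[0] == "B" and code[2] == "6")
    if is_intel and intel_series is None:
        return ("in_scope" if code[0] in "ZWBH" else "not_listed", cve)
    if is_intel and int(code[1]) * 100 in intel_series:
        return ("in_scope", cve)
    return ("not_listed", cve)


def read_dmi(field, root="/sys/class/dmi/id"):
    """Read one DMI field on Linux, e.g. board_vendor, board_name, bios_version."""
    with open(f"{root}/{field}") as fh:
        return fh.read().strip()


if __name__ == "__main__":
    vendor, name = read_dmi("board_vendor"), read_dmi("board_name")
    print(vendor, name, read_dmi("bios_version"), *classify(vendor, name))
```

Run directly on a Linux host it classifies the local board; `classify` can also be fed vendor and board-name pairs exported from an asset inventory.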


Potential Risks and Exploit Scenarios

The most important thing to understand is that this vulnerability only affects the boot process before the operating system loads. This has broad implications:

1. Early-Boot Code Injection

Without IOMMU protections active, a malicious DMA-capable card could inject code into system memory before any OS-level defenses are present. Once the OS boots, that injected code could:

  • Compromise boot integrity

  • Modify kernel code

  • Hide itself from detection

  • Survive reboots, reinstalls, and even some firmware updates

This is akin to firmware-level persistence, which is extremely difficult to detect and mitigate. (Source: Reddit)

2. Bypass of Anti-Cheat and Security Software

Riot Games — the company behind titles like Valorant — publicly disclosed that their security researchers identified this flaw in the context of hardware cheat detection. Because cheating tools sometimes leverage DMA to hide below the OS, faulty IOMMU initialization could allow advanced cheats to embed unnoticed. This led Riot’s anti-cheat system, Vanguard, to block launching games on systems with unpatched firmware until the BIOS is updated. (Source: The Verge)

3. Deep Firmware Compromise

A sophisticated adversary with physical access — for example at a datacenter, enterprise lab, or even a conference environment — could use a malicious PCIe adapter to install advanced low-level malware that survives OS reinstallations. Once code is in memory before OS boot, rootkit-level persistence becomes possible.


Mitigations and What Vendors Are Doing

All affected vendors have responded with firmware updates:

  • BIOS/UEFI updates that correctly configure and enable the IOMMU earlier in the boot process

  • Updated descriptions of security settings like Pre-Boot DMA Protection

  • Explicit guidance to users to update their firmware

GIGABYTE, for instance, has published a detailed advisory and BIOS update schedule covering affected Intel and AMD platforms, and strongly recommends updating to the latest BIOS versions to ensure proper IOMMU initialization. (Source: GIGABYTE)

User Recommendations

If your system uses a motherboard from ASRock, ASUS, GIGABYTE, or MSI:

  1. Immediately check for a BIOS/UEFI update.

    • Go to your motherboard vendor’s official support page.

    • Identify the latest BIOS version with security updates.

  2. Enable all relevant security features in UEFI.

    • This includes Secure Boot, IOMMU, and Pre-Boot DMA Protection.

  3. Apply firmware updates carefully.

    • Follow your motherboard manual.

    • Back up important data before updates.

  4. Physical security matters.

    • Since this attack requires physical access, ensure unauthorized personnel cannot access your machine’s internals.


Why This Matters for Security at Large

This flaw is a stark reminder that firmware remains a frontier of vulnerability in modern PCs:

  • UEFI is increasingly targeted by sophisticated attackers, including those delivering bootkits like BlackLotus, MoonBounce, and others that exploit firmware weaknesses. (Source: Wikipedia)

  • Hardware-level protections are only as strong as their implementation. Misconfigurations at firmware level can nullify protections like IOMMU and DMA restrictions.

Modern systems rely on a chain of trust from firmware → boot loader → OS → applications. A gap early in that chain undermines every subsequent layer of protection.


The Broader Security Landscape

This incident is not isolated. Over recent years, firmware vulnerabilities have emerged regularly:

  • ESET researchers found Secure Boot bypass vulnerabilities in early 2025 affecting a wide range of UEFI systems. (Source: ESET)

  • Historical UEFI bootkits have demonstrated that low-level attacks are feasible and extremely stealthy.

These events underline the importance of continuous firmware security audits, coordinated vulnerability disclosures, and rapid patch deployment.


Conclusion: A Critical Wake-Up Call

The discovery of a UEFI firmware flaw that leaves many mainstream motherboards vulnerable to early-boot DMA attacks is more than just a technical footnote — it’s a wake-up call for vendors, system integrators, and end users alike. While the exploitation vector requires physical access, the implications are deep:

  • System integrity and boot security can be undermined silently

  • Trusted hardware mechanisms like IOMMU may not be automatically enforced

  • Comprehensive firmware updates are essential

The fix is available, but awareness and timely updates are critical to protect systems from this foundational vulnerability. Staying up to date, configuring firmware security options, and ensuring physical security remain core pillars of a strong cybersecurity posture.
