CVE-2025-4275

Summary

A vulnerability in the digital signature verification process does not properly validate variable attributes which allows an attacker to bypass signature verification by creating a non-authenticated NVRAM variable. An attacker may to execute arbitrary signed UEFI code and bypass Secure Boot.

Affected Software

VendorProductVersion RangeStatus
Insyde SoftwareInsydeH2OKernel 5.2 < 05.2A.16affected
Insyde SoftwareInsydeH2OKernel 5.3 < 05.39.16affected
Insyde SoftwareInsydeH2OKernel 5.4 < 05.47.16affected
Insyde SoftwareInsydeH2OKernel 5.5 < 05.55.16affected
Insyde SoftwareInsydeH2OKernel 5.6 < 05.62.16affected
Insyde SoftwareInsydeH2OKernel 5.7 < 05.71.16affected

Weaknesses

  • cwe-284: Improper Access Control

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References