
UEFI Flaw Enables Early-Boot DMA Attacks on Multiple Motherboard Vendors

2 unique sources, 2 articles

Summary


A security vulnerability in UEFI implementations on motherboards from ASRock, ASUS, GIGABYTE, and MSI allows early-boot DMA attacks. The flaw, discovered by researchers at Riot Games, stems from a discrepancy in the reported DMA protection status: the firmware indicates that DMA protection is active but fails to enable the IOMMU during the boot phase. This gap allows an attacker with physical access to use a malicious PCIe device to read or modify system memory before the operating system's security features are established. The vulnerabilities, tracked as CVE-2025-14304, CVE-2025-11901, CVE-2025-14302, and CVE-2025-14303, affect various chipset series from the named vendors. Successful exploitation could enable pre-boot code injection and access to sensitive data. Vendors have released firmware updates to address the issue, and users are advised to apply these updates promptly. The vulnerability was discovered by Riot Games researchers Nick Peterson and Mohamed Al-Sharifi, who worked with CERT Taiwan to coordinate a response. On vulnerable systems, some Riot Games titles, such as Valorant, will not launch because the Vanguard anti-cheat system blocks the game to ensure system integrity.

Timeline

  1. 19.12.2025 10:25 2 articles · 9h ago

    UEFI Flaw Enables Early-Boot DMA Attacks on Multiple Motherboard Vendors




Similar Happenings

Critical ASUS Live Update Flaw Added to CISA KEV Catalog

CISA has added a critical flaw in ASUS Live Update (CVE-2025-59374, CVSS 9.3) to its KEV catalog due to active exploitation. The vulnerability stems from a supply chain compromise that allowed unauthorized modifications in certain versions, enabling attackers to perform unintended actions. The flaw is linked to the 2019 Operation ShadowHammer campaign by the APT41 group, which targeted around 600 specific devices. The attack was uncovered in January 2019, and ASUS released a patch by March of the same year. ASUS Live Update reached end-of-support on December 4, 2025, and CISA urges FCEB agencies to discontinue its use by January 7, 2026.

RMPocalypse Vulnerability in AMD Secure Encrypted Virtualization

Academic researchers from ETH Zurich discovered a vulnerability in AMD processors that affects the integrity of confidential computing. The flaw, named RMPocalypse, allows a malicious hypervisor to corrupt the Reverse Map Table (RMP) during initialization, compromising the security guarantees of AMD's Secure Encrypted Virtualization – Secure Nested Paging (SEV-SNP). The vulnerability, tracked as CVE-2025-0033, impacts multiple AMD EPYC and EPYC Embedded series processors. AMD has released patches to OEMs, and Microsoft is working on updates for Azure Confidential Computing's AMD-based clusters. Supermicro has also acknowledged the vulnerability and will require BIOS updates for impacted motherboard SKUs. The RMPocalypse exploit enables attackers to break confidentiality and integrity guarantees of SEV-SNP, potentially allowing for debug access, fake attestation, VMSA state replay, and code injection. The exploit can be triggered by a single 8-byte write to the RMP, resulting in a full breach of confidentiality and integrity guarantees of SEV-SNP.

Battering RAM Attack Bypasses Intel and AMD Cloud Security Protections

A group of academics from KU Leuven and the University of Birmingham has demonstrated a new vulnerability called Battering RAM. This vulnerability bypasses the latest defenses on Intel and AMD cloud processors, compromising Intel's Software Guard Extensions (SGX) and AMD's Secure Encrypted Virtualization with Secure Nested Paging (SEV-SNP). The attack leverages a custom-built, low-cost DDR4 interposer to stealthily redirect physical addresses and gain unauthorized access to protected memory regions. The vulnerability affects systems using DDR4 memory, particularly those running confidential computing workloads in public cloud environments. Successful exploitation can allow a rogue cloud infrastructure provider or an insider with limited physical access to compromise remote attestation and insert arbitrary backdoors into protected workloads. The vulnerability was reported to the vendors earlier this year, but defending against Battering RAM would require a fundamental redesign of memory encryption itself. The attack is an evolution of the previous BadRAM attack, which exploited physical address aliasing to modify and replay encrypted memory on AMD SEV-SNP systems. Battering RAM introduces dynamic memory aliases at runtime, allowing it to bypass Intel's and AMD's mitigations for BadRAM. Researchers from the Georgia Institute of Technology and Purdue University have demonstrated a new attack called WireTap that also bypasses Intel's SGX security guarantees. WireTap uses a DDR4 memory-bus interposer to passively decrypt sensitive data, exploiting Intel's deterministic encryption. The WireTap attack can extract an SGX secret attestation key, allowing an attacker to sign arbitrary SGX enclave reports. WireTap and Battering RAM are complementary, targeting confidentiality and integrity respectively. WireTap can be used to undermine confidentiality and integrity guarantees in SGX-backed blockchain deployments. Intel and AMD have acknowledged the exploits but consider physical attacks on DRAM out of scope for their current products. The cryptographic integrity protection mode of Intel Total Memory Encryption-Multi-Key (Intel TME-MK) can provide additional protection against alias-based attacks. The researchers' exploits demonstrate that confidential computing is not invincible, and defenders should reevaluate their threat models to better understand and prepare for physical attacks.

UNC5174 Exploits VMware Zero-Day Privilege Escalation Since October 2024

A China-linked threat actor, UNC5174, has been exploiting a zero-day privilege escalation vulnerability in VMware products since mid-October 2024. The flaw, CVE-2025-41244, affects multiple VMware products and allows local attackers to escalate privileges to root on affected virtual machines. The vulnerability was discovered in May 2025 and patched in VMware Tools 12.4.9 and later versions. The flaw is rooted in the get_version() function, which can be exploited by placing a malicious binary in a writable directory. UNC5174 has been observed using this method to gain elevated access and execute code on compromised systems. The exact payload and nature of the attacks remain unclear. Broadcom has confirmed the patch for the vulnerability in VMware Aria Operations and VMware Tools. NVISO released a proof-of-concept exploit demonstrating privilege escalation on vulnerable VMware software. UNC5174 has been linked to previous attacks on U.S. defense contractors, UK government entities, Asian institutions, and the cybersecurity firm SentinelOne, exploiting vulnerabilities such as F5 BIG-IP CVE-2023-46747 and a ConnectWise ScreenConnect flaw. Exploitation of CVE-2025-41244 is considered trivial, so multiple malware strains could potentially adopt it. NVISO identified the vulnerability in mid-May 2025 during an incident response engagement involving UNC5174. Broadcom disclosed three vulnerabilities on September 29, 2025, including CVE-2025-41244. The CVSS severity rating for CVE-2025-41244 is 7.8, classified as high. On October 31, 2025, CISA added CVE-2025-41244 to its Known Exploited Vulnerabilities catalog. FCEB agencies have until November 20, 2025, to patch their systems. CISA urged all organizations to prioritize patching this vulnerability.

VMScape attack breaks guest-host isolation on AMD, Intel CPUs

A new speculative execution attack named VMScape allows malicious virtual machines (VMs) to leak cryptographic keys from an unmodified QEMU hypervisor process running on modern AMD or Intel CPUs. The attack bypasses existing Spectre mitigations and threatens to leak sensitive data by leveraging speculative execution. It affects all AMD Zen 1 to Zen 5 processors and Intel’s Coffee Lake CPUs, but not Raptor Cove or Gracemont. The attack does not require compromising the host and works on unmodified virtualization software with default mitigations enabled on the hardware. The VMScape attack targets QEMU, the user-mode hypervisor component, by influencing indirect branch prediction in a host user process due to shared Branch Prediction Unit (BPU) structures. The attack uses a Spectre-BTI (Branch Target Injection) technique to misguide a target indirect branch in QEMU, enabling the leakage of secret data. The ETH Zurich research team reported the findings to AMD and Intel, who have released patches and security bulletins. Linux kernel developers have also released patches to mitigate the issue.