Firmware security company Binarly has revealed that GIGABYTE's UEFI firmware contains four critical vulnerabilities that could expose over 240 different motherboard models to undetectable bootkits that cannot be removed by reinstalling. These vulnerabilities, identified as CVE‑2025‑7029 through CVE‑2025‑7026, have a high severity rating of 8.2 on the CVSS scale and are located in System Management Mode, which is activated before the operating system starts. An attacker with administrator privileges, either local or remote, could take advantage of these vulnerabilities to take control of System Management Interrupt handlers and insert malicious code into System Management RAM. Since memory controls the entire boot process, any malicious code remains hidden beneath the operating system and can survive disk wipes and Secure Boot checks, allowing the attacker to maintain control of the system.
All four vulnerabilities stem from American Megatrends reference code that was shared with OEM partners under non‑disclosure agreements earlier this year. While GIGABYTE customizes this base firmware, it did not provide the necessary fixes to end users. Binarly notified CERT/CC on April 15, and GIGABYTE acknowledged receipt on June 12, but a public advisory was not released until Bleeping Computer reporters inquired on Monday. Users are advised to visit GIGABYTE's support page to download and install the updated BIOS versions using the Q-Flash utility, and then re-enable Secure Boot. Devices that GIGABYTE has deemed end of life may not receive a patch. The company states that only Intel-based boards are affected, with AMD boards remaining unaffected. Users can also utilize Binarly's risk Hunt scanner to check for exposure. According to Binarly CEO Alex Matrosov, these vulnerabilities underscore how flaws in inherited reference code can silently spread through the hardware supply chain. GIGABYTE has identified the following Intel-based motherboards as affected: H110, Z170, H170, B150, Q170, Z270, H270, B250, Q270, Z370, B365, Z390, H310, B360, Q370, C246, Z490, H470, H410, W480, Z590, B560, H510, and Q570. At the time of writing, no AMD chipset-based motherboards are affected, making all AMD boards likely immune to this vulnerability.
