Successful exploitation of this flaw enables attackers to run untrusted code early in the boot process before the operating system loads allowing for persistent access to the system. This could lead to the installation of UEFI bootkits which could survive reboots and even OS reinstallation, evading detection by conventional OS-based security tools like endpoint detection and response (EDR) systems. The vulnerability is particularly concerning because malicious actors could exploit it with elevated privileges (administrator on Windows, root on Linux) to deploy malicious files to the EFI system partition, where the vulnerable binaries reside.

Researchers responsible for the discovery responsibly disclosed the vulnerability to the CERT Coordination Center (CERT/CC) in June 2024. Following this, affected vendors released patches for their products, and Microsoft revoked the old, vulnerable binaries on January 14, 2025, as part of its Patch Tuesday update. Despite the timely patching of the vulnerability, the incident highlights broader concerns about the use of insecure signed UEFI binaries by third-party software vendors raising questions about how widespread these unsafe practices may be across the industry.

The vulnerability underscores the importance of ongoing vigilance in securing UEFI systems, particularly given the increasing number of vulnerabilities in the UEFI ecosystem in recent years. While Secure Boot is a critical layer of defense against boot-time malware, this vulnerability illustrates that even trusted software signed by established entities can still pose significant risks.

To further protect against such threats, security measures like managing access to the EFI system partition using Secure Boot customization, and utilizing remote attestation with a Trusted Platform Module (TPM) should be considered. The case serves as a reminder that even fundamental security features like Secure Boot are not impervious to sophisticated exploits.

Impact

• Gain Access
• Security Bypass

Indicators of Compromise

CVE

• CVE-2024-7344

Remediation

• Ensure that Microsoft’s Patch Tuesday update from January 14, 2025, is applied to revoke the vulnerable binaries signed by the "Microsoft Corporation UEFI CA 2011" certificate.
• Update UEFI applications from affected vendors (e.g., Howyar, Greenware, Radix, and others) to the patched versions released after the vulnerability was disclosed.
• Limit access to the EFI system partition to prevent unauthorized modifications, particularly by restricting write permissions to trusted administrators only (Windows: local admin, Linux: root).
• Review and configure Secure Boot settings to limit the types of UEFI binaries that can be loaded, reducing the risk of malicious code execution.
• Use remote attestation with a Trusted Platform Module (TPM) to verify the integrity of UEFI firmware and prevent unauthorized changes.
• Continuously monitor UEFI firmware for any unauthorized changes and perform regular security audits to detect potential exploits before they can cause damage.
• Raise awareness among third-party UEFI software vendors about safe signing practices and the risks associated with insecure UEFI loaders.