Secure Boot Bypassed: Microsoft Patches One Exploit, Leaves Another Open
Researchers discovered vulnerabilities allowing attackers to circumvent Secure Boot protections.
By Alice Meadow | WASHINGTON D.C. – 2025/06/15 08:14:24
Researchers have discovered two publicly available exploits that fully bypass the protections offered by Secure Boot, an industry-wide security measure designed to ensure devices only load secure operating system images during startup. Microsoft is addressing one exploit while the other remains a potential threat.
As part of its monthly security update, Microsoft patched CVE-2025-3052, a Secure Boot bypass vulnerability affecting over 50 device manufacturers. This vulnerability allows an attacker with physical access to disable Secure Boot on devices from these manufacturers running Linux and then install malware that runs before the operating system. These “evil maid” attacks are precisely what Secure Boot aims to prevent. The vulnerability can also be exploited remotely by attackers who have already gained administrative control, making infections stealthier and more potent.
A Single Point of Failure
The root cause of the vulnerability lies in a critical flaw within a tool used to flash firmware images on motherboards of devices manufactured by DT Research, a maker of rugged mobile devices. This tool has been available on VirusTotal since last year and was digitally signed in 2022, suggesting its availability through other channels since at least then.
Even though intended solely for DT Research devices, the vulnerable module can be executed by most machines running Windows or Linux during boot-up. This is because the module is authenticated by “Microsoft Corporation UEFI CA 2011,” a cryptographic certificate signed by Microsoft and pre-installed on affected machines to ensure compatibility with Linux. The recent Microsoft patch adds cryptographic hashes for 14 variants of the DT Research tool to a block list within the DBX, a database containing revoked or untrusted signed modules.
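To confirm that a machine's DBX actually holds a given set of revocation hashes, the variable can be parsed directly. The following is an added example, not code from Microsoft or the researchers: it walks the UEFI `EFI_SIGNATURE_LIST` structures and reports which expected SHA-256 entries are absent. The digests and `SAMPLE_DBX` are constructed placeholders (the article does not list the 14 hashes), and the helper names are hypothetical; real DBX SHA-256 entries are Authenticode digests of the PE image, not plain file hashes.

```python
import struct
import uuid

EFI_CERT_SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")  # UEFI spec
EFI_CERT_X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")    # UEFI spec
# Linux efivarfs exposes dbx here; the first 4 bytes of the file are attributes.
DBX_PATH = "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"


def parse_dbx_sha256(blob):
    """Return the SHA-256 digests (hex) held in a chain of EFI_SIGNATURE_LISTs."""
    digests, off = set(), 0
    while off < len(blob):
        if off + 28 > len(blob):
            raise ValueError(f"truncated list header at offset {off}")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(blob):
            raise ValueError(f"corrupt list size at offset {off}")
        if sig_type == EFI_CERT_SHA256:
            if sig_size != 48:  # 16-byte owner GUID + 32-byte digest
                raise ValueError(f"bad SHA-256 entry size {sig_size}")
            for pos in range(off + 28 + hdr_size, off + list_size - 47, 48):
                digests.add(blob[pos + 16:pos + 48].hex())
        off += list_size  # lists of other types (e.g. X.509) are skipped whole
    return digests


def missing_revocations(blob, wanted):
    """Digests from `wanted` that the dbx contents do not yet contain."""
    present = parse_dbx_sha256(blob)
    return sorted(h.lower() for h in wanted if h.lower() not in present)


def make_list(sig_type, entries):
    """Build one EFI_SIGNATURE_LIST (used only for the constructed sample)."""
    body = b"".join(bytes(16) + e for e in entries)  # all-zero owner GUID
    sizes = struct.pack("<III", 28 + len(body), 0, 16 + len(entries[0]))
    return sig_type.bytes_le + sizes + body


# Constructed sample, not real revocation data: one X.509 list, one SHA-256 list.
REVOKED_A, REVOKED_B = bytes([0xAA]) * 32, bytes([0xBB]) * 32
SAMPLE_DBX = (make_list(EFI_CERT_X509, [b"\x30\x82" + bytes(30)])
              + make_list(EFI_CERT_SHA256, [REVOKED_A, REVOKED_B]))

if __name__ == "__main__":
    # On a real Linux host: blob = open(DBX_PATH, "rb").read()[4:]
    print(missing_revocations(SAMPLE_DBX, ["aa" * 32, "CC" * 32]))
```

An empty result means every expected digest is already revoked on that machine; any digest returned indicates the DBX update has not been applied or did not include it.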
Understanding Secure Boot
