New UEFI Secure Boot Bypass Vulnerability Exposes Systems to Malicious Bootkits
A newly discovered vulnerability, CVE-2024-7344, has been identified as a critical flaw in the UEFI Secure Boot mechanism, potentially impacting the majority of UEFI-based systems.
This vulnerability, uncovered by researchers at ESET, allows attackers to bypass Secure Boot protections and execute untrusted code during the boot process, enabling the deployment of malicious UEFI bootkits like Bootkitty and BlackLotus. Alarmingly, this vulnerability affects systems even with Secure Boot enabled.
The flaw resides in a UEFI application signed with Microsoft’s “Microsoft Corporation UEFI CA 2011” third-party certificate. The vulnerability stems from the use of a custom PE loader instead of the standard and secure UEFI functions LoadImage and StartImage.
This oversight permits the loading of unsigned binaries from a specially crafted file named cloak.dat during system startup, bypassing Secure Boot integrity checks entirely.
Affected Software and Vendors
The vulnerable UEFI application is integrated into several real-time system recovery software suites developed by multiple vendors, including Howyar Technologies Inc., Greenware Technologies, Radix Technologies Ltd., SANFONG Inc., Wasay Software Technology Inc., Computer Education System Inc., and Signal Computer GmbH. The affected products include:
- Howyar SysReturn (versions before 10.2.023_20240919)
- Greenware GreenGuard (versions before 10.2.023-20240927)
- Radix SmartRecovery (versions before 11.2.023-20240927)
- Sanfong EZ-back System (versions before 10.3.024-20241127)
- WASAY eRecoveryRX (versions before 8.4.022-20241127)
- CES NeoImpact (versions before 10.1.024-20241127)
- SignalComputer HDD King (versions before 10.3.021-20241127)
“Exploitation of CVE-2024-7344 enables attackers to replace legitimate bootloader binaries with malicious ones on the EFI System Partition (ESP),” reads the ESET report.
This allows unsigned code to execute during the early boot phase, granting attackers persistent access to the system while evading detection by operating system-level security tools such as endpoint detection and response (EDR) solutions.
Elevated privileges, such as local administrator rights on Windows or root access on Linux, are required to deploy malicious files to the ESP.
ESET reported the vulnerability to the CERT Coordination Center (CERT/CC) in June 2024, leading to coordinated efforts with affected vendors to address the issue. Microsoft revoked vulnerable binaries as part of its January 14, 2025 Patch Tuesday update.
Users are advised to update their systems promptly by applying the latest UEFI revocations provided by Microsoft or their respective operating system vendors.
For Windows users, updates should be automatically applied through Windows Update. Linux users can obtain updates via the Linux Vendor Firmware Service.
This incident highlights broader concerns about third-party UEFI software security practices and Microsoft’s code-signing process for UEFI applications.
The discovery of such an “obviously unsafe” signed binary raises questions about how many other vulnerable bootloaders might exist undetected in third-party software.
ESET researchers have called for greater transparency in Microsoft’s review process for signing third-party UEFI applications to prevent similar vulnerabilities in the future.
To protect against potential exploitation:
- Apply all available updates for affected recovery software.
- Ensure that your system’s Secure Boot Forbidden Signature Database (DBX) is up-to-date.
- Regularly audit UEFI configurations for unauthorized changes.
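The DBX recommendation above is only useful if you can actually inspect what your firmware holds. The following Python script is an added example, not code from ESET or from the article: it parses the EFI_SIGNATURE_LIST structures that make up the DBX (the layout is defined in the UEFI specification), reports how many SHA-256 revocation entries are present, checks whether a given Authenticode hash is revoked, and inventories an ESP for .efi binaries and for the cloak.dat file name the article describes. On Linux it reads the DBX from the standard efivars path (the first four bytes of an efivars file are variable attributes and are stripped); elsewhere it falls back to an embedded sample list. The revocation hashes in the sample are constructed placeholders, not the hashes Microsoft actually published, and the flat file hashes in the ESP inventory are for baselining only, since DBX entries are Authenticode hashes of the PE image rather than plain file digests.

```python
"""Inspect a UEFI Secure Boot DBX and inventory an ESP (added example)."""
import hashlib
import os
import struct
import uuid

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# Linux exposes the variable here; the first 4 bytes are EFI variable attributes.
DBX_EFIVAR = "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"

# File name used by the vulnerable loader according to the article.
SUSPICIOUS_NAMES = {"cloak.dat"}


def parse_signature_lists(blob):
    """Return [(type_guid, owner_guid, data)] for every EFI_SIGNATURE_DATA entry
    in a concatenation of EFI_SIGNATURE_LIST structures.

    Layout per list: SignatureType (16) | SignatureListSize (4) |
    SignatureHeaderSize (4) | SignatureSize (4) | header | signatures...
    Each signature is SignatureOwner (16) followed by the signature bytes
    (a 32-byte digest for SHA-256 lists, a DER certificate for X.509 lists).
    """
    entries, off = [], 0
    while off + 28 <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or sig_size < 16 or off + list_size > len(blob):
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        body = blob[off + 28 + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature array is not a multiple of SignatureSize")
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            entries.append((sig_type, owner, body[i + 16:i + sig_size]))
        off += list_size
    if off != len(blob):
        raise ValueError("trailing bytes after the last signature list")
    return entries


def revoked_sha256_hashes(dbx_blob):
    """Set of hex Authenticode SHA-256 digests that the DBX forbids."""
    return {data.hex() for t, _, data in parse_signature_lists(dbx_blob)
            if t == EFI_CERT_SHA256_GUID}


def is_revoked(dbx_blob, authenticode_sha256_hex):
    return authenticode_sha256_hex.lower() in revoked_sha256_hashes(dbx_blob)


def read_dbx_from_efivars(path=DBX_EFIVAR):
    with open(path, "rb") as f:
        return f.read()[4:]  # drop the 4-byte attribute prefix


def build_sha256_list(hex_hashes, owner=uuid.UUID(int=0)):
    """Encode digests as one EFI_CERT_SHA256 signature list (sample-data builder)."""
    body = b"".join(owner.bytes_le + bytes.fromhex(h) for h in hex_hashes)
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", 28 + len(body), 0, 48)
    return header + body


def audit_esp_entries(entries):
    """entries: iterable of (relative_path, file_bytes). Flags suspicious file
    names and records a flat SHA-256 of each .efi binary for baseline diffing."""
    report = {"efi_binaries": {}, "suspicious": []}
    for path, data in entries:
        name = os.path.basename(path).lower()
        if name in SUSPICIOUS_NAMES:
            report["suspicious"].append(path)
        if name.endswith(".efi"):
            report["efi_binaries"][path] = hashlib.sha256(data).hexdigest()
    return report


def walk_esp(mount_point):
    """Yield (relative_path, bytes) for every file under a mounted ESP."""
    for root, _, files in os.walk(mount_point):
        for fn in files:
            full = os.path.join(root, fn)
            with open(full, "rb") as f:
                yield os.path.relpath(full, mount_point), f.read()


# Constructed placeholders: NOT real revocation hashes.
SAMPLE_REVOKED = ["11" * 32, "22" * 32]
SAMPLE_DBX = build_sha256_list(SAMPLE_REVOKED)

if __name__ == "__main__":
    blob = SAMPLE_DBX
    try:
        blob = read_dbx_from_efivars()
    except OSError:
        print("efivars DBX not readable; using embedded sample list")
    print("DBX holds %d SHA-256 revocation entries" % len(revoked_sha256_hashes(blob)))
    print("placeholder hash revoked:", is_revoked(blob, SAMPLE_REVOKED[0]))
    # Example: audit_esp_entries(walk_esp("/boot/efi")) on a mounted ESP.
```

Run it as root on a Linux host with `/sys/firmware/efi/efivars` mounted to see the live DBX entry count after the January 2025 revocation update; comparing the count and contents against a known-good baseline is a quick way to confirm the update was applied. To check a specific binary, feed its Authenticode SHA-256 (as printed by tools such as `sbverify` or `pesign`) to `is_revoked`.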
While no real-world exploitation attempts have been detected so far, experts warn that vulnerabilities like CVE-2024-7344 could be weaponized by sophisticated threat actors if left unpatched.
This discovery underscores the importance of robust firmware security practices and timely patch management in safeguarding critical systems against emerging threats.