CVE-2025-4275

HIGH

UEFI - Code Injection

Title source: llm

Description

A vulnerability in the digital signature verification process does not properly validate variable attributes which allows an attacker to bypass signature verification by creating a non-authenticated NVRAM variable. An attacker may to execute arbitrary signed UEFI code and bypass Secure Boot.

Exploits (1)

nomisec WORKING POC 39 stars

by NikolajSchlej · poc

https://github.com/NikolajSchlej/Hydroph0bia

View Code ZIP pw:eip

References (2)

[Various Sources] https://www.insyde.com/security-pledge/sa-2025002/

[Third Party Advisory, US Government Resource] https://www.kb.cert.org/vuls/id/211341

Scores

CVSS v3 7.8

EPSS 0.0007

EPSS Percentile 21.8%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

Status published

Products (6)

Insyde Software/InsydeH2O Kernel 5.2 - 05.2A.16

Insyde Software/InsydeH2O Kernel 5.3 - 05.39.16

Insyde Software/InsydeH2O Kernel 5.4 - 05.47.16

Insyde Software/InsydeH2O Kernel 5.5 - 05.55.16

Insyde Software/InsydeH2O Kernel 5.6 - 05.62.16

Insyde Software/InsydeH2O Kernel 5.7 - 05.71.16

Published Jun 11, 2025

Tracked Since Feb 18, 2026