CVE-2025-4275

HIGH

InsydeH2O Kernel 5.2-5.7 - Secure Boot Bypass via NVRAM Variable Signature Verification Flaw

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-4275. PoCs published by NikolajSchlej.

AI-analyzed exploit summary This PoC exploits a vulnerability in UEFI firmware by manipulating the SecureFlashVariable to achieve arbitrary code execution in the firmware context. The exploit leverages a crafted variable buffer to trigger a secure flash operation, potentially leading to privilege escalation or persistent code execution.

Description

A vulnerability in the digital signature verification process does not properly validate variable attributes which allows an attacker to bypass signature verification by creating a non-authenticated NVRAM variable. An attacker may to execute arbitrary signed UEFI code and bypass Secure Boot.

Exploits (1)

nomisec WORKING POC 39 stars

by NikolajSchlej · poc

https://github.com/NikolajSchlej/Hydroph0bia

View Code ZIP pw:eip

This PoC exploits a vulnerability in UEFI firmware by manipulating the SecureFlashVariable to achieve arbitrary code execution in the firmware context. The exploit leverages a crafted variable buffer to trigger a secure flash operation, potentially leading to privilege escalation or persistent code execution.

Classification

Working Poc 90%

Attack Type

Lpe

Complexity

Complex

Reliability

Reliable

Target: UEFI firmware with SecureFlash functionality

No auth needed

Prerequisites: Physical or administrative access to the target system · UEFI firmware with the vulnerable SecureFlash implementation

MITRE ATT&CK

T1542.001 - System Firmware

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Various Sources

https://www.insyde.com/security-pledge/sa-2025002/

Third Party Advisory, US Government Resource

https://www.kb.cert.org/vuls/id/211341

Scores

CVSS v3 7.8

EPSS 0.0040

EPSS Percentile 31.1%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

Status published

Products (6)

Insyde Software/InsydeH2O Kernel 5.2 - 05.2A.16

Insyde Software/InsydeH2O Kernel 5.3 - 05.39.16

Insyde Software/InsydeH2O Kernel 5.4 - 05.47.16

Insyde Software/InsydeH2O Kernel 5.5 - 05.55.16

Insyde Software/InsydeH2O Kernel 5.6 - 05.62.16

Insyde Software/InsydeH2O Kernel 5.7 - 05.71.16

Published Jun 11, 2025

Tracked Since Feb 18, 2026