UEFI Motherboard Flaw Enables Early-Boot DMA Attacks and Game Cheat Bypass
A critical vulnerability has been identified in the UEFI firmware of several major motherboard brands, including ASRock, ASUS, MSI, and Gigabyte, which allows attackers to exploit the system during the early boot process via PCIe-connected DMA devices. This flaw enables malicious actors to bypass operating system security controls by taking advantage of the Input-Output Memory Management Unit (IOMMU) not fully initializing upon boot, leaving system RAM exposed to unauthorized access and manipulation.
The vulnerability has significant implications for both general system security and the integrity of anti-cheat mechanisms in online games. Riot Games, the developer of Valorant, has responded by blocking players who do not update their BIOS with the latest security patches, as the flaw allows sophisticated cheating devices to evade detection by anti-cheat software. Major motherboard vendors have released security updates to address the issue, and users are strongly advised to apply these patches to mitigate the risk of exploitation.
Timeline
Dec 19, 2025
Riot Vanguard blocks or restricts unpatched vulnerable systems
Riot Games updated its Vanguard anti-cheat protections so vulnerable systems without the required BIOS fixes could be blocked from launching Valorant or restricted from competitive play. Riot said enforcement would focus on systems associated with cheating risk rather than all players universally.
Dec 19, 2025
Motherboard vendors release BIOS/firmware updates and advisories
ASRock, ASUS, Gigabyte, and MSI acknowledged the issue and began publishing BIOS or firmware updates to correct early IOMMU initialization. Vendor and CERT advisories urged users and administrators to apply the patches promptly, especially where physical access cannot be tightly controlled.
Dec 19, 2025
CERT coordination and CVEs assigned for the motherboard UEFI vulnerability
The vulnerability was coordinated with CERT/CC and CERT Taiwan, and multiple CVEs were assigned: CVE-2025-11901, CVE-2025-14302, CVE-2025-14303, and CVE-2025-14304. Advisories highlighted that firmware could falsely report DMA protection as enabled while systems remained exposed before the OS loaded.
Dec 18, 2025
Riot Games researchers discover early-boot IOMMU flaw in major motherboards
Nick Peterson and Mohamed Al-Sharifi of Riot Games identified a UEFI flaw affecting certain ASRock, ASUS, Gigabyte, and MSI motherboards. The bug leaves the IOMMU improperly initialized during early boot, enabling pre-boot DMA attacks via malicious PCIe devices with physical access.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Vulnerabilities
Sources
2 more from sources like security online info and toms hardware
Related Stories
Secure Boot Bypass Vulnerability in Framework Linux Laptops via Signed UEFI Shells
Researchers from Eclypsium discovered that nearly 200,000 Linux-based Framework laptops and desktops were shipped with signed UEFI shell components containing a powerful 'memory modify' (mm) command, which can be exploited to bypass Secure Boot protections. The mm command, intended for low-level diagnostics and firmware debugging, provides direct read and write access to system memory, including critical security variables such as gSecurity2. By abusing this command, an attacker can overwrite the gSecurity2 variable with NULL, effectively disabling signature verification for all subsequent UEFI module loads and breaking the Secure Boot trust chain. This vulnerability allows attackers to load bootkits such as BlackLotus, HybridPetya, and Bootkitty, which can evade operating system-level security controls and persist even after OS reinstallation. The attack can be automated using startup scripts, ensuring persistence across reboots. The issue is not the result of a supply chain compromise or malicious intent, but rather an oversight in the inclusion of diagnostic tools signed with trusted certificates. Eclypsium's research highlights that these signed UEFI shells, while legitimate, function as backdoors that undermine the security model of Secure Boot. The presence of such tools in production devices exposes users to significant risk, as attackers can leverage them for pre-OS infections, espionage, sabotage, or ransomware attacks. The gaming industry has already seen commercial cheat providers exploiting similar UEFI-level bypasses, and the same techniques could be adopted by nation-state actors or advanced persistent threats. Framework has acknowledged the issue and is working on remediation, with fixes planned for affected models such as the Framework 13 (11th and 12th Gen Intel). The discovery underscores the broader risk of trusted, signed components containing powerful functionality that can be misused, and the need for rigorous review of firmware-level tools included in shipping devices. The vulnerability demonstrates that even systems marketed as secure and repairable can harbor critical flaws if diagnostic utilities are not properly restricted. The incident serves as a warning to hardware manufacturers and the security community about the dangers of trusted but overly permissive firmware components. Eclypsium's findings have prompted a reassessment of trust models in firmware security, emphasizing the importance of minimizing attack surfaces in pre-boot environments. The case also illustrates how attackers are increasingly targeting lower layers of the computing stack to achieve persistence and evade detection. Framework's response and the ongoing remediation efforts will be closely watched by the industry as a test case for responsible disclosure and mitigation of firmware-level threats.
1 months ago
Critical Secure Boot Vulnerability in Qualcomm Chipsets
Qualcomm has issued a security alert regarding multiple newly discovered vulnerabilities in its chipset ecosystem, with particular emphasis on a critical flaw affecting the secure boot process. The most severe vulnerability, identified as CVE-2025-47372 and rated as critical with a CVSS score of 9.0, involves a buffer overflow during the boot sequence that could allow attackers to bypass verification routines, install persistent malicious firmware, or gain control of a device before the operating system loads. This flaw, classified under CWE-120 (Classic Buffer Overflow), impacts a wide range of Snapdragon and QAM devices, and Qualcomm has urged device manufacturers to integrate the necessary fixes into both current and future products. The vulnerability was discovered with the assistance of external researchers and has been highlighted in Qualcomm's December 2025 security bulletin. Security authorities, including the Canadian Centre for Cyber Security, have echoed Qualcomm's advisory, strongly recommending that users and administrators review the bulletin and apply all relevant updates to mitigate the risk. The flaw's presence at such a fundamental stage of device operation underscores the urgency for prompt remediation across affected hardware.
1 months ago
RMPocalypse Vulnerability Enables Full Compromise of AMD SEV-SNP Encrypted Virtual Machines
A critical vulnerability, identified as CVE-2025-0033 and dubbed RMPocalypse, has been discovered in AMD's Secure Encrypted Virtualization with Secure Nested Paging (SEV-SNP) technology. This flaw allows attackers to bypass the core security guarantees of SEV-SNP, which is designed to protect the confidentiality and integrity of virtual machines (VMs) even in hostile environments. Researchers from ETH Zürich revealed that the vulnerability stems from incomplete protections in the initialization of the Reverse Map Paging (RMP) table, a key data structure that stores security metadata for all DRAM pages in the system. The RMP table, which maps system physical addresses to guest physical addresses, is only partially protected during VM startup, creating a window of opportunity for exploitation. By performing a single, carefully crafted 8-byte memory write to the RMP table, an attacker can corrupt its contents, undermining the isolation between VMs and the hypervisor. This attack vector enables adversaries with sufficient access to bypass SEV-SNP's hardware-enforced boundaries, potentially gaining full control over encrypted VMs. The implications are severe: attackers could access sensitive data, activate hidden debug functions, forge attestation checks, and even perform replay attacks by restoring previous VM states. AMD has acknowledged the issue and released firmware updates to address the vulnerability, urging customers to apply the patches promptly. The flaw highlights a fundamental challenge in confidential computing, where the security of the underlying mechanisms is as critical as the protections they provide. The vulnerability is particularly concerning for cloud service providers and enterprises relying on SEV-SNP for secure multi-tenant environments. Security experts recommend immediate patching and a review of VM isolation strategies in light of this disclosure. The RMPocalypse flaw demonstrates that even advanced hardware-based security features can be undermined by subtle implementation oversights. The research underscores the importance of rigorous security validation for all components involved in confidential computing. Organizations are advised to monitor for further advisories from AMD and to assess the potential exposure of their virtualized workloads. The incident serves as a reminder that attackers continue to seek and exploit weaknesses in foundational security technologies. The public disclosure of RMPocalypse has prompted renewed scrutiny of hardware-assisted virtualization security. The vulnerability's exploitation requires a high level of technical skill but poses a significant risk to environments where SEV-SNP is deployed. AMD's response includes not only patches but also updated guidance for secure deployment of SEV-SNP-enabled systems. The security community is closely watching for any signs of exploitation in the wild following the release of technical details. This event is expected to influence future designs of confidential computing architectures across the industry.
1 months ago