Security researchers have disclosed two publicly available exploits that bypass Secure Boot, a key technology designed to ensure devices load only trusted operating system images during startup. Microsoft has addressed one of these vulnerabilities but left the other unpatched.
In its latest monthly security update, Microsoft fixed CVE-2025-3052, a Secure Boot bypass flaw impacting over 50 device manufacturers. Several modules that enable Linux compatibility on devices from these vendors allow attackers with physical access to disable Secure Boot. This enables installation of malware that runs before the OS loads, a scenario known as an “evil maid” attack, which Secure Boot aims to prevent. The vulnerability can also be exploited remotely by an attacker who already has administrative privileges, making the infection stealthier and giving the attacker more control.
The root cause lies in a critical weakness in a tool used to flash firmware on motherboards made by DT Research, a maker of rugged mobile devices. The exploit has been publicly available on VirusTotal since last year and was digitally signed in 2022, suggesting broader availability prior to that.
Though the tool was intended only for DT Research hardware, most Windows and Linux systems execute it during boot because it is authenticated with the “Microsoft Corporation UEFI CA 2011” certificate. This certificate, installed by manufacturers to support Linux, validates so-called shims—modules that aid Linux boot compatibility.
Microsoft’s patch adds cryptographic hashes of 14 variants of the DT Research tool to the DBX block list, a UEFI database that revokes or distrusts compromised signed modules. However, the second exploit remains unpatched, leaving some systems exposed.
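The DBX check described above, as an added example that is not code from Microsoft or from this article: a small parser for the EFI_SIGNATURE_LIST structures that make up the DBX variable, used to test whether an image digest has been revoked. The digests, file names and helper names (parse_dbx_sha256, revoked, build_list) are constructed for illustration, since the article does not list the 14 real hashes.

```python
import hashlib
import struct
import uuid

# Signature type GUIDs defined by the UEFI specification.
EFI_CERT_SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

def parse_dbx_sha256(blob):
    """Return the SHA-256 digests (hex) held in concatenated EFI_SIGNATURE_LISTs."""
    digests, off = set(), 0
    while off + 28 <= len(blob):
        # Header: type GUID, then list size, header size, per-entry size (LE).
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 or off + list_size > len(blob) or sig_size < 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            # Each entry is a 16-byte owner GUID followed by the signature data.
            data = blob[pos + 16:pos + sig_size]
            if sig_type == EFI_CERT_SHA256 and len(data) == 32:
                digests.add(data.hex())
            pos += sig_size
        off += list_size  # lists of other types (e.g. X.509) are skipped
    return digests

def revoked(image_digests, dbx_blob):
    """Map each image name to True if its digest appears in the block list."""
    found = parse_dbx_sha256(dbx_blob)
    return {name: digest in found for name, digest in image_digests.items()}

def build_list(sig_type, entries, owner=uuid.UUID(int=0)):
    """Helper for the constructed sample: serialise one EFI_SIGNATURE_LIST."""
    body = b"".join(owner.bytes_le + e for e in entries)
    sizes = struct.pack("<III", 28 + len(body), 0, 16 + len(entries[0]))
    return sig_type.bytes_le + sizes + body

# Constructed sample data: an X.509 list followed by a SHA-256 list.
BLOCKED = hashlib.sha256(b"constructed-revoked-module").digest()
OTHER = hashlib.sha256(b"constructed-other-module").digest()
SAMPLE_DBX = (build_list(EFI_CERT_X509, [b"\x30" * 40])
              + build_list(EFI_CERT_SHA256, [BLOCKED, OTHER]))
SAMPLE_IMAGES = {"revoked.efi": BLOCKED.hex(),
                 "clean.efi": hashlib.sha256(b"constructed-clean").hexdigest()}

if __name__ == "__main__":
    print(revoked(SAMPLE_IMAGES, SAMPLE_DBX))
```

On Linux the live variable can be read from /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f, and its 4-byte attribute prefix must be stripped before parsing. DBX SHA-256 entries for PE images are Authenticode digests, not plain file hashes, so compare like with like.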