
Four UEFI Flaws in GIGABYTE Motherboards Expose 240+ Models to Persistent Bootkits

AleksandarK

News Editor
Firmware security firm Binarly disclosed that four serious vulnerabilities in GIGABYTE's UEFI firmware put more than 240 different motherboard models at risk of undetectable, reinstall-proof bootkits. Each of the flaws, tracked as CVE‑2025‑7029 through CVE‑2025‑7026, carries a high severity score of 8.2 on the CVSS scale and resides in System Management Mode, which activates before any operating system starts. An attacker with administrator privileges, whether local or remote, could exploit these issues to hijack System Management Interrupt handlers and inject arbitrary code into System Management RAM. Because memory controls every step of the boot process, any malicious implant remains hidden beneath the operating system and survives disk wipes and Secure Boot checks, allowing the attacker to maintain persistent control of the machine.

All four bugs originate in American Megatrends reference code that was quietly shared with OEM partners under non‑disclosure agreements earlier this year. Although Gigabyte customizes that base firmware, it did not pass along the necessary fixes to end users. Binarly alerted CERT/CC on April 15, and GIGABYTE confirmed receipt on June 12, but no public advisory appeared until Bleeping Computer reporters inquired on Monday. Users should visit GIGABYTE's support page to find and install the updated BIOS versions using the Q-Flash utility, and then re-enable Secure Boot. Devices that GIGABYTE has declared end of life may never see a patch. The company also claims only Intel-based boards are affected, leaving AMD boards untouched. Users can also run Binarly's free Risk Hunt scanner to check for exposure. According to Binarly CEO Alex Matrosov, these vulnerabilities highlight how inherited reference‑code flaws can quietly spread through the hardware supply chain.




GIGABYTE claims only the following Intel-based motherboards are affected: H110, Z170, H170, B150, Q170, Z270, H270, B250, Q270, Z370, B365, Z390, H310, B360, Q370, C246, Z490, H470, H410, W480, Z590, B560, H510, and Q570. No AMD chipset-based motherboard is affected at the time of writing, probably making all AMD boards immune from this vulnerability.

 
Noooooooooo! :D

EDIT:
Gigabyte says these vulnerabilities only affect Intel systems and I'm on AMD so :ohwell:

@AleksandarK I don't know if Gigabyte's claim is true or not but it might not be a bad idea to mention in the post the issue might not affect AMD.
 
So, if “earlier this year” is to be taken at face value, any boards with UEFI versions predating 2025 are safe, correct?
 
Low quality post by _roman_
Gigabyte never disappoints

Gigabyte will even screw up in making screwdrivers /sarcasm (gigglebyte)

The issue is relevant. Unsecure gaming only Windows 11 Pro could patch a gigglebyte board. That tainted gigglebyte board could circumvent another operating system and data on the same gigglebyte mainboard. Therefore high impact. Live ISO Images for updating UEFI could taint gigglebyte mainboard and therefore introduce permanent security holes on gigglebyte. This is invisible to the end user and operating system.


... it did not pass along the necessary fixes to end users. = did not read and apply updates for the current in use binary or non binary code

Gigabyte, ASUS, MSI - a simple fix. It's called coreboot or libreboot last time checked that project years ago.
 
@AleksandarK I don't know if Gigabyte's claim is true or not but it might not be a bad idea to mention in the post the issue might not affect AMD.
And in the headline, please.
Spare someone else the mini heart attack... -_-
 
gigaBUTT strikes again ROFL
Welp at least they're not exploding...yet
 
“The company also claims only Intel-based boards are affected, leaving AMD boards untouched. ”

Whew…….

Not me, hopefully……

And fix it gigabyte
 
And in the headline, please.
Spare someone else the mini heart attack... -_-
The Gigabyte statement on its website is not as clear cut as you might hope for. It says "...Affected platforms include (but are not limited to)..." followed by a list of Intel platforms.

The Intel list does not include anything more recent than Z590. Checking on a Gigabyte Z590 model shows a BIOS update dated June 10 2025 with this wording "...This BIOS update addresses a potential security issue and is highly recommended for all users. Please update promptly to ensure continued system security.". The previous BIOS update for this particular board was December 19 2023 suggesting this issue has been around for a while.

There was no sign of any such BIOS updates on a sample of Gigabyte AMD boards so this is almost certainly an Intel issue only.
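
A small triage helper for the check discussed above, as an added example that is not part of any post in this thread and is not GIGABYTE's or Binarly's tooling. It matches a board name against the chipset list quoted in the news post and compares the BIOS date with a cut-off; the function names, the status strings, the sample rows and the default cut-off (taken from the single Z590 BIOS date mentioned above) are assumptions.

```python
import re
from datetime import date, datetime
from pathlib import Path

# Chipset families from GIGABYTE's list as quoted in the news post.
LISTED = set("""H110 Z170 H170 B150 Q170 Z270 H270 B250 Q270 Z370 B365 Z390
H310 B360 Q370 C246 Z490 H470 H410 W480 Z590 B560 H510 Q570""".split())

# Assumption: cut-off borrowed from the one Z590 BIOS date mentioned in the
# thread; it is not a per-board fix date, so pass your own where known.
DEFAULT_CUTOFF = date(2025, 6, 10)

# A chipset token is a letter plus three digits that is not preceded by a
# letter or digit, e.g. "Z170" in "GA-Z170X-Gaming 7", "B360" in "B360M DS3H".
CHIPSET_RE = re.compile(r"(?<![A-Z0-9])([BCHQWXZ]\d{3})")

def chipset_of(board_name):
    m = CHIPSET_RE.search(board_name.upper())
    return m.group(1) if m else None

def triage(vendor, board_name, bios_date, cutoff=DEFAULT_CUTOFF):
    """Classify one board; bios_date uses the DMI format MM/DD/YYYY."""
    if "gigabyte" not in vendor.lower():
        return "other-vendor"
    if chipset_of(board_name) not in LISTED:
        # The advisory says "include (but are not limited to)", so this
        # result means "not on the list", not "confirmed unaffected".
        return "not-listed"
    flashed = datetime.strptime(bios_date.strip(), "%m/%d/%Y").date()
    return "listed-old-bios" if flashed < cutoff else "listed-check-notes"

def read_local_dmi(root="/sys/class/dmi/id"):
    """Vendor, board name and BIOS date of this machine (Linux sysfs)."""
    return tuple((Path(root) / name).read_text().strip()
                 for name in ("board_vendor", "board_name", "bios_date"))

if __name__ == "__main__":
    # Constructed sample inventory rows, not real machines.
    inventory = [
        ("Gigabyte Technology Co., Ltd.", "Z590 AORUS ELITE AX", "12/19/2023"),
        ("Gigabyte Technology Co., Ltd.", "GA-Z170X-Gaming 7", "06/10/2025"),
        ("Gigabyte Technology Co., Ltd.", "X470 AORUS ULTRA GAMING", "03/02/2022"),
    ]
    for row in inventory:
        print(f"{row[1]:28} {triage(*row)}")
```

On a Linux host, `triage(*read_local_dmi())` classifies the running machine; a "listed-check-notes" result still needs the BIOS release notes confirmed on the vendor support page.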
 
So, if “earlier this year” is to be taken at face value, any boards with UEFI versions predating 2025 are safe, correct?
Quite the opposite, it seems.
The affected boards are all old. Skylake thru Rocket Lake.
https://www.gigabyte.com/Support/Security/2302

The Gigabyte statement on its website is not as clear cut as you might hope for. It says "...Affected platforms include (but are not limited to)..." followed by a list of Intel platforms.

The Intel list does not include anything more recent than Z590. Checking on a Gigabyte Z590 model shows a BIOS update dated June 10 2025 with this wording "...This BIOS update addresses a potential security issue and is highly recommended for all users. Please update promptly to ensure continued system security.". The previous BIOS update for this particular board was December 19 2023 suggesting this issue has been around for a while.
Nothing yet to indicate it's not specific to intel supporting boards.
May spawn [discovery of] future vulnerabilities on AMD platforms, but if it was already discovered with this specific set, they would have already patched them and added them to the announcement.
 
@Shihab
I wasn’t talking about the boards/chipsets themselves, but about UEFI versions. Since the security issue happened on the code AM released in early 2025, wouldn’t it mean that people with those boards who HAVE NOT updated the UEFI are fine?
 
@Shihab
I wasn’t talking about the boards/chipsets themselves, but about UEFI versions. Since the security issue happened on the code AM released in early 2025, wouldn’t it mean that people with those boards who HAVE NOT updated the UEFI are fine?
I checked one of the affected Gigabyte boards and the June 2025 BIOS update was replacing a previous BIOS dating back to 2023. If you have an Intel Gigabyte board check what the latest BIOS update is, and if it is fixing security issues you are strongly advised to update.
 
@Shihab
I wasn’t talking about the boards/chipsets themselves, but about UEFI versions. Since the security issue happened on the code AM released in early 2025, wouldn’t it mean that people with those boards who HAVE NOT updated the UEFI are fine?
Ah!
Yeah, I think that's a misinterpretation in the op. What happened earlier this year -from what I gather from other articles- is American Megatrends providing the patch to the OEMs, not introducing the bugs themselves.

I think the timeline is made unnecessarily vague by the combination of disclosure practices; typical, sh1tty, security-related communication; and, apparently, an NDA by the UEFI's oem.
 
They ain't GigaFAIL for nothing!
 
I must have hit the jackpot with my GB X470 motherboard. It's an absolute tank of a motherboard.
But it seems like since then, they're showing reasons for me not to opt for a new GB motherboard when the time to rebuild comes.
 
Didn’t AMI have another flaw last year?

Edit: There were two.

Yeah, AMI is virtually all custom boards' reference bios/UEFI, so they are a hot target. Half the time it's just board vendors literally lazily using reference code/keys marked "DO NOT USE."

Could this not be solved by disabling the SMM? Or does Gigabyte allow for that option?
I don't think that's really been an exposed option on modern boards for some time. The most you can do is alter its roles, but it's always there.
 
This says it all. Who do you trust with your computer?

An attacker with administrator privileges, whether local or remote, could
 
I don't think that's really been an exposed option on modern boards for some time. The most you can do is alter its roles, but it's always there.
I think I’ve read the US government disables it, although that could be specific board models that are specialized for government purchases.
 
I think I’ve read the US government disables it, although that could be specific board models that are specialized for government purchases.
You are thinking of the Intel ME HAP bit. Fun fact, you are speaking to one of the researchers involved in its discovery. I used to produce modded bios images for common boards with it toggled on (ME disabled), but as time is money, I don't anymore.

My history with that is well documented on these forums.

Intel ME / AMD PSP are actually a layer deeper than SMM, and yes, it's a horrible setup ripe for persistent exploitation.
 
This says it all. Who do you trust with your computer?
Correct answer? No one.
I think I’ve read the US government disables it, although that could be specific board models that are specialized for government purchases.
That's what I was thinking, thus my question.

I read up on this. The motherboard makers have to open the option to enable/disable up to the user in the UEFI for it to show up. Seems Gigabyte hasn't, but MSI seems to have.
A whole lotta "iffy" going on with this crap..

Oh and surprise, surprise, TPM and SecureBoot do nothing to get in the way of an attack..
 
For all the comments saying gigaFAIL, they at least patched some/most/all boards even with this being identified only in 4+ year old boards

I have no particular love for gigabyte but I'd call this a gigaWin to be honest
 
gigaBUTT strikes again ROFL
Welp at least they're not exploding...yet
They ain't GigaFAIL for nothing!
These bugs existed regardless of Gigabyte's actions, or in this case inaction:
All four bugs originate in American Megatrends reference code that was quietly shared with OEM partners under non‑disclosure agreements earlier this year. Although Gigabyte customizes that base firmware, it did not pass along the necessary fixes to end users.
Gigabyte's fault was not doing its due diligence. At least they fixed it now.
 