Gigabyte Motherboards Exposed To Stealthy Malware Threat

Security researchers have discovered four critical vulnerabilities in the firmware of hundreds of Gigabyte motherboards that could allow attackers to silently install malware that survives operating system reinstalls and evades traditional security tools.

The four high-severity vulnerabilities were discovered by researchers at firmware security company Binarly, which worked with Carnegie Mellon University’s CERT Coordination Center (CERT/CC) to disclose the issue. These flaws affect the Unified Extensible Firmware Interface (UEFI) firmware’s System Management Mode (SMM), an ultra-privileged part of the CPU designed for handling low-level system operations.

Exploiting these bugs allows attackers with admin access to write to protected memory, enabling stealthy “bootkits” that remain active even after the operating system is reinstalled or the hard drive is replaced.

Over 240 Motherboard Models Affected

According to Binarly, more than 240 Gigabyte motherboard models, across consumer, gaming, and small business (SMB) class boards, are affected. Many of these use older Intel chipsets like the H110, B150, and X150/X170.

The four vulnerabilities, each rated with a severity score of 8.2 on the CVSS (classified as “high”), stem from flaws in System Management Interrupt (SMI) handlers. These bugs enable unauthorized access to System Management RAM (SMRAM), potentially allowing attackers to escalate privileges and install malware that remains persistent.

The four vulnerabilities are:

CVE-2025-7029: A flaw in the Software SMI handler (SwSmiInputValue 0xB2) that allows attackers to manipulate the RBX register, which points to critical structures (OcHeader, OcData) used in power and thermal configuration. This can lead to arbitrary writes into SMRAM and result in SMM privilege escalation.

CVE-2025-7028: A flaw in the SwSmiInputValue 0x20 handler that allows attackers to pass arbitrary pointers via RBX/RCX into flash-management functions (ReadFlash, WriteFlash, EraseFlash, GetFlashInfo), enabling arbitrary read/write access to SMRAM. This enables full SMM-level compromise, including persistent firmware implants.

CVE-2025-7027: A vulnerability in the Software SMI handler (SwSmiInputValue 0xB2) that allows a local attacker to control both the target and content of memory writes by exploiting unvalidated pointers, including one from a UEFI NVRAM variable and one from the RBX register. This enables arbitrary writes to SMRAM, potentially leading to SMM privilege escalation and firmware compromise.

CVE-2025-7026: A vulnerability in the Software SMI handler that lets a local attacker direct the RBX register into SMI flash routines, enabling SMM privilege escalation and long-term firmware compromise.
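
The CVE entries above describe SMI handlers that use register-supplied pointers without validating them. The following is an added illustration of the check such a handler needs before touching caller-supplied memory; it is not AMI's or Gigabyte's code, and the SMRAM range, request layout and function names are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed SMRAM map for illustration; real firmware obtains the
   ranges from the platform at boot. */
typedef struct { uint64_t base, size; } range_t;
static const range_t SMRAM[] = { { 0x7F000000ULL, 0x00800000ULL } };

/* True only if [addr, addr+len) is non-empty, does not wrap around the
   address space and overlaps no SMRAM range. */
bool outside_smram(uint64_t addr, uint64_t len)
{
    if (len == 0 || len - 1 > UINT64_MAX - addr)
        return false;
    uint64_t last = addr + (len - 1);
    for (size_t i = 0; i < sizeof SMRAM / sizeof SMRAM[0]; i++) {
        uint64_t r_last = SMRAM[i].base + (SMRAM[i].size - 1);
        if (addr <= r_last && last >= SMRAM[i].base)
            return false;               /* overlaps protected memory */
    }
    return true;
}

/* Hypothetical request block whose address the caller supplies in RBX. */
typedef struct { uint64_t data_ptr, data_len; } smi_request_t;

typedef enum { SMI_OK, SMI_REJECTED } smi_status_t;

/* Checks a handler makes before using caller-supplied memory.
   `snapshot` models the copy of the request block taken into SMRAM after
   the first check, so later checks and uses see the same values. */
smi_status_t validate_request(uint64_t saved_rbx, const smi_request_t *snapshot)
{
    if (!outside_smram(saved_rbx, sizeof *snapshot))
        return SMI_REJECTED;            /* the request block itself */
    if (!outside_smram(snapshot->data_ptr, snapshot->data_len))
        return SMI_REJECTED;            /* the pointer nested inside it */
    return SMI_OK;
}
```

Both the outer pointer and any pointer nested in the structure it references are checked, because validating only the first still lets a caller aim the second at SMRAM.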

How Did This Happen?

The original supplier of the firmware code is American Megatrends Inc. (AMI), one of the most widely used firmware providers globally. However, the firmware is customized and integrated by Gigabyte.

According to CERT/CC, AMI had quietly patched the same vulnerable code upstream and notified its OEM customers under strict non-disclosure agreements. However, it appears that Gigabyte either missed or failed to integrate those fixes into its own firmware releases, so the vulnerabilities reappeared in downstream Gigabyte builds.

CERT/CC says it informed Gigabyte about the vulnerabilities in mid-April, which was confirmed by the company in June.

What Should You Do?

Gigabyte has started releasing BIOS updates through its support website to address the flaws. Affected users are strongly advised to:

Check Gigabyte’s support page for your motherboard model and see if the latest firmware update is available.

Install updates promptly, particularly on systems that could be accessed locally or remotely by users with admin privileges. Even if you think that you are not at risk, patching helps prevent these potential attacks.

Stay alert for updates from other OEMs, as AMI firmware is widely used across different hardware manufacturers.

 

Kavita Iyer