Martin Smolar

**Name of the Vulnerable Software and Affected Versions** Spyrus WTGCreator version 4.2 Baramundi Management Suite versions prior to 2024R1 WhiteCanyon WipeDrive versions 8.0.0 through 8.1.3 Finland Matriculation Exam Abitti 1 version 1.0.0 NTC IT Rosa versions R9 and R10 PC-Doctor Service Center versions 15 and 16 **Description** Multiple Microsoft-signed UEFI SHIM bootloaders are subject to a Secure Boot bypass due to a lack of enforcement and validation of the Secure Boot Advanced Targeting (SBAT), a mechanism used to revoke vulnerable bootloaders. An attacker with administrative privileges or the ability to modify the boot process can utilize these bootloaders to circumvent Secure Boot protections and execute arbitrary code before the operating system loads. **Recommendations** Apply the specific UEFI DBX update to block the vulnerable bootloaders for all affected versions.

**Name of the Vulnerable Software and Affected Versions** Howyar UEFI Application "Reloader" (32-bit and 64-bit) versions prior to January 2025 **Description** A vulnerability exists in the Howyar UEFI Application "Reloader" that allows for the execution of unsigned software in a hardcoded path. This flaw, identified as CVE-2024-7344, bypasses UEFI Secure Boot protections, potentially enabling the installation of malicious bootkits. A new ransomware strain, HybridPetya, has been observed exploiting this vulnerability to gain persistence and encrypt systems. HybridPetya mimics the behavior of Petya/NotPetya ransomware, encrypting the NTFS Master File Table (MFT) and demanding a ransom payment. While HybridPetya has not yet been widely deployed in active attacks, its capabilities suggest a significant threat potential. The vulnerability resides in a UEFI application signed by Microsoft, impacting a range of systems. The exploitation of this vulnerability allows attackers to gain control at the boot level, potentially bypassing operating system-level security measures. **Recommendations** Apply the January 2025 UEFI revocation database update. Check for the presence of the 'cloak.dat' file. Rotate Secure Boot keys if necessary. Apply updates for CVE-2024-7344. Ensure Secure Boot is enabled and properly configured. Monitor firmware integrity using tools like UEFI Scanner or CHIPSEC. Maintain offline backups of both data and firmware configurations.

**Name of the Vulnerable Software and Affected Versions** Windows (affected versions not specified) **Description** A security-feature bypass issue exists in the Secure Boot implementation of Windows operating systems. The problem is related to errors in accessing debugging functions during the boot process, which can allow an attacker to bypass existing security restrictions. Specifically, a technique known as bitpixie can be used to trigger a boot error and read the BitLocker decryption key from memory because the bootloader fails to clear it. Attackers can bypass Secure Boot protections by downgrading the bootloader to a vulnerable version to exploit this memory reading flaw. This can be achieved without physical disassembly of the device, for example, by using a LAN cable to simulate a TFTP PXE server to deliver a downgraded bootloader. **Recommendations** Install the July 8, 2025 security updates for all supported versions of Windows. After installing the updates, follow the steps in KB5025885 to manually enable the mitigations for Windows Boot Manager revocations. As a temporary workaround, suspend BitLocker and disable Secure Boot in the BIOS/UEFI settings.

**Name of the Vulnerable Software and Affected Versions** Acer Notebook devices (affected versions not specified) **Description** The issue concerns a vulnerability in the HQSwSmiDxe DXE driver that may allow an attacker with elevated privileges to modify UEFI Secure Boot settings by changing an NVRAM variable. This could potentially be exploited to disable Secure Boot protection, allowing attackers to intercept the OS boot process, load unsigned bootloaders, and deploy malicious payloads with system privileges. The vulnerability can be exploited in low-complexity attacks without requiring user interaction. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability. However, Acer recommends updating the BIOS to the latest version. As an alternative, clients can manually install the update on vulnerable systems.