PT-2022-15180 · Microsoft · Windows 11+6

Zammis Clark

·

Published

2022-01-11

·

Updated

2026-06-12

·

CVE-2022-21894

CVSS v2.0

4.9

Medium

Vector AV:L/AC:L/Au:N/C:N/I:C/A:N
Name of the Vulnerable Software and Affected Versions Microsoft Windows 11 (affected versions not specified)
Description A security feature bypass allows attackers to circumvent Secure Boot, enabling the installation of UEFI bootkits such as BlackLotus. The issue is exploited by deploying vulnerable signed binaries into the EFI system partition, which lets the attacker register a malicious Machine Owner Key (MOK) in the MokList NVRAM variables. Once established, the attacker can use legitimate Microsoft-signed firmware components to launch a self-signed bootkit. This level of persistence lets the malware control the operating system boot process and disable security mechanisms including Hypervisor-Protected Code Integrity (HVCI) and BitLocker. The bootkit may also deploy an HTTP loader that communicates with command-and-control servers to execute commands and load additional payloads. Technical artifacts are often dropped under the \EFI\Microsoft\Boot\system32 path.
Recommendations Reinstall Windows and use the mokutil utility to remove the registered malicious MOK key. Disable the vulnerable UEFI binaries used to bypass Secure Boot. Update the Secure Boot DBX (revocation list) so that signed-but-vulnerable bootloaders are blocked. As an interim mitigation, use fwupdmgr to refresh metadata and upgrade firmware, which verifies checksums and applies the available updates.
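A defender-side check for the DBX recommendation above, added here as an example and not code from this advisory, Microsoft or any tool it names: it parses the EFI_SIGNATURE_LIST records that make up the Secure Boot dbx variable and reports whether a given bootloader's Authenticode SHA-256 hash is revoked. The sample dbx and its two hashes are constructed placeholders, and the hash passed to `is_revoked` must be the image's Authenticode hash rather than a plain file hash.

```python
import struct
import uuid

# From the UEFI specification: EFI_CERT_SHA256_GUID marks a list of SHA-256 image hashes.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
HDR = struct.Struct("<16sIII")


def parse_signature_lists(blob):
    """Parse concatenated EFI_SIGNATURE_LIST records (the raw dbx contents) into
    [(signature_type, [(owner_guid, signature_data), ...]), ...]; bad lengths raise."""
    lists, off = [], 0
    while off < len(blob):
        if len(blob) - off < HDR.size:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        type_raw, list_size, hdr_size, sig_size = HDR.unpack_from(blob, off)
        body_off = off + HDR.size + hdr_size
        body_len = list_size - HDR.size - hdr_size
        if body_len < 0 or off + list_size > len(blob) or sig_size < 16 or body_len % sig_size:
            raise ValueError(f"inconsistent EFI_SIGNATURE_LIST lengths at offset {off}")
        entries = []
        for i in range(body_len // sig_size):
            entry = blob[body_off + i * sig_size: body_off + (i + 1) * sig_size]
            entries.append((uuid.UUID(bytes_le=entry[:16]), entry[16:]))  # EFI_SIGNATURE_DATA
        lists.append((uuid.UUID(bytes_le=type_raw), entries))
        off += list_size
    return lists


def revoked_sha256_hashes(dbx_blob):
    """Lowercase hex SHA-256 image hashes revoked by the dbx; certificate lists are ignored."""
    return {data.hex() for sig_type, entries in parse_signature_lists(dbx_blob)
            if sig_type == EFI_CERT_SHA256_GUID for _owner, data in entries}


def is_revoked(dbx_blob, authenticode_sha256_hex):
    """True if a bootloader's Authenticode SHA-256 (not its plain file hash) is in the dbx."""
    return authenticode_sha256_hex.lower() in revoked_sha256_hashes(dbx_blob)


def build_sha256_list(hashes, owner=uuid.UUID(int=0)):
    """Build one EFI_SIGNATURE_LIST of SHA-256 entries; used here only to construct sample data."""
    body = b"".join(owner.bytes_le + h for h in hashes)
    return HDR.pack(EFI_CERT_SHA256_GUID.bytes_le, HDR.size + len(body), 0, 16 + 32) + body

# Constructed sample dbx with two placeholder hashes, not real revocation entries.
REVOKED_A, REVOKED_B = bytes(range(32)), bytes(range(32, 64))
SAMPLE_DBX = build_sha256_list([REVOKED_A, REVOKED_B])
```

To check a live system, feed the raw variable to `is_revoked`: on Windows `(Get-SecureBootUEFI -Name dbx).Bytes` returns the lists directly, while on Linux the file `/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f` carries a 4-byte attribute prefix that must be stripped first.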

Exploit

Fix

DoS

Incorrect Authorization


Weakness Enumeration

Related Identifiers

CVE-2022-21894

Affected Products

Windows
Windows 10
Windows 11
Windows 8.1
Windows Server 2012
Windows Server 2016
Windows Server 2019