PT-2025-24404 · Insyde · Insydeh2O

Nikolaj Schlej · Published 2025-06-09 · Updated 2026-01-13 · CVE-2025-4275

CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Insyde H2O UEFI firmware (affected versions not specified)

Description: A flaw exists in the digital signature verification process of Insyde H2O UEFI firmware. The firmware does not properly validate variable attributes, so an attacker can bypass signature verification by creating a non-authenticated NVRAM variable. Successful exploitation could allow an attacker to execute arbitrary signed UEFI code and bypass Secure Boot. The vulnerability, named Hydroph0bia, affects devices including laptops, embedded systems, medical devices, car ECUs, and systems used in IoT, SCADA, and critical infrastructure. It allows undetectable malware and rootkit injection, can be exploited without user interaction, and works with Secure Boot and firmware passwords enabled. The vulnerability involves manipulation of the IhisiParamBuffer variable.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
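As an added illustration (not code from this advisory, from Insyde, or from the researcher), the following Python models the check the description says is missing: code that consumes an NVRAM variable as input to a signature-verification decision must confirm that the variable's attributes mark it as authenticated before trusting its contents. The record layout (4-byte little-endian attribute word followed by data) follows Linux efivarfs; the variable contents are constructed, and the bit names are the UEFI specification's.

```python
import struct

# UEFI variable attribute bits, per the UEFI specification (SetVariable).
EFI_VARIABLE_NON_VOLATILE = 0x01
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x02
EFI_VARIABLE_RUNTIME_ACCESS = 0x04
EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS = 0x10            # deprecated form
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS = 0x20
EFI_VARIABLE_ENHANCED_AUTHENTICATED_ACCESS = 0x80
NV_BS_RT = (EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS
            | EFI_VARIABLE_RUNTIME_ACCESS)


def parse_record(blob):
    """Split an efivarfs-style record into (attribute word, data)."""
    if len(blob) < 4:
        raise ValueError("record too short to hold the attribute word")
    (attrs,) = struct.unpack_from("<I", blob, 0)
    return attrs, blob[4:]


def load_trusted_variable(blob, required=EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS):
    """Return the variable's data only if its attributes prove authenticated writes.

    A record whose attribute word lacks the required authenticated-write bit is
    rejected: any caller could have created it with a plain SetVariable(), so its
    contents must not feed a signature-verification decision. Omitting this test
    is the class of defect the advisory describes.
    """
    attrs, data = parse_record(blob)
    if (attrs & required) != required:
        return None, "variable is not authenticated (attrs=0x%02x)" % attrs
    return data, "ok"


def build_record(attrs, data):
    """Build a constructed efivarfs-style record for the demonstration."""
    return struct.pack("<I", attrs) + data


# Constructed sample records (not real firmware data).
PAYLOAD = b"\x30\x82\x01\x00" + b"\xaa" * 12   # stand-in for a certificate blob
AUTHENTICATED = build_record(NV_BS_RT | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS, PAYLOAD)
UNAUTHENTICATED = build_record(NV_BS_RT, PAYLOAD)   # identical data, no auth bit

if __name__ == "__main__":
    for label, rec in (("authenticated", AUTHENTICATED), ("unauthenticated", UNAUTHENTICATED)):
        data, why = load_trusted_variable(rec)
        print(label, "->", "trusted" if data is not None else "rejected", why)
```

The two records carry byte-identical payloads; only the attribute word differs, which is exactly why the consumer must inspect it rather than the data.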

Related Identifiers

CVE-2025-4275

Affected Products

Insydeh2O