A recently discovered security flaw affecting UEFI (Unified Extensible Firmware Interface) systems has been successfully patched. This vulnerability could have allowed adversaries to bypass the Secure Boot feature, raising significant concerns for system security.
Tracked as CVE-2024-7344 with a CVSS score of 6.7, the vulnerability resides in a UEFI application signed with Microsoft's "Microsoft Corporation UEFI CA 2011" third-party certificate. The finding comes from a report by ESET, which shared its findings with The Hacker News.
Exploiting this flaw would enable an attacker to execute untrusted code during the system’s boot process, creating opportunities to install malicious UEFI bootkits. Notably, this can occur even on systems that have Secure Boot enabled, regardless of the installed operating system.
Secure Boot serves as a critical firmware security standard aimed at preventing unauthorized code from being executed at startup by ensuring that only OEM-trusted software is used during booting. This mechanism relies on digital signatures to verify the authenticity, source, and integrity of the code involved in the startup process.
The UEFI application in question is part of several recovery software packages developed by companies including Howyar Technologies and Radix Technologies, among others. Specific versions of products from these vendors have been affected, requiring users to update to secure versions to mitigate risk.
According to ESET researcher Martin Smolár, the vulnerability arises from the use of a non-standard PE loader. This permits the loading of potentially malicious UEFI binaries, even unsigned ones, from a specially modified file during system startup, effectively undermining the Secure Boot protections.
An attacker leveraging CVE-2024-7344 can thereby bypass Secure Boot defenses and run unsigned code well before the operating system launches, gaining persistent access to the targeted system. Such early boot execution could lead to the deployment of malicious kernel extensions that survive reboots and OS reinstalls, severely complicating detection by conventional security measures.
Exploitation could further widen if attackers use their own versions of the vulnerable “reloader.efi” binary on any UEFI system that recognizes the Microsoft third-party UEFI certificate. However, deploying these malicious files to the EFI system partition requires elevated privileges, both on Windows and Linux platforms.
Following responsible disclosure to the CERT Coordination Center (CERT/CC) in June 2024, affected vendors promptly updated their software. Microsoft subsequently revoked outdated binaries on January 14, 2025, as part of its regular security patch updates.
Beyond revoking UEFI components, measures such as restricting access to files on the EFI system partition, customizing Secure Boot (for example, by managing the allowed and revoked signature databases), and using remote attestation with a Trusted Platform Module (TPM) are viable strategies for thwarting exploitation of as-yet-unknown vulnerable UEFI bootloaders.
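Revocation of a signed-but-vulnerable binary works through the UEFI forbidden-signature database (DBX), which firmware consults before executing an image. The following added example, which is not code from ESET, Microsoft or any of the vendors named above, shows how a defender can parse a DBX blob in the standard EFI_SIGNATURE_LIST format and test whether a given image hash is revoked. The `EFI_CERT_SHA256_GUID` and `EFI_IMAGE_SECURITY_DATABASE_GUID` values are the real UEFI specification constants; the sample DBX, the `OLD_RELOADER_SAMPLE` and `FIXED_RELOADER_SAMPLE` byte strings and the hashes derived from them are constructed stand-ins for illustration only. One caveat the example labels explicitly: the hashes that real DBX entries carry are Authenticode PE image hashes, not raw SHA-256 hashes of the file, so for a real check the image hash must be computed the Authenticode way; the raw hash is used here only to keep the example self-contained.

```python
import hashlib
import struct
import uuid

# Real UEFI spec constants (not constructed):
# EFI_CERT_SHA256_GUID marks a signature list whose entries are SHA-256 hashes.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# EFI_IMAGE_SECURITY_DATABASE_GUID is the vendor GUID of the db/dbx variables.
EFI_IMAGE_SECURITY_DATABASE_GUID = uuid.UUID("d719b2cb-3d3a-4596-a3bc-dad00e67656f")

# EFI_SIGNATURE_LIST header: SignatureType GUID (16), SignatureListSize (4),
# SignatureHeaderSize (4), SignatureSize (4); all little-endian.
ESL_HEADER_LEN = 28


def parse_signature_lists(blob):
    """Return a list of (signature_type, owner_guid, data) for every entry in
    every EFI_SIGNATURE_LIST concatenated in ``blob``."""
    entries = []
    off = 0
    while off + ESL_HEADER_LEN <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < ESL_HEADER_LEN or off + list_size > len(blob) or sig_size < 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        pos = off + ESL_HEADER_LEN + hdr_size
        end = off + list_size
        while pos + sig_size <= end:
            # Each EFI_SIGNATURE_DATA is SignatureOwner GUID (16) + SignatureData.
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries


def revoked_sha256_hashes(dbx_blob):
    """Collect the SHA-256 revocation entries from a DBX blob."""
    return {data for sig_type, _owner, data in parse_signature_lists(dbx_blob)
            if sig_type == EFI_CERT_SHA256_GUID and len(data) == 32}


def is_revoked(image_hash, dbx_blob):
    """True if ``image_hash`` (32 bytes) appears in the DBX SHA-256 entries."""
    return image_hash in revoked_sha256_hashes(dbx_blob)


def build_sha256_signature_list(hashes, owner=uuid.UUID(int=0)):
    """Build one EFI_SIGNATURE_LIST of SHA-256 entries (used here only to
    construct a sample DBX; firmware vendors ship the real one)."""
    sig_size = 16 + 32
    list_size = ESL_HEADER_LEN + sig_size * len(hashes)
    body = b"".join(owner.bytes_le + h for h in hashes)
    return EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", list_size, 0, sig_size) + body


def load_dbx_from_efivars(path="/sys/firmware/efi/efivars/dbx-%s" % EFI_IMAGE_SECURITY_DATABASE_GUID):
    """Read the live DBX on Linux. The efivars file prefixes the variable data
    with a 4-byte attributes field, which must be stripped first."""
    with open(path, "rb") as f:
        return f.read()[4:]


# Constructed sample images: a stand-in for an old, revoked reloader.efi build
# and a stand-in for a fixed build. These are NOT the real binaries.
OLD_RELOADER_SAMPLE = b"MZ-constructed-old-reloader-efi-sample"
FIXED_RELOADER_SAMPLE = b"MZ-constructed-fixed-reloader-efi-sample"
OTHER_REVOKED_SAMPLE = b"MZ-constructed-other-revoked-loader"

# CAVEAT: real DBX entries hold Authenticode PE image hashes, which skip the PE
# checksum, the certificate-table directory entry and the attached signature.
# A raw file hash is used here only so the example is self-contained.
def raw_image_hash(image_bytes):
    return hashlib.sha256(image_bytes).digest()

# Constructed DBX made of two concatenated signature lists, to exercise the
# multi-list parsing path that a real DBX also requires.
SAMPLE_DBX = (build_sha256_signature_list([raw_image_hash(OLD_RELOADER_SAMPLE)])
              + build_sha256_signature_list([raw_image_hash(OTHER_REVOKED_SAMPLE)]))


if __name__ == "__main__":
    for name, image in (("old reloader", OLD_RELOADER_SAMPLE), ("fixed reloader", FIXED_RELOADER_SAMPLE)):
        print(name, "revoked" if is_revoked(raw_image_hash(image), SAMPLE_DBX) else "allowed")
```

On a Linux host with Secure Boot, `load_dbx_from_efivars()` returns the live revocation database, and the parser above reports how many SHA-256 and certificate entries it holds; checking that a January 2025 DBX update has actually been applied means comparing the entries present against the vendor's published list rather than trusting that the update was installed.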
The increasing incidence of UEFI vulnerabilities underscores the necessity for vigilance, as well as the importance of timely patching and revocation of faulty binaries. Cybersecurity experts have expressed concern that other vulnerable signed UEFI binaries from third-party vendors may exist unnoticed, raising critical questions about overall system security in an evolving threat landscape.
By understanding the associated tactics detailed in the MITRE ATT&CK Matrix—such as initial access and persistence—business owners can better grasp the scope of these threats and proactively enhance their security protocols.