Executive Summary
In December 2025, researchers from Riot Games identified a critical UEFI firmware vulnerability impacting motherboards from ASUS, Gigabyte, MSI, and ASRock. The flaw, tracked as CVE-2025-11901, CVE-2025-14302, CVE-2025-14303, and CVE-2025-14304, allows Direct Memory Access (DMA) attacks during the pre-boot phase because the firmware does not properly initialize the IOMMU, bypassing the protection it is meant to provide. Threat actors with physical access can attach malicious PCIe devices to read or alter system memory before the operating system loads, making traditional endpoint protections ineffective. The vulnerability was confirmed by multiple security advisories and coordinated with hardware vendors for urgent firmware updates.
This incident highlights the increasing sophistication of firmware-level attacks that can evade operating system and security tool visibility. As hardware supply chains diversify and attackers target pre-boot processes, organizations face heightened risks in both enterprise and consumer hardware ecosystems.
Why This Matters Now
This vulnerability exposes a fundamental gap in hardware security, allowing attackers to compromise systems at the lowest level before OS defenses activate. With firmware attacks on the rise and patching requiring vendor-supplied updates, immediate action is crucial to prevent stealthy, undetectable attacks across numerous deployed systems.
Attack Path Analysis
The attacker physically attaches a malicious DMA-capable PCIe device to the target system before OS boot, exploiting a UEFI firmware flaw to gain unrestricted access to system memory. Without early hardware protections, the attacker escalates to kernel-level privileges by injecting or modifying code in RAM. They then position malware or modify bootloaders to achieve persistence and potentially move laterally to connected resources once the OS loads. The attacker establishes covert command and control, typically remaining undetected due to a lack of early security telemetry, and may exfiltrate sensitive data from system memory or harvest credentials. Finally, the attacker can disrupt system integrity, maintain persistence through firmware tampering, or enable additional malicious payloads, leading to significant business and confidentiality impacts.
Kill Chain Progression
Initial Compromise
Description
Attacker physically connects a rogue PCIe device and leverages a UEFI firmware vulnerability to perform a pre-boot DMA attack, gaining direct access to system memory before OS-level protections engage.
Related CVEs
CVE-2025-11901
CVSS 7
An uncontrolled resource consumption vulnerability in certain ASUS motherboards allows physical attackers to exploit DMA, potentially leading to unauthorized memory access.
Affected Products:
ASUS Motherboards – Intel B460, B560, B660, B760, H410, H510, H610, H470, Z590, Z690, Z790, W480, W680
Exploit Status:
no public exploit
CVE-2025-14302
CVSS 6.8
A vulnerability in GIGABYTE UEFI firmware prevents proper IOMMU initialization, exposing systems to early-boot DMA attacks.
Affected Products:
GIGABYTE Motherboards – Intel 600/700/800 series, AMD 600/800 series, TRX50
Exploit Status:
no public exploit
CVE-2025-14303
CVSS 7
MSI motherboards have a protection mechanism failure due to improper IOMMU configuration, allowing unauthenticated physical attackers to perform DMA attacks.
Affected Products:
MSI Motherboards – Specific models (refer to MSI advisories)
Exploit Status:
no public exploit
CVE-2025-14304
CVSS 7
ASRock motherboards have a protection mechanism failure due to improper IOMMU configuration, allowing unauthenticated physical attackers to perform DMA attacks.
Affected Products:
ASRock Motherboards – Specific models (refer to ASRock advisories)
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
Pre-OS Boot: System Firmware
Hardware Additions
Rootkit
Valid Accounts
Modify Authentication Process: Domain Controller Authentication
Firmware Corruption
Direct Volume Access
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS v4.0 – Restrict Physical Access to Devices
Control ID: 7.2.4
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT System Security
Control ID: Art. 9(2)
CISA Zero Trust Maturity Model 2.0 – Enforce Device Integrity Checks
Control ID: Device Pillar - Asset Security
NIS2 Directive – Technical and Organizational Measures
Control ID: Article 21(2)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Hardware
UEFI firmware vulnerabilities in ASUS, Gigabyte, MSI, ASRock motherboards enable pre-boot DMA attacks, compromising hardware integrity before OS-level protections activate.
Computer Games
Riot Games' Vanguard anti-cheat system blocks Valorant on vulnerable systems, preventing early cheat loading and maintaining competitive gaming integrity through kernel-level protection.
Computer/Network Security
Firmware-level DMA bypass attacks evade traditional security controls, requiring enhanced IOMMU configurations and zero-trust architectures for pre-boot system protection.
Entertainment/Movie Production
Gaming industry anti-cheat systems like Vanguard demonstrate vulnerability to early-boot exploits, impacting digital entertainment platform security and content protection mechanisms.
Sources
- New UEFI flaw enables pre-boot attacks on motherboards from Gigabyte, MSI, ASUS, ASRock: https://www.bleepingcomputer.com/news/security/new-uefi-flaw-enables-pre-boot-attacks-on-motherboards-from-gigabyte-msi-asus-asrock/
- Vulnerability in UEFI Firmware Modules Prevents IOMMU Initialization on Certain Motherboards: https://www.gigabyte.com/Support/Security/2338
- NVD - CVE-2025-11901: https://nvd.nist.gov/vuln/detail/CVE-2025-11901
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust controls such as microsegmentation, east-west traffic inspection, and egress policy enforcement would have limited post-exploitation movement, reduced unauthorized data access, and detected anomalous outbound behavior even if the initial firmware-based compromise bypassed early system protections. Network-based visibility and inline anomaly detection provide layered defense beyond host firmware flaws.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Network-level policies cannot prevent pre-boot physical DMA attacks, but distributed policy enforcement is positioned for immediate detection post-boot.
Control: Threat Detection & Anomaly Response
Mitigation: Post-boot, behavioral analytics and anomaly detection can identify signs of unauthorized privilege elevation or memory tampering.
Control: Zero Trust Segmentation
Mitigation: Least-privilege segmentation blocks unauthorized east-west traffic from compromised systems.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound policy and FQDN filtering block or alert on suspicious C2 attempts.
Control: Encrypted Traffic (HPE) & East-West Traffic Security
Mitigation: Data exfiltration is restricted or detected through traffic encryption, network monitoring, and anomaly detection.
Centralized monitoring detects unauthorized system/firmware changes impacting cloud workloads.
Impact at a Glance
Affected Business Functions
- System Security
- Data Integrity
- User Privacy
Estimated downtime: N/A
Estimated loss: N/A
Potential unauthorized access to system memory, leading to data breaches and system compromise.
Recommended Actions
Key Takeaways & Next Steps
- Immediately review and apply all vendor-issued UEFI firmware updates to impacted systems to remediate DMA vulnerabilities.
- Implement network-level Zero Trust Segmentation to limit workload lateral movement and enforce least-privilege access post-boot.
- Enable continuous threat detection and anomaly response for cloud and hybrid workloads to identify suspicious privilege changes or process behavior.
- Enforce egress filtering and outbound policy controls to disrupt potential malware command and control and data exfiltration attempts.
- Maintain centralized multicloud visibility and control to detect, respond to, and contain post-compromise activities across workloads.
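As an added example (not part of this advisory or of any vendor's tooling), a POSIX shell function that collects from the standard Linux sysfs/procfs paths what a defender needs to triage a host against these advisories: board vendor and model, UEFI/BIOS version, and whether the OS-side IOMMU is active. The optional root argument is an assumption added so the function can also run against a constructed directory tree.

```shell
#!/bin/sh
# Added example, not from the advisory: gather firmware/IOMMU triage data.
# Reads /sys/class/dmi/id/* and /sys/kernel/iommu_groups (standard Linux
# paths). ROOT (optional, assumed) prefixes those paths for offline testing.
firmware_dma_report() {
    root="${1:-}"
    dmi="$root/sys/class/dmi/id"
    vendor=$(cat "$dmi/board_vendor" 2>/dev/null || echo unknown)
    board=$(cat "$dmi/board_name" 2>/dev/null || echo unknown)
    bios=$(cat "$dmi/bios_version" 2>/dev/null || echo unknown)
    # One subdirectory per IOMMU group; zero means the OS is not using the IOMMU.
    groups=0
    for g in "$root"/sys/kernel/iommu_groups/*; do
        [ -e "$g" ] && groups=$((groups + 1))
    done
    cmdline=$(cat "$root/proc/cmdline" 2>/dev/null || echo "")
    # The four vendors named in the advisory, as they appear in DMI strings.
    case "$vendor" in
        *ASUS*|*Gigabyte*|*GIGABYTE*|*Micro-Star*|*ASRock*) scope="in-scope-vendor" ;;
        *) scope="other-vendor" ;;
    esac
    if [ "$groups" -gt 0 ]; then iommu="active"; else iommu="inactive"; fi
    # Kernel parameters that switch the IOMMU off regardless of firmware.
    case "$cmdline" in
        *iommu=off*|*intel_iommu=off*|*amd_iommu=off*) iommu="disabled-by-cmdline" ;;
    esac
    printf 'vendor=%s board=%s bios=%s scope=%s os_iommu=%s groups=%s\n' \
        "$vendor" "$board" "$bios" "$scope" "$iommu" "$groups"
}
```

An active OS-side IOMMU does not close the pre-boot window these CVEs describe; only the BIOS version compared against the vendor advisory does, so the vendor, board and bios fields are the ones to act on.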