Critical UEFI Flaw Bypasses All Early-Boot Protections
Researchers have uncovered a vulnerability in the UEFI firmware implementations used on motherboards from several major manufacturers, including ASUS, Gigabyte, MSI, and ASRock. The flaw affects the earliest stage of system boot and enables attacks based on direct memory access, bypassing security mechanisms that are meant to operate before the operating system even begins to load.
The vulnerability has been assigned multiple identifiers—CVE-2025-11901, CVE-2025-14302, CVE-2025-14303, and CVE-2025-14304. This fragmentation reflects differences in how individual vendors implemented the same underlying logic in their firmware. At the core of the issue lies improper initialization of the IOMMU, a hardware mechanism responsible for regulating peripheral devices’ access to system memory.
DMA, or direct memory access, is a standard hardware capability that allows graphics cards, PCIe devices, and interfaces such as Thunderbolt to read from and write to RAM directly, without burdening the CPU. To prevent this capability from becoming a universal attack vector, an IOMMU acts as a kind of hardware firewall between devices and memory, defining which memory regions each component may access. Crucially, this protection must be enabled at the very earliest moment of system startup; otherwise, a physically connected device can gain unrestricted control over RAM.
This is precisely where the vulnerability emerges. The research revealed that on certain systems, UEFI reports DMA protection as enabled even though the IOMMU has not actually been initialized correctly. The result is a false sense of security, while system memory remains fully exposed to reading and modification.
The issue was discovered by Riot Games researchers Nick Peterson and Mohamed Al-Sharifi. They responsibly disclosed their findings and worked in coordination with CERT Taiwan to manage communication with hardware vendors. According to the researchers, the moment a computer powers on is the most privileged phase of system operation: during this window, the machine has unrestricted access to all components and is not yet governed by any operating system. Protective mechanisms only begin to appear after firmware initialization, with the OS loading near the very end of the process.
On vulnerable configurations, the problem is not merely theoretical. Some Riot Games titles, including Valorant, may refuse to launch altogether. This behavior is tied to the Vanguard anti-cheat system, which operates at the kernel level and assumes that no third-party code can establish itself beforehand. If a malicious module loads before protections are activated, it can conceal itself and evade detection—an unacceptable risk from the developer’s perspective.
Although the research was presented through the lens of the gaming industry, the real-world implications extend far beyond it. DMA-based attacks can be used to implant malware, compromise the operating system, or manipulate data before any security controls come into effect. Exploitation requires physical access: an attacker must connect a malicious PCIe device before the boot process completes. Within this brief window, memory can be read or altered without restriction.
An advisory from the CERT Coordination Center at Carnegie Mellon University emphasizes that the firmware formally claims protection is active, yet fails to complete IOMMU configuration at the critical handoff stage. As a result, operating-system-level security tools are rendered powerless—users receive no warnings, permission prompts, or alerts.
CERT/CC has confirmed that the vulnerability affects specific motherboard models from ASRock, ASUS, Gigabyte, and MSI, and it cannot be ruled out that similar logic exists in products from other vendors. Detailed device lists have been published in security advisories, along with corresponding firmware updates. Users are strongly advised to check for available patches and to back up important data before applying them.
Riot Games, for its part, has updated Vanguard so that Valorant now blocks execution on systems where the flaw is detected, displaying a notification explaining the cause. This mechanism, labeled VAN:Restriction, signals that system integrity cannot be guaranteed due to disabled or malfunctioning protections. In essence, the game refuses to trust a computer that may have been compromised before the operating system even loads.
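An inventory check to support the patching advice above, as an added example that is not from the researchers, CERT/CC or any vendor: it collects the board vendor and firmware version needed for an advisory lookup, plus what the firmware and kernel report about the IOMMU after boot. It assumes a Linux host with the standard sysfs paths and treats the Intel VT-d DMAR opt-in flag as one firmware-declared signal (AMD systems have no DMAR table); the function names are hypothetical. A healthy post-boot reading does not show that the IOMMU was configured during the firmware handoff, so the firmware version compared against the vendor advisory is what decides.

```python
from pathlib import Path

# Vendors named in the article, keyed by substrings of typical DMI board_vendor strings.
NAMED_VENDORS = {"asus": "ASUS", "gigabyte": "Gigabyte",
                 "micro-star": "MSI", "msi": "MSI", "asrock": "ASRock"}

def read_text(path):
    """Return stripped file contents, or None if missing or unreadable."""
    try:
        return path.read_text(errors="replace").strip()
    except OSError:
        return None

def dmar_opt_in(table):
    """Intel VT-d only: True if the ACPI DMAR table sets
    DMA_CTRL_PLATFORM_OPT_IN_FLAG (bit 2 of the flags byte at offset 37).
    None means no usable DMAR table (AMD platform, no root, or truncated)."""
    if table is None or len(table) < 38 or table[:4] != b"DMAR":
        return None
    return bool(table[37] & 0x04)

def triage(root="/sys"):
    """Collect firmware identity and post-boot IOMMU state (assumed Linux sysfs layout)."""
    root = Path(root)
    dmi = root / "class/dmi/id"
    info = {k: read_text(dmi / k)
            for k in ("board_vendor", "board_name", "bios_version", "bios_date")}
    vendor = (info["board_vendor"] or "").lower()
    info["named_vendor"] = next((v for k, v in NAMED_VENDORS.items() if k in vendor), None)
    # Populated groups mean the kernel enabled an IOMMU; this says nothing about pre-boot.
    groups = root / "kernel/iommu_groups"
    info["iommu_groups"] = (sum(1 for p in groups.iterdir() if p.is_dir())
                            if groups.is_dir() else 0)
    try:
        raw = (root / "firmware/acpi/tables/DMAR").read_bytes()  # needs root on a real host
    except OSError:
        raw = None
    info["dmar_opt_in"] = dmar_opt_in(raw)
    info["action"] = ("compare bios_version with the vendor advisory and update firmware"
                      if info["named_vendor"]
                      else "vendor not named in the article; still check for firmware advisories")
    return info

if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```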