Critical UEFI Vulnerability Exposes ASRock, ASUS, GIGABYTE, and MSI Motherboards to Early-Boot DMA Attacks
A significant security vulnerability has been identified in certain motherboard models from leading manufacturers such as ASRock, ASUSTeK Computer, GIGABYTE, and MSI. This flaw renders systems susceptible to early-boot direct memory access (DMA) attacks, particularly affecting architectures that implement the Unified Extensible Firmware Interface (UEFI) and input–output memory management unit (IOMMU).
Understanding UEFI and IOMMU:
UEFI serves as the modern firmware interface between a computer’s operating system and its hardware, replacing the older BIOS system. It initializes hardware components and launches the operating system during the boot process. IOMMU, on the other hand, is a memory management unit that connects the I/O bus to the main memory, providing protection against unauthorized memory access by peripheral devices. Together, UEFI and IOMMU are designed to establish a secure foundation, preventing peripherals from performing unauthorized memory accesses and ensuring that DMA-capable devices cannot manipulate or inspect system memory before the operating system is loaded.
The Vulnerability Explained:
Discovered by security researchers Nick Peterson and Mohamed Al-Sharifi of Riot Games, the vulnerability lies in certain UEFI implementations where there is a discrepancy in the DMA protection status. Specifically, while the firmware indicates that DMA protection is active, it fails to properly configure and enable the IOMMU during the critical boot phase. This oversight creates a window of opportunity for malicious DMA-capable Peripheral Component Interconnect Express (PCIe) devices with physical access to read or modify system memory before operating system-level safeguards are established.
The CERT Coordination Center (CERT/CC) highlighted the severity of this issue, stating that attackers could potentially access sensitive data in memory or influence the initial state of the system, thereby undermining the integrity of the boot process.
Potential Impact:
Exploitation of this vulnerability could allow a physically present attacker to inject malicious code during the pre-boot phase on affected systems running unpatched firmware. This means that an attacker could access or alter system memory via DMA transactions long before the operating system kernel and its security features are loaded, effectively bypassing critical security mechanisms.
Affected Systems and CVE Details:
The vulnerabilities that enable a bypass of early-boot memory protection have been cataloged as follows:
– CVE-2025-14304 (CVSS score: 7.0): This protection mechanism failure affects ASRock, ASRock Rack, and ASRock Industrial motherboards utilizing Intel 500, 600, 700, and 800 series chipsets.
– CVE-2025-11901 (CVSS score: 7.0): This vulnerability impacts ASUS motherboards equipped with Intel Z490, W480, B460, H410, Z590, B560, H510, Z690, B660, W680, Z790, B760, and W790 series chipsets.
– CVE-2025-14302 (CVSS score: 7.0): GIGABYTE motherboards using Intel Z890, W880, Q870, B860, H810, Z790, B760, Z690, Q670, B660, H610, W790 series chipsets, as well as AMD X870E, X870, B850, B840, X670, B650, A620, A620A, and TRX50 series chipsets, are affected. Notably, a fix for the TRX50 series is planned for the first quarter of 2026.
– CVE-2025-14303 (CVSS score: 7.0): This flaw affects MSI motherboards that incorporate Intel 600 and 700 series chipsets.
Mitigation and Recommendations:
In response to these vulnerabilities, the affected vendors have begun releasing firmware updates aimed at correcting the IOMMU initialization sequence and enforcing DMA protections throughout the boot process. It is imperative for end users and system administrators to apply these updates promptly to safeguard against potential threats.
CERT/CC emphasizes the importance of timely patching, especially in environments where physical access cannot be fully controlled or relied upon. They note that the IOMMU plays a foundational role in isolation and trust delegation in virtualized and cloud environments, underscoring the critical nature of ensuring correct firmware configuration even on systems not typically used in data centers.
Broader Implications:
This vulnerability highlights the ongoing challenges in securing the boot process of modern computing systems. The ability for an attacker to exploit such a flaw underscores the necessity for continuous vigilance and proactive measures in firmware security. As hardware becomes increasingly complex, ensuring the integrity of the boot process remains a cornerstone of system security.
Conclusion:
The discovery of this UEFI vulnerability serves as a critical reminder of the importance of firmware security in protecting system integrity. Users and administrators are urged to stay informed about firmware updates from their hardware vendors and to implement them without delay. By doing so, they can mitigate the risks associated with early-boot DMA attacks and maintain the security of their systems.
