In recent years, a series of critical security lapses within the firmware supply chain have exposed millions of devices to pre-operating system (pre-OS) threats, undermining foundational computer security. Between 2022 and 2025, incidents involving leaked cryptographic keys and mismanagement of signing certificates have enabled attackers to bypass UEFI Secure Boot and other firmware protection mechanisms, gaining control of systems before the operating system loads.
Recurring Supply Chain Failures
The period from 2022 to 2025 has been marked by several significant security incidents:
– Expired Certificates in Intel’s Platform Properties Assessment Module (PPAM): The use of expired certificates in Intel’s PPAM has raised concerns about the integrity of firmware validation processes.
– Data Breaches Exposing Boot Guard Private Keys: Major data breaches have led to the exposure of Boot Guard private keys from manufacturers such as Lenovo, Supermicro, MSI, and Clevo. These breaches have compromised the security of numerous devices, allowing unauthorized firmware modifications.
– Deployment of Test Keys in Production Environments: The widespread use of test keys in production firmware has created vulnerabilities that attackers can exploit to bypass security mechanisms.
These incidents highlight systemic failures in cryptographic key management across the UEFI ecosystem. Firmware-level compromises are particularly severe because they can survive operating system reinstallations and remain undetected by conventional security tools, providing persistent access for sophisticated threat actors.
The PKfail Epidemic
One of the most widespread issues was the PKfail vulnerability discovered in 2024, affecting approximately 10% of all firmware images analyzed by security researchers. This vulnerability stemmed from the inclusion of test Platform Keys (PKs) in production firmware, including keys clearly labeled with warnings such as DO NOT TRUST – AMI Test PK.
The severity of this issue is highlighted by an excerpt from one such certificate found in production firmware:
```
Version 3 (0x2)
Serial Number:
    55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=DO NOT TRUST - AMI Test PK
Validity
    Not Before: Nov  8 23:32:53 2017 GMT
    Not After : Nov  8 23:32:52 2021 GMT
```
The problem extended beyond AMI-based devices, with similar test keys discovered across multiple manufacturers’ products. Analysis of firmware images across different years revealed a troubling trend: the percentage of affected devices was steadily increasing until the public disclosure in July 2024, after which it experienced a sharp decline.
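The practical check a defender wants here is whether the Platform Key a machine actually enrolled is one of these test keys. The following is an added example, not code from the article or from the PKfail researchers: it parses the PK variable as a chain of EFI_SIGNATURE_LIST structures (the on-disk layout Linux exposes under efivarfs, with its 4-byte attribute prefix), pulls the name strings out of each DER entry with a minimal ASN.1 walker, and flags any certificate whose names carry a test-key marker. The marker list, the sample blobs and the `_fake_cert` stand-in (a DER SEQUENCE holding an X.501 Name, not a real certificate) are constructed for this example; the GUIDs are the standard UEFI values.

```python
import struct
import uuid

# EFI_CERT_X509_GUID: signature type for DER certificates in an EFI_SIGNATURE_LIST (UEFI spec).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Subject markers used by vendor test keys; finding one in a shipped PK is the PKfail condition.
UNTRUSTED_MARKERS = ("DO NOT TRUST", "DO NOT SHIP", "Test PK")


def parse_signature_lists(blob, efivarfs=True):
    """Walk a chain of EFI_SIGNATURE_LISTs and return (type_guid, owner_guid, data) per entry.

    efivarfs files (/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c)
    begin with a 4-byte attribute word; pass efivarfs=False for a raw variable dump.
    """
    off = 4 if efivarfs else 0
    entries = []
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=bytes(blob[off:off + 16]))
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize")
        body = blob[off + 28 + hdr_size:off + list_size]
        if sig_size <= 16 or len(body) % sig_size:
            raise ValueError("bad SignatureSize")
        for i in range(0, len(body), sig_size):  # each entry: SignatureOwner GUID + SignatureData
            owner = uuid.UUID(bytes_le=bytes(body[i:i + 16]))
            entries.append((sig_type, owner, bytes(body[i + 16:i + sig_size])))
        off += list_size
    return entries


def _der_len(buf, off):
    """Decode a DER length at buf[off]; return (length, offset of the content)."""
    first = buf[off]
    if first < 0x80:
        return first, off + 1
    n = first & 0x7F
    return int.from_bytes(buf[off + 1:off + 1 + n], "big"), off + 1 + n


def der_strings(buf):
    """Collect every PrintableString/UTF8String/IA5String in a DER blob, recursing into
    constructed types; enough to surface issuer and subject CNs without a full X.509 parser."""
    out, off = [], 0
    while off < len(buf):
        tag = buf[off]
        length, start = _der_len(buf, off + 1)
        end = start + length
        if tag & 0x20:  # constructed (SEQUENCE, SET, explicit [n]) -> descend
            out.extend(der_strings(buf[start:end]))
        elif tag in (0x0C, 0x13, 0x16):
            out.append(buf[start:end].decode("utf-8", "replace"))
        off = end
    return out


def audit_pk(blob, efivarfs=True):
    """One finding per PK entry: names seen, whether a test-key marker is present, and why."""
    findings = []
    for sig_type, owner, data in parse_signature_lists(blob, efivarfs):
        if sig_type != EFI_CERT_X509_GUID:  # PK must hold X.509 entries only
            findings.append({"owner": str(owner), "names": [], "untrusted": True,
                             "reason": "unexpected signature type in PK"})
            continue
        names = der_strings(data)
        hits = [m for m in UNTRUSTED_MARKERS if any(m in n for n in names)]
        findings.append({"owner": str(owner), "names": names, "untrusted": bool(hits),
                         "reason": ", ".join(hits) or "no test-key marker"})
    return findings


def _tlv(tag, content):
    """Minimal DER TLV encoder, used only to construct the sample data below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _fake_cert(cn):
    """Constructed stand-in: SEQUENCE { Name { SET { SEQUENCE { OID 2.5.4.3, UTF8String cn } } } }.
    Not a valid certificate; it only exercises the Name-parsing path."""
    rdn = _tlv(0x30, bytes.fromhex("0603550403") + _tlv(0x0C, cn.encode()))
    return _tlv(0x30, _tlv(0x30, _tlv(0x31, rdn)))


def build_pk_variable(certs, owner=uuid.UUID(int=0)):
    """Constructed efivarfs-style PK blob: attribute word + one EFI_SIGNATURE_LIST per cert."""
    attrs = struct.pack("<I", 0x27)  # NV | BS | RT | TIME_BASED_AUTHENTICATED_WRITE_ACCESS
    lists = b""
    for cert in certs:
        sig_size = 16 + len(cert)
        lists += (EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + sig_size, 0, sig_size)
                  + owner.bytes_le + cert)
    return attrs + lists


# Constructed samples: the first mimics the AMI test PK quoted above, the second a vendor-owned key.
SAMPLE_TEST_PK = build_pk_variable([_fake_cert("DO NOT TRUST - AMI Test PK")])
SAMPLE_VENDOR_PK = build_pk_variable([_fake_cert("Example Vendor Platform Key 2023")])

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_TEST_PK
    for f in audit_pk(blob):
        print("UNTRUSTED" if f["untrusted"] else "ok", "|", f["reason"], "|", f["names"])
```

Run it with the path of the PK efivarfs file to audit a live Linux host, or with no argument to see the constructed test-key sample flagged. The string match is a heuristic: a production PK audit should also compare the certificate's hash against the published list of known test and leaked keys and check the validity window, since a vendor key reused across brands carries no warning text at all.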
Recent Vulnerabilities and Ongoing Risks
While progress has been made in addressing some issues, other serious vulnerabilities continue to emerge. For instance, researchers discovered a memory corruption vulnerability in a Microsoft-signed UEFI module (CVE-2025-3052), demonstrating that the ecosystem remains vulnerable to new threats.
Implications for the Industry
The interconnected nature of the firmware supply chain amplifies these security risks. When one vendor’s keys are compromised, the impact frequently extends beyond their own products to affect devices from multiple manufacturers. This cross-contamination effect was particularly evident in the aftermath of the MSI breach in 2023, where leaked keys affected devices from multiple brands.
Recommendations for Mitigation
To mitigate these risks, it is essential for manufacturers and stakeholders to:
– Implement Robust Key Management Practices: Ensure that cryptographic keys are securely generated, stored, and managed throughout their lifecycle.
– Regularly Audit and Update Firmware: Conduct regular audits of firmware to identify and address vulnerabilities promptly.
– Enhance Supply Chain Security: Strengthen security measures across the supply chain to prevent unauthorized access and data breaches.
– Educate and Train Personnel: Provide ongoing education and training for personnel involved in firmware development and management to stay abreast of emerging threats and best practices.
By addressing these areas, the industry can work towards a more secure firmware ecosystem, reducing the risk of pre-OS threats and enhancing overall cybersecurity.