
UEFI Security Flaw Compromises Boot Process in ASRock, ASUS, GIGABYTE, and MSI Motherboards

  • Dec 19, 2025

Key Findings


  • A fundamental vulnerability in the UEFI firmware implementations of certain motherboards from ASRock, ASUS, GIGABYTE, and MSI allows attackers with physical access to bypass operating system security controls.

  • The flaw, tracked as CVE-2025-14304, CVE-2025-11901, CVE-2025-14302, and CVE-2025-14303, stems from a discrepancy between what the firmware reports and what it actually does when enabling the Input-Output Memory Management Unit (IOMMU).

  • Despite indicating that DMA protection is active, the vulnerable UEFI implementations fail to correctly initialize the IOMMU, creating a window of opportunity for a malicious PCIe device to access and manipulate system memory before the operating system and its security features are loaded.

  • The vulnerabilities affect a wide range of motherboard models from ASRock, ASUS, GIGABYTE, and MSI that use various Intel and AMD chipsets, with CVSS scores of 7.0 for each flaw.

  • Successful exploitation could allow attackers to read sensitive data from memory or inject malicious code, undermining the integrity of the boot process and evading OS-level security controls.


Background


Modern computers rely on the IOMMU, a hardware component, to act as a gatekeeper and prevent peripheral devices from accessing sensitive parts of the system memory without permission. This is a critical security feature that helps protect against direct memory access (DMA) attacks, where a malicious device could potentially read or modify system memory.


However, the newly discovered vulnerability reveals a dangerous discrepancy between what the system reports and what it actually does. Although the firmware indicates that DMA protection is active, it fails to correctly initialize the IOMMU during the "early-boot" phase, leaving the system vulnerable to DMA-based attacks.


Vulnerable Devices


The specific motherboard models affected by this vulnerability are:


  • ASRock, ASRockRack, and ASRockInd motherboards using Intel 500, 600, 700, and 800 series chipsets (CVE-2025-14304)

  • ASUS motherboards using Intel Z490, W480, B460, H410, Z590, B560, H510, Z690, B660, W680, Z790, B760, and W790 series chipsets (CVE-2025-11901)

  • GIGABYTE motherboards using Intel Z890, W880, Q870, B860, H810, Z790, B760, Z690, Q670, B660, H610, W790 series chipsets, and AMD X870E, X870, B850, B840, X670, B650, A620, A620A, and TRX50 series chipsets (CVE-2025-14302)

  • MSI motherboards using Intel 600 and 700 series chipsets (CVE-2025-14303)


Exploitation and Impact


During the vulnerable "early-boot" phase, an attacker with physical access to the system can use a malicious PCIe device to bypass the IOMMU protections and read or modify system memory. This allows attackers to access sensitive data or inject malicious code, effectively undermining the integrity of the boot process and evading operating system-level security controls.


The implications of this vulnerability are particularly severe in environments where physical security cannot be guaranteed, such as public-facing systems or shared infrastructure. Attackers with physical access to the machine can exploit this flaw to inject code before the operating system boots and compromise the system at a level that is invisible to antivirus software or OS-level security measures.


Vendor Response and Mitigation


The vendors affected by this vulnerability have released or are in the process of releasing firmware updates to address the IOMMU initialization issue and enforce DMA protections throughout the boot process.


Administrators are urged to monitor the Vendor Information section for newly published advisories and updated firmware packages, and to apply the patches as soon as they become available. For organizations with high-security requirements, prompt patching and adherence to hardware security best practices are especially important to mitigate the risk of pre-boot DMA attacks.


Sources


  • https://securityonline.info/early-boot-attack-uefi-flaw-in-asrock-asus-msi-boards-lets-hackers-bypass-os-security-via-pcie/

  • https://thehackernews.com/2025/12/new-uefi-flaw-enables-early-boot-dma.html

  • https://x.com/the_yellow_fall/status/2001831105910145307

© 2025 by Explain IT Again. Powered and secured by Wix
