New UEFI Vulnerability Allows Pre-Boot Attacks on Motherboards

Recent findings have revealed a critical security flaw in the UEFI firmware implementation of certain motherboards from popular manufacturers like ASUS, Gigabyte, MSI, and ASRock. This vulnerability exposes these systems to direct memory access (DMA) attacks, which can circumvent early-boot memory protections.

Identified by multiple CVE numbers (CVE-2025-11901, CVE-2025‑14302, CVE-2025-14303, and CVE-2025-14304), the issue stems from variations in how each vendor has implemented their firmware.

DMA, a hardware feature that enables devices like graphics cards and Thunderbolt devices to access RAM directly without CPU involvement, poses a significant risk when exploited maliciously.

Understanding the Impact of IOMMU

One key defense mechanism against DMA attacks is the Input-Output Memory Management Unit (IOMMU), a hardware-enforced memory firewall that regulates which memory regions each device can access. During the early boot phase, when UEFI firmware initializes, IOMMU must activate to prevent DMA attacks from occurring.

However, if IOMMU fails to initialize correctly, there is a window of vulnerability where attackers can manipulate memory regions through physical access, bypassing any safeguards.

Valorant and System Vulnerability

Riot Games researchers Nick Peterson and Mohamed Al-Sharifi were the ones who discovered this critical UEFI vulnerability. They found that the firmware erroneously indicates that DMA protection is active, even when IOMMU has not initialized properly, leaving the system open to exploitation.

While the focus of the discovery was on the gaming industry, particularly on cheat detection in games like Valorant, the implications extend to potential attacks that could compromise the entire operating system.

On systems where the vulnerability exists, Riot Games’ Vanguard system, designed to prevent cheats in games, may prevent titles like Valorant from launching due to the compromised security.

Despite the initial focus on gaming, the vulnerability poses a broader security risk, allowing malicious code to compromise the entire operating system through a DMA attack.

Exploiting this vulnerability requires physical access, with a malicious PCIe device connected to execute a DMA attack before the OS boots. During this critical phase, the rogue device can freely read or manipulate RAM.

The Carnegie Mellon CERT Coordination Center (CERT/CC) highlighted the gap in security, where firmware incorrectly asserts the presence of DMA protections while failing to properly configure and enable IOMMU during the early boot sequence hand-off.

As a result, a malicious DMA-capable PCIe device could read or modify system memory before the OS implements any safeguards, leaving users unaware of the breach.

Widespread Impact and Mitigation

CERT/CC confirmed that the vulnerability affects select motherboard models from ASRock, ASUS, Gigabyte, and MSI, with the potential for other manufacturers to be impacted as well. Specific affected models are detailed in security bulletins and firmware updates from the respective vendors.

Users are strongly advised to check for available firmware updates and apply them promptly after backing up essential data to mitigate the risk posed by this vulnerability.

Riot Games has updated Vanguard to address the UEFI vulnerability, with the system now blocking Valorant from launching on vulnerable systems and providing users with guidance on resolving the security issue.

“Our VAN:Restriction system is Vanguard’s way of telling you we cannot guarantee system integrity due to the outlined disabled security features,” Riot Games researchers explain.

Conclusion

The discovery of this UEFI vulnerability underscores the importance of timely firmware updates and proactive security measures to safeguard systems against potential threats. By staying informed and taking necessary precautions, users can minimize the risk of exploitation and protect their devices from unauthorized access.