Eclypsium Researchers Find UEFI Weakness in Framework Laptops and Desktops

Pooja Tikekar (@PoojaTikekar) •
October 15, 2025    

When 'Secure Boot' Doesn't Mean 'Secure'

Roughly 200,000 laptops and desktops made by modular sensation Framework contain a firmware vulnerability allowing attackers to disable Secure Boot and run unsigned code, say security researchers.


Framework over roughly two decades has established itself as a darling of computer enthusiasts who want to design, repair and extend their laptops. But like practically every other manufacturer, it relies on the Unified Extensible Firmware Interface firmware standard for hardware initialization before the Windows or Linux operating system kicks in.

Secure Boot treats all Microsoft-signed binaries as trusted, so such components can execute on systems from any original equipment manufacturer or independent BIOS vendor. “This trust model works beautifully – until it doesn’t,” wrote researchers at hardware security firm Eclypsium.

When they probed UEFI shells distributed by Framework for some laptop models, they found what amounts to a backdoor embedded in them. Specifically, the shells accept the “memory modify” diagnostic command, mm, which provides direct read and write access to system memory.

Memory modify can be a legitimate diagnostic tool, but when bundled into UEFI shells without the owner’s knowledge, the effect is that systems that appear to have a secure boot process “in reality, do not.”

Researchers exploited the mm command to neutralize a global variable called gSecurity2, which points to the security architectural protocol that validates signatures during the UEFI load sequence. By setting the pointer to null, they disabled signature validation and loaded arbitrary payloads, all while the system continued to report Secure Boot as active.

Framework has acknowledged the issue and is rolling out emergency updates. These include removing the memory modify command, mm, from future shell versions and revoking the certificate for the UEFI shells in question.
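Revoking a signed shell only helps if the revocation actually reaches the machine’s forbidden-signature database (dbx). The script below is an added example, not code from Eclypsium or Framework: it parses the UEFI dbx variable on a Linux host, checks whether a given image hash or certificate is listed, and reads the firmware-reported SecureBoot flag. The dbx blob embedded in it is constructed for the demonstration, the certificate bytes are placeholders, and the actual hashes of the affected Framework shells are not on this page; the GUIDs and structure layouts are from the UEFI specification.

```python
"""Check a UEFI dbx (forbidden signatures) blob for revoked hashes and certificates.

Added example; not Eclypsium's or Framework's code. Assumes a Linux host that
exposes UEFI variables under /sys/firmware/efi/efivars (reading may need root).
The sample dbx below is constructed for the demo.
"""
import struct
import uuid
from pathlib import Path

# GUIDs and layouts from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"        # SecureBoot
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"  # db / dbx
EFIVARS = Path("/sys/firmware/efi/efivars")
SIG_LIST_HDR = struct.Struct("<III")  # SignatureListSize, SignatureHeaderSize, SignatureSize


def parse_signature_lists(blob: bytes):
    """Walk concatenated EFI_SIGNATURE_LIST structures.

    Per list: SignatureType GUID (16) | SignatureListSize (4) | SignatureHeaderSize (4)
    | SignatureSize (4) | header | entries; each entry is SignatureOwner GUID (16)
    followed by SignatureData. Returns (signature_type, owner, data) tuples.
    """
    entries = []
    off = 0
    while off < len(blob):
        if off + 28 > len(blob):
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = SIG_LIST_HDR.unpack_from(blob, off + 16)
        end = off + list_size
        # Reject sizes that would run past the blob or make the loop stall.
        if list_size < 28 + hdr_size or end > len(blob) or sig_size < 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        pos = off + 28 + hdr_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries


def is_hash_revoked(blob: bytes, digest: bytes) -> bool:
    """digest is the 32-byte Authenticode (PE image) SHA-256 that Secure Boot computes,
    which is not the SHA-256 of the raw file on disk."""
    return any(t == EFI_CERT_SHA256_GUID and d == digest for t, _, d in parse_signature_lists(blob))


def is_cert_revoked(blob: bytes, cert_der: bytes) -> bool:
    return any(t == EFI_CERT_X509_GUID and d == cert_der for t, _, d in parse_signature_lists(blob))


def read_efivar(name: str, guid: str):
    """Return the variable payload with the 4-byte attribute prefix stripped, or None."""
    path = EFIVARS / f"{name}-{guid}"
    try:
        return path.read_bytes()[4:]
    except OSError:  # missing variable, non-UEFI boot, or no permission
        return None


def secure_boot_enabled():
    """Firmware-reported state only: it says nothing about whether validation still runs."""
    payload = read_efivar("SecureBoot", EFI_GLOBAL_VARIABLE_GUID)
    return None if payload is None else payload[:1] == b"\x01"


def build_signature_list(sig_type, owner, signatures):
    """Build one EFI_SIGNATURE_LIST (only used here to construct the sample dbx)."""
    sig_size = 16 + len(signatures[0])
    if any(len(s) != sig_size - 16 for s in signatures):
        raise ValueError("all signatures in one list must share a size")
    body = b"".join(owner.bytes_le + s for s in signatures)
    return sig_type.bytes_le + SIG_LIST_HDR.pack(28 + len(body), 0, sig_size) + body


# Constructed sample: two revoked image hashes and one revoked certificate (placeholder bytes).
OWNER = uuid.UUID(int=0)
REVOKED_HASH_A = bytes.fromhex("aa" * 32)
REVOKED_HASH_B = bytes.fromhex("bb" * 32)
PLACEHOLDER_CERT = b"\x30\x82" + b"\x00" * 30  # not a real DER certificate
SAMPLE_DBX = (build_signature_list(EFI_CERT_SHA256_GUID, OWNER, [REVOKED_HASH_A, REVOKED_HASH_B])
              + build_signature_list(EFI_CERT_X509_GUID, OWNER, [PLACEHOLDER_CERT]))


def load_dbx() -> bytes:
    """Prefer the host's real dbx; fall back to the constructed sample."""
    return read_efivar("dbx", EFI_IMAGE_SECURITY_DATABASE_GUID) or SAMPLE_DBX


if __name__ == "__main__":
    blob = load_dbx()
    print("SecureBoot flag:", secure_boot_enabled())
    print("dbx entries:", len(parse_signature_lists(blob)))
    print("sample hash A revoked:", is_hash_revoked(blob, REVOKED_HASH_A))
```

Two caveats follow from the article itself. The SecureBoot flag is read straight from a firmware variable, so it is exactly the indicator that kept reporting “active” after gSecurity2 was nulled; a positive dbx check for the affected shells’ hashes or certificates is the stronger evidence that the fix has landed. And dbx SHA-256 entries are Authenticode image hashes, so comparing against a plain file checksum would miss a listed binary.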

“Those that continue to operate under the assumption that ‘signed equals safe’ may find themselves on the wrong side of a fundamental shift in the threat landscape,” Eclypsium asserted.

Boot-level vulnerabilities aren’t theoretical and have become more common over roughly the past decade. Russian military intelligence hackers GRU Unit 26165 – commonly tracked as APT28, Forest Blizzard and Fancy Bear – in 2017 used a UEFI rootkit dubbed LoJax by Eset against government agencies in the Balkans and Central and Eastern Europe.

Eset in September said it spotted samples of malware uploaded to VirusTotal that could allow attackers to bypass UEFI Secure Boot and install a malicious bootloader. It christened the malware HybridPetya because of similarities with NotPetya (see: HybridPetya Crypto-Locker Outsmarts UEFI Secure Boot).

HybridPetya doesn’t appear to have been deployed in the wild, but the fact it exists at all suggests that hackers are gravitating to UEFI, Eclypsium said. “This ability to persist below the operating system while maintaining the facade of a ‘secure’ boot process marks a dangerous escalation in attacker sophistication.”