CVE-2025-7027

A vulnerability in the Software SMI handler (SwSmiInputValue 0xB2) allows a local attacker to control both the read and write addresses used by the CommandRcx1 function. The write target is derived from an unvalidated UEFI NVRAM variable (SetupXtuBufferAddress), while the write content is read from an attacker-controlled pointer based on the RBX register. This dual-pointer dereference enables arbitrary memory writes within System Management RAM (SMRAM), leading to potential SMM privilege escalation and firmware compromise.

CVSS v3 8.2 HIGH

8.2^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.5 / Impact : 6.0

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://kb.cert.org/vuls/id/746790
https://www.binarly.io/advisories/brly-2025-009
https://www.gigabyte.com/Support/Security
https://www.kb.cert.org/vuls/id/746790

Configurations

No configuration.

History

03 Nov 2025, 20:19

Type	Values Removed	Values Added
References		() https://www.kb.cert.org/vuls/id/746790 -

15 Jul 2025, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-11 16:15

Updated : 2025-11-03 20:19

NVD link : CVE-2025-7027

Mitre link : CVE-2025-7027

CVE.ORG link : CVE-2025-7027

JSON object : View

Products Affected

No product.

CWE

No CWE.

8.2 /10