CVE-2025-7028

A vulnerability in the Software SMI handler (SwSmiInputValue 0x20) allows a local attacker to supply a crafted pointer (FuncBlock) through RBX and RCX register values. This pointer is passed unchecked into multiple flash management functions (ReadFlash, WriteFlash, EraseFlash, and GetFlashInfo) that dereference both the structure and its nested members, such as BufAddr. This enables arbitrary read/write access to System Management RAM (SMRAM), allowing an attacker to corrupt firmware memory, exfiltrate SMRAM content via flash, or install persistent implants.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://kb.cert.org/vuls/id/746790
https://www.binarly.io/advisories/brly-dva-2025-010
https://www.gigabyte.com/Support/Security
https://www.kb.cert.org/vuls/id/746790

Configurations

No configuration.

History

03 Nov 2025, 20:19

Type	Values Removed	Values Added
References		() https://www.kb.cert.org/vuls/id/746790 -

15 Jul 2025, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-11 16:15

Updated : 2025-11-03 20:19

NVD link : CVE-2025-7028

Mitre link : CVE-2025-7028

CVE.ORG link : CVE-2025-7028

JSON object : View

Products Affected

No product.

CWE

No CWE.

{"id": "CVE-2025-7028", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2025-07-11T16:15:27.143", "references": [{"url": "https://kb.cert.org/vuls/id/746790", "source": "cret@cert.org"}, {"url": "https://www.binarly.io/advisories/brly-dva-2025-010", "source": "cret@cert.org"}, {"url": "https://www.gigabyte.com/Support/Security", "source": "cret@cert.org"}, {"url": "https://www.kb.cert.org/vuls/id/746790", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "A vulnerability in the Software SMI handler (SwSmiInputValue 0x20) allows a local attacker to supply a crafted pointer (FuncBlock) through RBX and RCX register values. This pointer is passed unchecked into multiple flash management functions (ReadFlash, WriteFlash, EraseFlash, and GetFlashInfo) that dereference both the structure and its nested members, such as BufAddr. This enables arbitrary read/write access to System Management RAM (SMRAM), allowing an attacker to corrupt firmware memory, exfiltrate SMRAM content via flash, or install persistent implants."}, {"lang": "es", "value": "Una vulnerabilidad en el controlador Software SMI (SwSmiInputValue 0x20) permite a un atacante local proporcionar un puntero manipulado (FuncBlock) a trav\u00e9s de los valores de los registros RBX y RCX. Este puntero se pasa sin control a m\u00faltiples funciones de gesti\u00f3n de memoria flash (ReadFlash, WriteFlash, EraseFlash y GetFlashInfo) que desreferencian tanto la estructura como sus miembros anidados, como BufAddr. Esto permite acceso arbitrario de lectura/escritura a la RAM de gesti\u00f3n del sistema (SMRAM), lo que permite a un atacante corromper la memoria del firmware, extraer contenido de la SMRAM a trav\u00e9s de la memoria flash o instalar implantes persistentes."}], "lastModified": "2025-11-03T20:19:20.407", "sourceIdentifier": "cret@cert.org"}