Friday, 20 March 2026

Black Hat USA 2025 | Booting into Breaches: Hunting Windows SecureBoot's Remote Attack Surfaces

SecureBoot, designed to protect against firmware-level tampering, has long been dismissed as a "local-only" attack surface. This research shatters that assumption, exposing systemic flaws that enable remote exploitation of SecureBoot, culminating in pre-auth RCE on fully patched systems. With 31 CVEs discovered and fixed in Microsoft's SecureBoot implementation, we reveal how attackers can weaponize bootloader components (network stacks, BCD registries, filesystems) to bypass critical security guarantees. We dissect novel attack surfaces in Windows' UEFI environment, including an overlooked network protocol parser and a single 100-line BCD registry function harboring 6 vulnerabilities. Our custom debugging and fuzzing frameworks make vulnerability hunting in the UEFI environment more efficient. Beyond the bootloader, we demonstrate how kernel and userland components inherit these weaknesses, including an RCE demo on a SecureBoot-enforced Hyper-V host. By chaining logical flaws in SecureBoot's trust model, we illustrate how attackers can pivot from firmware to OS-level control without physical access. We conclude with actionable mitigations and a critical call to re-evaluate firmware security paradigms in an era where remote exploitation nullifies the "local access" defense.

By: Jietao Yang | Security Researcher, Cyber Kunlun Lab

Presentation Materials Available at: https://ift.tt/z6oEmWw

source https://www.youtube.com/watch?v=p4EXzE0dvWE
