ESET researchers have identified a critical vulnerability that directly compromises UEFI Secure Boot. This flaw permits the execution of untrusted code during system startup, potentially enabling attackers to deploy malicious UEFI bootkits, such as Bootkitty or BlackLotus, even when Secure Boot is active.
The vulnerability originates from a custom PE (Portable Executable) loader (reloader.efi) used in certain UEFI applications that are loaded from disk. Instead of calling the standard UEFI LoadImage and StartImage services, which is where Secure Boot signature verification takes place, the loader parses and executes the image itself. As a result, any UEFI binary, including an unsigned one, can be loaded from a specially crafted file named "cloak.dat" during system boot, irrespective of Secure Boot status.
The affected UEFI applications are part of several real-time system recovery software suites developed by companies including Howyar Technologies Inc., Greenware Technologies, Radix Technologies Ltd., SANFONG Inc., Wasay Software Technology Inc., Computer Education System Inc., and Signal Computer GmbH.
Microsoft revoked the vulnerable versions of the reloader.efi binary by adding them to the UEFI dbx (forbidden signatures) database in its January 14, 2025 patch update. Users are strongly advised to apply the update promptly so that a Secure Boot firmware refuses to run the revoked loader.
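As an added, defender-side illustration (not ESET's tooling and not part of the original article): a small Python triage script that walks a mounted EFI System Partition, flags the two filenames the advisory names (reloader.efi and cloak.dat), and reports PE images whose header carries no Authenticode certificate table, the kind of unsigned payload the custom loader would accept. Filename matches are only a heuristic and the authoritative remediation is the applied dbx update; the mount path passed to scan_esp and the make_pe test fixture are assumptions.

```python
import os
import struct
INDICATOR_NAMES = {"reloader.efi", "cloak.dat"}  # loader and container named in the advisory
SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: slot of the Authenticode certificate table

def pe_signed(data: bytes) -> "bool | None":
    """True/False if data is a PE image with/without a certificate table; None if not PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    try:
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        opt = e_lfanew + 24                  # optional header follows signature + COFF header
        (magic,) = struct.unpack_from("<H", data, opt)
        if magic == 0x10B:                   # PE32
            n_off, dir_off = opt + 92, opt + 96
        elif magic == 0x20B:                 # PE32+
            n_off, dir_off = opt + 108, opt + 112
        else:
            return None
        (n_dirs,) = struct.unpack_from("<I", data, n_off)
        if n_dirs <= SECURITY_DIR:           # header declares no certificate slot at all
            return False
        cert_off, cert_len = struct.unpack_from("<II", data, dir_off + 8 * SECURITY_DIR)
    except struct.error:                     # truncated header
        return None
    return bool(cert_off and cert_len)

def scan_esp(root: str) -> "list[str]":
    """Walk a mounted ESP (assumed path); report indicator names and unsigned PE images."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() in INDICATOR_NAMES:
                findings.append(f"indicator filename: {path}")
            with open(path, "rb") as fh:
                signed = pe_signed(fh.read())
            if signed is False:
                findings.append(f"unsigned PE image: {path}")
    return findings

def make_pe(signed: bool) -> bytes:  # constructed minimal PE32+ header, for offline testing only
    opt = struct.pack("<H", 0x20B) + bytes(106) + struct.pack("<I", 16)  # NumberOfRvaAndSizes
    dirs = bytearray(16 * 8)
    if signed:
        struct.pack_into("<II", dirs, 8 * SECURITY_DIR, 0x400, 0x200)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt) + len(dirs), 0)
    return b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt + bytes(dirs)
```

Run scan_esp("/boot/efi") (or wherever the ESP is mounted) and review every finding by hand; a signed loader that is itself on the dbx list is still revoked, so the script complements, rather than replaces, checking that the January 2025 dbx update is applied.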
Reference: CVE-2024-7344