CYBER SYRUP
Delivering the sweetest insights on cybersecurity.

Motherboard Firmware Flaw Enables Early-Boot Attacks via Malicious PCIe Devices

Researchers have identified a vulnerability affecting motherboards from several major vendors that allows attackers with physical access to compromise systems during the earliest stages of boot. The flaw stems from incorrect UEFI firmware behavior that misrepresents the state of DMA protections before the operating system loads.

While exploitation requires hands-on access and specialized hardware, the issue undermines foundational trust assumptions in the boot process and highlights persistent risks in firmware-level security.

Context

Modern systems rely on UEFI firmware and the Input-Output Memory Management Unit (IOMMU) to protect system memory from unauthorized access by peripheral devices. These protections are especially critical during boot, when operating system defenses are not yet active.

Early-boot vulnerabilities are particularly serious because they operate below the OS level, allowing attackers to bypass endpoint security tools, disk encryption, and logging mechanisms.

What Happened

Carnegie Mellon University’s CERT Coordination Center (CERT/CC) disclosed that certain motherboards incorrectly signal that DMA protections are enabled during boot, even though the IOMMU is not yet fully configured.

Motherboard vendors ASRock, Asus, Gigabyte, and MSI have confirmed that some of their products are affected and have issued firmware updates. Other vendors, including AMD, Intel, AMI, Insyde, Phoenix Technologies, and Supermicro, have stated their products are not impacted. Several additional vendors remain under investigation.

Technical Breakdown

The vulnerability is classified as a protection mechanism failure within UEFI firmware.

During system startup, firmware reports that DMA protections are active. In reality, the IOMMU—which enforces those protections—is only initialized immediately before control is handed off to the operating system.

This gap creates a window where a malicious PCI Express (PCIe) device can perform direct memory access attacks. An attacker with physical access can connect a rogue PCIe device and read or manipulate system memory before OS-level safeguards engage.

Such access can enable pre-boot code injection, memory scraping, and manipulation of the system’s initial execution state.

Impact Analysis

Successful exploitation could allow attackers to:

  • Extract sensitive data from system memory

  • Inject malicious code before the OS loads

  • Undermine secure boot trust assumptions

  • Bypass disk encryption and endpoint protections

However, the requirement for physical access and specialized hardware significantly limits the attack surface in typical enterprise environments.

Why It Matters

Firmware vulnerabilities remain difficult to detect and mitigate, yet they form the root of system trust. Even rare, physical-access attacks are relevant in shared environments, supply-chain scenarios, and high-assurance systems.

CERT/CC also noted that IOMMU misconfigurations can have broader implications in virtualization and cloud contexts, where hardware isolation is foundational to security guarantees.

Expert Commentary

CERT/CC emphasized that environments where physical access cannot be strictly controlled should prioritize rapid firmware patching and hardware security best practices.

The advisory reinforces a recurring lesson: secure boot claims must match actual firmware behavior, not just configuration flags or status indicators.
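A host-side triage sketch for Linux, added here as an example and not taken from CERT/CC or any vendor: it classifies the board vendor against the lists reported above and prints the installed BIOS version next to the kernel's runtime IOMMU state. The DMI match patterns, the status labels and the optional sysroot argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: per-host triage for the early-boot DMA issue described above.
# Vendor lists come from the article; the DMI match patterns are assumptions.

# classify_vendor "<DMI board_vendor string>" -> status label (labels are hypothetical)
classify_vendor() {
    v=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$v" in
        *asrock*|*asus*|*gigabyte*|*micro-star*|*msi*)
            echo confirmed-affected ;;          # vendors that confirmed affected products
        *intel*|*supermicro*|*amd*|*"american megatrends"*|*insyde*|*phoenix*)
            echo vendor-states-not-impacted ;;  # vendors that stated they are not impacted
        *)
            echo unlisted ;;                    # may still be under investigation
    esac
}

# iommu_active [sysroot]: succeeds if the running kernel has populated IOMMU groups.
iommu_active() {
    [ -d "$1/sys/kernel/iommu_groups" ] &&
        [ -n "$(ls -A "$1/sys/kernel/iommu_groups" 2>/dev/null)" ]
}

# triage_host [sysroot]: prints one summary line for the host.
# sysroot is a hypothetical prefix so the function can be pointed at a copied tree.
triage_host() {
    root=${1:-}
    dmi="$root/sys/class/dmi/id"
    vendor=$(cat "$dmi/board_vendor" 2>/dev/null || echo unknown)
    bios=$(cat "$dmi/bios_version" 2>/dev/null || echo unknown)
    bdate=$(cat "$dmi/bios_date" 2>/dev/null || echo unknown)
    status=$(classify_vendor "$vendor")
    if iommu_active "$root"; then rt=on; else rt=off; fi
    # runtime_iommu reflects the state after OS handoff only. It cannot show
    # whether memory was protected earlier in boot, so the BIOS version still
    # has to be compared with the vendor's fixed release.
    echo "vendor_status=$status bios_version=$bios bios_date=$bdate runtime_iommu=$rt"
}

triage_host
```

A host that reports runtime_iommu=on can still have been exposed before handoff, which is why the summary keeps the BIOS version and date alongside it.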

Key Takeaways

  • Multiple motherboard vendors are affected by a UEFI firmware flaw

  • The issue enables early-boot DMA attacks using malicious PCIe devices

  • Exploitation requires physical access, limiting large-scale risk

  • Firmware incorrectly reports DMA protections before IOMMU activation

  • Vendors have begun releasing BIOS/UEFI updates

  • Early-boot flaws remain critical due to their ability to bypass OS defenses
