As recently as December 2025, the SEI's CERT Coordination Center (CERT/CC) documented a UEFI-related vulnerability in certain motherboard models, illustrating that early-boot firmware behavior continues to present security challenges even when exploitation requires local physical access. UEFI is a critical component of system firmware because it initializes hardware and boots the operating system. Tampering with UEFI can support attacks that are particularly difficult to detect and mitigate.
This vulnerability is the latest issue reported, but it is not an outlier. CERT/CC published seven UEFI vulnerability notes in 2025. While that number is small compared to reported vulnerabilities in other software, the consequences of a UEFI attack are often more serious given the extremely high privileges UEFI firmware holds. Equally important, UEFI firmware is often large, complex, and opaque, which makes it challenging to analyze for security issues.
At the SEI we have made the discovery and remediation of UEFI vulnerabilities a priority. In this blog post, we explore UEFI and introduce CERT UEFI Parser, a new, open source tool that uses program analysis to reveal the structure of UEFI software and to examine this veiled source of vulnerabilities. The parser is the result of a multiyear effort and supports output in human-readable text, JSON, and SBOM-ready JSON, making it well suited to firmware audits, investigations, asset inventories, and automated workflows.
Why Do We Need a UEFI Parser?
The Unified Extensible Firmware Interface (UEFI) specification, started by Intel in 2004, is a community-driven project aimed at creating a standard bootloader for all modern computing devices. It replaces the traditional Basic Input/Output System (BIOS) that previously had the role of starting the operating system when the hardware is powered on.
UEFI is a specification, and its implementation varies by vendor. Each vendor brings different approaches, custom data structures, and its own interpretation of the specification. This fragmentation yields an ecosystem with little uniformity and even less transparency, because most of the code is proprietary. Bootloaders hold a sensitive place in computing architecture: they are the first layer of software between the hardware and the operating system. And where there is software, there is the opportunity for vulnerabilities and exploits.
CERT began developing the UEFI parser tool in early 2020 as part of our systemic vulnerability research initiative, in which we set out to understand and protect some of the most invisible and difficult-to-manage ecosystems in modern computing. We use the term "systemic vulnerability" to describe a deeply embedded flaw that is pervasive across multiple systems, vendors, or implementations; difficult to detect or remediate because of complex dependencies and elusive root causes; and often dismissed as inherent to the system itself. The UEFI ecosystem exemplifies this definition. Firmware is hard to inspect, inconsistently documented, and difficult to manage across diverse hardware platforms, which makes vulnerabilities both hard to discover and even harder to understand in terms of their broader impact.
Early research into UEFI vulnerabilities uncovered a labyrinth of data formats (both binary artifacts and their metadata) in UEFI environments, each with its own unique structures and assumptions, along with many more complex custom formats that live outside traditional executable file formats such as Microsoft's Portable Executable (PE) or the Executable and Linkable Format (ELF) commonly used by Linux systems. These components are often undocumented, highly vendor-specific, and outside the scope of existing tools (for more on existing tools, see here and here). We also encountered challenges in understanding how vulnerabilities propagated across different projects. For example, when a flaw was disclosed in a specific firmware build, it was often unclear how much of the underlying code was reused in other UEFI projects. Without a consistent way to quickly parse and compare components, determining the list of models affected by a vulnerability was extremely difficult. It soon became apparent that we needed to develop a tool to scale our research; welcome, CERT UEFI Parser.
In reverse engineering, parsing and understanding binary file formats is an essential activity for recovering the structure needed to analyze binary artifacts. Effective parsing must be efficient and accurate, incrementally decoding firmware binaries into higher-level structures that support exploration and analysis. Built on robust and extensible parsing frameworks, CERT UEFI Parser gives researchers, system administrators, and security enthusiasts a powerful and transparent way to inspect and analyze firmware. Its features include the capabilities to:
- decompose firmware images, expose hidden structures, and support deeper reverse engineering and code-reuse analysis across the diverse UEFI landscape
- parse firmware ROMs, UEFI firmware images, PE files, installer packages, and more
- produce output in human-readable text, JSON, and SBOM-ready JSON, making it well suited to firmware audits, investigations, asset inventories, and automated workflows
The tool reflects years of accumulated research into how firmware is built, how it varies across vendors, and how it can be analyzed more systematically.
Case Study: Investigating the PKFail Vulnerability
Consider the PKFail vulnerability, published in August 2024. In PKFail, Platform Keys (PKs) intended for development and testing were mistakenly shipped hardcoded in the production firmware of multiple vendors. These keys often carried the label "DO NOT TRUST."
Let's walk through how someone might inspect a binary file to determine whether it is affected by PKFail. We are using the Lenovo ThinkServer 140 ROM. As a start, let's use the parsed file in JSON format so that we can search for strings such as "DO NOT TRUST," a marker commonly embedded in hardcoded test keys.
Figure 1: CERT UEFI Parser in JSON mode allows searching by string
This finding is particularly noteworthy: the Lenovo ThinkServer firmware contains the string "DO NOT TRUST" embedded within the Platform Key (PK). To better understand where this originates, an analyst can load the same firmware image into CERT UEFI Parser's GUI view.
From the JSON output in Figure 1, we identify the PK as an X.509 DER certificate and use this class name to search in the GUI. As shown in Figure 2, the search locates the corresponding hex region containing the same "DO NOT TRUST" string.

Figure 2: CERT UEFI Parser in GUI mode supports searching by class name. A hex dump is displayed to the right of the parsed classes.
The decoded hexadecimal values in the bottom right of the image also read "DO NOT TRUST." Zooming in:

Figure 3: A closeup of the hex dump in CERT UEFI Parser GUI mode
This examination process shows how CERT UEFI Parser can accurately visualize the internals of a UEFI ROM, expediting analysis and vulnerability discovery. A researcher could use CERT UEFI Parser to examine further ROMs either in an automated manner using the JSON output or interactively using the GUI to inspect binary files such as firmware images and installers.
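The same check can be scripted against a raw firmware dump without the GUI. The following Python is an added example, not CERT UEFI Parser's own code: it searches an image for EFI_SIGNATURE_LIST structures whose SignatureType is EFI_CERT_X509_GUID (the type used for a PK certificate), extracts each EFI_SIGNATURE_DATA payload, and reports any certificate whose commonName contains the PKFail marker. The signature-list layout and the EFI_CERT_X509_GUID value come from the UEFI specification; the sample image, the owner GUID, and the "certificate" (a bare DER Name rather than a full X.509 Certificate) are constructed for the example. Rather than walking a full Certificate structure, the commonName extraction looks for the DER-encoded OID 2.5.4.3 and decodes the string value that follows it, which also copes with vendor-mangled certificates.

```python
"""Scan a raw UEFI image for X.509 EFI_SIGNATURE_LIST entries and flag
test keys by their commonName. Added example; not CERT UEFI Parser code."""
import struct
import uuid

# EFI_CERT_X509_GUID from the UEFI specification (stored little-endian in the image).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072").bytes_le

# DER encoding of the commonName attribute type: OBJECT IDENTIFIER 2.5.4.3.
CN_OID_DER = bytes.fromhex("0603550403")

# String tags a Name attribute value may use: UTF8String, PrintableString, IA5String, BMPString.
DER_STRING_TAGS = {0x0C: "utf-8", 0x13: "ascii", 0x16: "ascii", 0x1E: "utf-16-be"}

SIG_LIST_HEADER = 16 + 12   # SignatureType GUID + three UINT32 size fields
SIG_DATA_OWNER = 16         # SignatureOwner GUID preceding SignatureData


def read_der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, offset of first content byte)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("indefinite or oversized DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def common_names(der):
    """Return every commonName value in a DER blob (subject and issuer alike)."""
    names = []
    pos = der.find(CN_OID_DER)
    while pos != -1:
        vpos = pos + len(CN_OID_DER)          # the AttributeValue TLV follows the OID
        if vpos < len(der) and der[vpos] in DER_STRING_TAGS:
            try:
                length, start = read_der_length(der, vpos + 1)
                raw = der[start:start + length]
                if len(raw) == length:
                    names.append(raw.decode(DER_STRING_TAGS[der[vpos]], errors="replace"))
            except (ValueError, IndexError):
                pass                           # truncated TLV: skip this candidate
        pos = der.find(CN_OID_DER, pos + 1)
    return names


def signature_lists(image):
    """Yield (offset, [SignatureData, ...]) for each plausible X.509 EFI_SIGNATURE_LIST.

    Layout: SignatureType GUID[16], SignatureListSize u32, SignatureHeaderSize u32,
    SignatureSize u32, SignatureHeader[SignatureHeaderSize], then SignatureSize-byte
    EFI_SIGNATURE_DATA entries (SignatureOwner GUID[16] + SignatureData).
    """
    pos = image.find(EFI_CERT_X509_GUID)
    while pos != -1:
        if pos + SIG_LIST_HEADER <= len(image):
            list_size, header_size, sig_size = struct.unpack_from("<III", image, pos + 16)
            body = pos + SIG_LIST_HEADER + header_size
            # The GUID also appears as a constant inside drivers, so require that the
            # list fits the image, each entry holds more than an owner GUID, and the
            # entries tile the body exactly before treating the match as a real list.
            if (SIG_LIST_HEADER + header_size <= list_size <= len(image) - pos
                    and sig_size > SIG_DATA_OWNER
                    and (list_size - SIG_LIST_HEADER - header_size) % sig_size == 0):
                entries = [image[off + SIG_DATA_OWNER:off + sig_size]
                           for off in range(body, pos + list_size, sig_size)]
                yield pos, entries
        pos = image.find(EFI_CERT_X509_GUID, pos + 1)


def find_untrusted_keys(image, marker="DO NOT TRUST"):
    """Return (list_offset, common_name) for every certificate whose CN carries the marker."""
    return [(offset, cn)
            for offset, certs in signature_lists(image)
            for cert in certs
            for cn in common_names(cert)
            if marker.lower() in cn.lower()]


def der_tlv(tag, content):
    """Encode one DER TLV (short and two-byte long forms suffice for this sample)."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


def build_sample_image():
    """Constructed stand-in for a firmware dump: filler around one EFI_SIGNATURE_LIST.
    The payload is a minimal DER Name, not a real certificate, and the owner GUID is made up."""
    attr = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("550403")) + der_tlv(0x13, b"DO NOT TRUST - AMI Test PK"))
    name = der_tlv(0x30, der_tlv(0x31, attr))           # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue
    owner = bytes(range(16))                            # constructed SignatureOwner GUID
    sig_data = owner + name
    sig_list = EFI_CERT_X509_GUID + struct.pack("<III", SIG_LIST_HEADER + len(sig_data), 0, len(sig_data)) + sig_data
    return b"\xff" * 64 + sig_list + b"\x00" * 64


if __name__ == "__main__":
    for offset, cn in find_untrusted_keys(build_sample_image()):
        print(f"signature list at 0x{offset:x}: untrusted certificate CN={cn!r}")
```

On a real dump, feed the file contents to `find_untrusted_keys`; a hit is a strong PKFail indicator, while an empty result only means no X.509 signature list with that marker was found in a recognizable layout (a PK stored in a compressed or vendor-specific NVRAM container would be missed, which is exactly the gap a structure-aware parser such as CERT UEFI Parser closes).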
The UEFI Ecosystem
Before UEFI there was EFI, and before EFI there was BIOS. In the BIOS-dominated era, limited standardization made it difficult to support increasingly complex and dynamic hardware environments. Intel created EFI to address this conflict, and UEFI is its "unified" successor, bringing supply-chain parties and their interactions into a set of common, reasonably well-defined interfaces.
UEFI standards were published to bring such uniformity to the system software layer that bridges hardware and operating systems, while still allowing for innovation and implementation flexibility. As these standards were adopted, the UEFI community emerged under the Unified Extensible Firmware Interface Forum as a loose collaboration of silicon vendors, platform manufacturers, firmware developers, operating system vendors, and tool developers who collectively interpret, implement, and extend the specification.
In practice, the UEFI ecosystem is not a single implementation but a vast collection of firmware codebases, configuration choices, and vendor-specific extensions deployed across globally manufactured systems. While common interfaces enable interoperability, real-world implementations vary significantly because of differing design priorities, legacy requirements, and levels of engineering rigor.
This variability creates an environment in which correctness and security cannot be assumed. Misinterpretations of the specification, subtle defects, configuration errors, and unintended interactions may exist below the operating system's visibility, particularly in security-sensitive paths. As a result, systematic analysis and reverse engineering of UEFI implementations by security evaluators remain necessary to understand actual behavior, identify gaps, and validate security assumptions across the broader UEFI ecosystem.
Future UEFI Work at the SEI
CERT UEFI Parser is at a transition stage, and its future depends largely on community engagement in the form of feedback, feature requests, and direct contributions. Improving UEFI transparency requires sustained, collaborative effort. We encourage readers to visit our GitHub page, explore the parser, share feedback, request new features, or contribute improvements through pull requests; such participation will help us refine and develop the tool, bringing greater maturity and visibility to firmware analysis across the ecosystem.
The SEI continues to use the parser for research into systemic vulnerabilities, alongside our work building tools and techniques to help cybersecurity professionals evaluate UEFI security weaknesses. The complex, opaque, and privileged nature of UEFI firmware remains an underappreciated source of risk that warrants increased scrutiny.
