Insyde UEFI Flaw Enables Digital Certificate Injection via NVRAM Variable

A critical vulnerability (CVE-2025-4275) in Insyde H2O UEFI firmware allows attackers to bypass Secure Boot protections by injecting malicious digital certificates via an unprotected NVRAM variable.

Dubbed Hydroph0bia, this flaw enables pre-boot execution of unsigned code, posing severe risks to enterprise and consumer devices.

Insecure NVRAM Variable Handling

The vulnerability stems from the improper use of the SecureFlashCertData NVRAM variable, which stores public keys used in UEFI trust validation.

Insyde H2O firmware relies on this variable to exchange certificates between DXE drivers and verification libraries, like LoadImage and StartImage.

However, the variable lacks write-protection, allowing attackers with administrative privileges to overwrite it with rogue certificates.

Key technical factors:

• UEFI Secure Boot Bypass: Injected certificates are trusted during early boot, enabling execution of malicious UEFI applications.
• Library Function Flaw: Common functions LibGetVariable fail to validate whether the variable is volatile or firmware-set, permitting OS-level tampering.
• Persistence ...