A significant security vulnerability has been discovered affecting numerous motherboard models from prominent manufacturers like ASRock, ASUS, GIGABYTE, and MSI. This flaw, related to early-boot direct memory access (DMA) attacks, leaves systems susceptible before the operating system’s safeguards are fully established. The vulnerability impacts systems utilizing Unified Extensible Firmware Interface (UEFI) and Input-Output Memory Management Unit (IOMMU) architectures, posing a potential risk to sensitive data and system integrity.
The security gap was identified by researchers Nick Peterson and Mohamed Al-Sharifi of Riot Games. They found that while certain UEFI firmware implementations report DMA protection as active, they fail to properly configure and enable the IOMMU during the crucial initial boot phase. This oversight creates a window of opportunity for malicious hardware to access or modify system memory before operating system-level security measures are in place, according to an advisory from the CERT Coordination Center.
Motherboard Firmware Security Flaw Exposes Systems to DMA Attacks
The vulnerability allows a physically present attacker with access to a DMA-capable Peripheral Component Interconnect Express (PCIe) device to read or alter system memory. This bypasses the intended security foundation provided by UEFI and IOMMU, which are designed to prevent unauthorized memory access by peripherals before the operating system loads. Effectively, the firmware provides a false sense of security, indicating protection is active when it is not correctly enforced.
Successful exploitation of this firmware security flaw could lead to pre-boot code injection on vulnerable systems. Attackers could leverage DMA transactions to access or tamper with critical system memory well before the operating system kernel and its associated security features are initialized. This could significantly undermine the integrity of the entire boot process and the subsequent security posture of the system.
Specific Vulnerabilities and Affected Components
The CERT Coordination Center has detailed several specific Common Vulnerabilities and Exposures (CVEs) associated with this issue, each carrying a CVSS score of 7.0, indicating a high severity:
- CVE-2025-14304 affects ASRock, ASRock Rack, and ASRock Industrial motherboards equipped with Intel 500, 600, 700, and 800 series chipsets.
- CVE-2025-11901 impacts ASUS motherboards utilizing Intel Z490, W480, B460, H410, Z590, B560, H510, Z690, B660, W680, Z790, B760, and W790 series chipsets.
- CVE-2025-14302 applies to GIGABYTE motherboards with several Intel chipsets including Z890, W880, Q870, B860, H810, Z790, B760, Z690, Q670, B660, H610, and W790. It also affects AMD chipsets such as X870E, X870, B850, B840, X670, B650, A620, A620A, and TRX50. A fix for the TRX50 chipset is anticipated in the first quarter of 2026.
- CVE-2025-14303 affects MSI motherboards that incorporate Intel 600 and 700 series chipsets.
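A fleet-triage sketch for the CVE list above, added here as an example and not taken from CERT/CC or any vendor: it matches DMI board vendor and board name strings against the chipsets this article lists. The function name, the inventory records and the rule that the first digit of an Intel chipset name gives its series are assumptions; a match means the board falls in the listed scope and needs a firmware check, not that it is confirmed vulnerable.

```python
import re

# Scope as listed in the article: explicit chipset names for ASUS and GIGABYTE,
# Intel series numbers (as first digit) for ASRock and MSI.
EXPLICIT = {
    "asus": ("CVE-2025-11901",
             "Z490 W480 B460 H410 Z590 B560 H510 Z690 B660 W680 Z790 B760 W790".split()),
    "gigabyte": ("CVE-2025-14302",
                 ("Z890 W880 Q870 B860 H810 Z790 B760 Z690 Q670 B660 H610 W790 "
                  "X870E X870 B850 B840 X670 B650 A620 A620A TRX50").split()),
}
INTEL_SERIES = {
    "asrock": ("CVE-2025-14304", {5, 6, 7, 8}),
    "micro-star": ("CVE-2025-14303", {6, 7}),
}
# Assumption: an Intel chipset name is one letter plus three digits, and the
# first digit gives the series (Z590 -> 500 series).
INTEL_CHIPSET = re.compile(r"(?<![A-Z0-9])[ZHBWQ](\d)\d{2}(?!\d)")

def triage(board_vendor, board_name, cpu_vendor):
    """Return (cve, chipset) if the board is in the listed scope, else None."""
    vendor, name = board_vendor.lower(), board_name.upper()
    for key, (cve, chipsets) in EXPLICIT.items():
        if key in vendor:
            # Longest names first so X870E is reported before X870.
            for chip in sorted(chipsets, key=len, reverse=True):
                # Form-factor suffixes (B660M) are allowed, extra digits are not.
                if re.search(rf"(?<![A-Z0-9]){chip}(?!\d)", name):
                    return cve, chip
            return None
    for key, (cve, series) in INTEL_SERIES.items():
        # AMD chipsets reuse the same numbering (B650), so require an Intel CPU.
        if key in vendor and cpu_vendor == "GenuineIntel":
            m = INTEL_CHIPSET.search(name)
            if m and int(m.group(1)) in series:
                return cve, m.group(0)
    return None

if __name__ == "__main__":
    # Constructed inventory records: (board_vendor, board_name, cpu vendor_id).
    inventory = [
        ("Gigabyte Technology Co., Ltd.", "Z790 AORUS ELITE AX", "GenuineIntel"),
        ("ASUSTeK COMPUTER INC.", "ROG STRIX B550-F GAMING", "AuthenticAMD"),
        ("Micro-Star International Co., Ltd.", "MAG B760M MORTAR WIFI", "GenuineIntel"),
    ]
    for rec in inventory:
        print(rec[1], "->", triage(*rec) or "not in listed scope")
```

On Linux the three inputs correspond to `/sys/class/dmi/id/board_vendor`, `/sys/class/dmi/id/board_name` and the `vendor_id` field of `/proc/cpuinfo`.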
The primary mitigation for this vulnerability involves applying firmware updates released by the affected vendors. These updates aim to rectify the IOMMU initialization sequence, thereby ensuring DMA protections are enforced throughout the entire boot sequence. End users and system administrators are strongly advised to install these updates as soon as they become available to protect against potential exploitation.
The CERT/CC emphasizes the critical importance of prompt patching, particularly in environments where physical security cannot be guaranteed. This vulnerability underscores the foundational role of the IOMMU in isolation and trust delegation, even in virtualized and cloud environments, highlighting the necessity of correct firmware configuration across all systems.
Organizations and individuals using affected hardware should actively monitor vendor websites for firmware updates. The timely application of these patches is the most effective way to close this security gap and prevent unauthorized access to system memory during the early stages of the boot process. The industry will continue to watch for any further developments or newly discovered implications of this firmware security issue.

