Critical Supply Chain Flaw: Clevo UEFI Firmware Leaked Intel Boot Guard Private Keys (CVE-2025-11577)

The CERT Coordination Center (CERT/CC) has issued a warning about a critical supply chain flaw, tracked as CVE-2025-11577, after researchers discovered that Clevo’s UEFI firmware update packages accidentally exposed Intel Boot Guard private keys. The exposure could allow attackers to sign and install malicious firmware that the system would treat as trusted, compromising the pre-boot environment and undermining platform integrity.

According to CERT/CC, “Clevo’s UEFI firmware update packages included sensitive private keys used in their Intel Boot Guard implementation. This accidental exposure of the keys could be abused by an attacker to sign malicious firmware using Clevo’s Boot Guard trust chain.”

Intel Boot Guard is designed to protect a system’s initial boot process by cryptographically verifying firmware before it executes. It establishes a root of trust that ensures only verified firmware runs before the operating system loads.

As CERT/CC explains, “Intel Boot Guard is a platform integrity technology, providing a root of trust that protects the earliest stages of the boot process. It cryptographically verifies the Initial Boot Block (IBB) and prevents the execution of untrusted firmware.”

Boot Guard is distinct from UEFI Secure Boot, which enforces trust later in the boot chain.

The advisory continues: “Boot Guard is often confused with UEFI Secure Boot, but Secure Boot operates later in the process, enforcing trust within the UEFI firmware execution phase and during the transition from UEFI to the operating system.”

This means that a compromise of Boot Guard — the earliest link in the trust chain — can effectively invalidate all downstream mechanisms, including Secure Boot and OS-level protections.

Clevo, a Taiwan-based ODM/OEM, manufactures laptops and UEFI firmware used by several global PC brands. As a result, the leaked keys could affect systems far beyond Clevo’s own lineup.

CERT/CC warns that “Clevo Co. is a computer hardware and firmware manufacturer that operates as both an Original Design Manufacturer (ODM) and an Original Equipment Manufacturer (OEM), producing laptops and UEFI firmware used by various personal computer brands.”

Because Clevo’s firmware is integrated into devices from other OEMs, the exposure has potential supply chain implications.

The most serious aspect of the exposure lies in the trust relationship that Boot Guard establishes. With leaked signing keys, attackers can craft malicious UEFI firmware that passes Intel Boot Guard’s integrity checks — effectively appearing legitimate to the hardware.

CERT/CC notes that “An attacker with write access to flash storage for a system, whether through physical access or a privileged software update mechanism, could abuse the leaked keys to sign and install malicious firmware.”

Such malicious firmware could persist across reboots, evade operating system-level detection, and grant long-term control over the device.

CERT/CC reports that Clevo has removed the affected firmware packages containing the exposed keys but has not yet announced a concrete mitigation or key revocation plan.

In the absence of official remediation, users and system integrators relying on Clevo firmware are urged to:

  • Assess exposure by checking whether affected firmware versions were deployed.
  • Monitor systems for unauthorized or unsigned firmware changes.
  • Apply firmware updates only from verified and trusted sources.
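To make concrete why a leaked signing key defeats the check Boot Guard performs, and why the monitoring step above has to rely on firmware measurements rather than signature validity alone, here is an added Python simulation (not code from Clevo, Intel or CERT/CC). It models the verification as a fused key hash, a signed boot policy carrying the IBB hash, and a defender-side allowlist of IBB measurements the vendor actually shipped; the HMAC-based signature and every key and image in it are constructed stand-ins.

```python
import hashlib
import hmac
from dataclasses import dataclass

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

# Simplification: HMAC under a shared key stands in for the vendor's asymmetric signature.
def sign(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

@dataclass(frozen=True)
class BootPolicy:
    ibb_hash: bytes   # hash of the Initial Boot Block the policy authorizes
    signature: bytes  # vendor signature over ibb_hash

def issue_policy(vendor_key: bytes, ibb: bytes) -> BootPolicy:
    return BootPolicy(sha256(ibb), sign(vendor_key, sha256(ibb)))

def verify_chain(fused_key_hash: bytes, vendor_key: bytes,
                 policy: BootPolicy, ibb: bytes) -> bool:
    """Boot Guard-style check: vendor key matches the hash fused into the platform,
    the policy signature verifies under it, and the IBB on flash matches the policy."""
    if not hmac.compare_digest(sha256(vendor_key), fused_key_hash):
        return False
    if not hmac.compare_digest(sign(vendor_key, policy.ibb_hash), policy.signature):
        return False
    return hmac.compare_digest(sha256(ibb), policy.ibb_hash)

def classify(fused_key_hash: bytes, vendor_key: bytes, policy: BootPolicy,
             ibb: bytes, known_good: set) -> str:
    """Defender view: after a key leak a valid chain only proves someone held the
    key, so additionally require the IBB measurement to be on a shipped-image allowlist."""
    if not verify_chain(fused_key_hash, vendor_key, policy, ibb):
        return "reject: chain invalid"
    if sha256(ibb) in known_good:
        return "ok: chain valid, IBB measurement known-good"
    return "alert: chain valid, IBB measurement not on allowlist"

def demo() -> tuple:
    vendor_key = b"constructed-vendor-key"          # constructed, not a real key
    fused = sha256(vendor_key)                      # what the platform would fuse
    shipped = b"constructed IBB the vendor shipped"
    unknown = b"constructed IBB the vendor never shipped"
    known_good = {sha256(shipped)}
    ok = classify(fused, vendor_key, issue_policy(vendor_key, shipped), shipped, known_good)
    # A validly signed policy for an image never released: what a leaked key permits.
    alert = classify(fused, vendor_key, issue_policy(vendor_key, unknown), unknown, known_good)
    return ok, alert
```

The signature check passes identically in both cases; only the measurement allowlist separates the shipped image from the one signed with the same key.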
