Bypass Record

Pre-OS Boot × AMI Aptio V UEFI Firmware

A publicly-reported instance of Pre-OS Boot bypassing AMI Aptio V UEFI Firmware, recorded with its original source. Factual record; no assessment of any specific deployment.

Product

AMI Aptio V UEFI Firmware

Technique

Pre-OS Boot

MITRE ATT&CK

T1542

Confidence

High

Severity

High

Status

poc

Disclosed

2023-05-29

Config / version noted

Not stated

Provenance

github.com
disclosed 2023-05-29 · original source · via exa
github.com
disclosed 2023-05-29 · original source · via exa

Reported as

patching AMI Aptio V UEFI firmware to disable image signature verification, allowing unsigned executables to load under Secure Boot

Mechanism

The method extracts the SecurityStubDxe EFI binary from firmware, locates the image verification handler via reverse engineering, and patches it to always return EFI_SUCCESS. This defeats Secure Boot's integrity checks, allowing any unsigned code to execute during boot.

Detection & mitigation

Monitor UEFI firmware integrity using hardware root-of-trust measurements (e.g., TPM PCRs) and compare against known-good values via remote attestation. Enforce Secure Boot with custom Platform Key (PK) and audit firmware updates through secure update mechanisms.

Pre-OS Boot has also been recorded against

Google Insyde Microsoft Qualcomm Unisoc

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.