Search criteria
2 vulnerabilities found for Notebook System Firmware by Clevo
CVE-2025-11577 (GCVE-0-2025-11577)
Vulnerability from cvelistv5 – Published: 2025-10-14 15:34 – Updated: 2025-10-15 13:17
VLAI?
Summary
Clevo’s UEFI firmware update packages, including B10717.exe, inadvertently contained private signing keys used for Boot Guard and Boot Policy Manifest verification. The exposure of these keys could allow attackers to sign malicious firmware that appears trusted by affected systems, undermining the integrity of the early boot process.
Severity ?
7.6 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Clevo | Notebook System Firmware |
Affected:
1.07.07TRO1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "HIGH",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-11577",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-15T13:17:29.919651Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T13:17:44.736Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Notebook System Firmware",
"vendor": "Clevo",
"versions": [
{
"status": "affected",
"version": "1.07.07TRO1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Clevo\u2019s UEFI firmware update packages, including B10717.exe, inadvertently contained private signing keys used for Boot Guard and Boot Policy Manifest verification. The exposure of these keys could allow attackers to sign malicious firmware that appears trusted by affected systems, undermining the integrity of the early boot process."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-321 Use of Hard\u2011coded Cryptographic Key",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-14T15:34:09.651Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://www.binarly.io/advisories/brly-2025-002"
},
{
"url": "https://www.kb.cert.org/vuls/id/538470"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Clevo UEFI firmware exposed Boot Guard private keys, enabling potential abuse of the Boot Guard trust chain",
"x_generator": {
"engine": "VINCE 3.0.26",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2025-11577"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2025-11577",
"datePublished": "2025-10-14T15:34:09.651Z",
"dateReserved": "2025-10-10T02:08:14.733Z",
"dateUpdated": "2025-10-15T13:17:44.736Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-11577 (GCVE-0-2025-11577)
Vulnerability from nvd – Published: 2025-10-14 15:34 – Updated: 2025-10-15 13:17
VLAI?
Summary
Clevo’s UEFI firmware update packages, including B10717.exe, inadvertently contained private signing keys used for Boot Guard and Boot Policy Manifest verification. The exposure of these keys could allow attackers to sign malicious firmware that appears trusted by affected systems, undermining the integrity of the early boot process.
Severity ?
7.6 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Clevo | Notebook System Firmware |
Affected:
1.07.07TRO1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "HIGH",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-11577",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-15T13:17:29.919651Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T13:17:44.736Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Notebook System Firmware",
"vendor": "Clevo",
"versions": [
{
"status": "affected",
"version": "1.07.07TRO1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Clevo\u2019s UEFI firmware update packages, including B10717.exe, inadvertently contained private signing keys used for Boot Guard and Boot Policy Manifest verification. The exposure of these keys could allow attackers to sign malicious firmware that appears trusted by affected systems, undermining the integrity of the early boot process."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-321 Use of Hard\u2011coded Cryptographic Key",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-14T15:34:09.651Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://www.binarly.io/advisories/brly-2025-002"
},
{
"url": "https://www.kb.cert.org/vuls/id/538470"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Clevo UEFI firmware exposed Boot Guard private keys, enabling potential abuse of the Boot Guard trust chain",
"x_generator": {
"engine": "VINCE 3.0.26",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2025-11577"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2025-11577",
"datePublished": "2025-10-14T15:34:09.651Z",
"dateReserved": "2025-10-10T02:08:14.733Z",
"dateUpdated": "2025-10-15T13:17:44.736Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}