CVE-2025-2486
Severity: Low (CVSS 4.0 base score 3.7) · EPSS 1.7%
Published Nov 26, 2025 · Last Modified Jun 17, 2026
Description
The Ubuntu edk2 UEFI firmware packages accidentally allowed the UEFI Shell to be accessed in Secure Boot environments, possibly allowing bypass of Secure Boot constraints. Versions 2024.05-2ubuntu0.3 and 2024.02-2ubuntu0.3 disable the Shell. Some previous versions inserted a secure-boot-based decision to continue running inside the Shell itself, which is believed to be sufficient to enforce Secure Boot restrictions. This is an additional repair on top of the incomplete fix for CVE-2023-48733.
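A quick local check, added here as an example and not taken from the advisory or the Launchpad bug: it tells an administrator whether the installed edk2-based firmware package is at one of the fixed versions named in the description above, and reads the SecureBoot EFI variable to see whether the OS the check runs on booted with Secure Boot enforced. The package name `ovmf` and the efivars path are assumptions; the variable layout (4 attribute bytes followed by a 1-byte value, under the EFI_GLOBAL_VARIABLE GUID) is the standard efivarfs encoding, and the version-ordering fallback is only for hosts without dpkg.

```shell
#!/bin/sh
# Added example for CVE-2025-2486; not part of the advisory.
# Fixed versions below are the ones the advisory description names.

# Return 0 if an installed Ubuntu edk2 package version ($1) is at or past
# the fixed version for its upstream series, 1 if it is older, and 2 if the
# series is not one the advisory covers (treat that as "unknown", not "safe").
cve_2025_2486_fixed() {
  v="$1"
  case "$v" in
    2024.05-*) fixed="2024.05-2ubuntu0.3" ;;
    2024.02-*) fixed="2024.02-2ubuntu0.3" ;;
    *)         return 2 ;;
  esac
  if command -v dpkg >/dev/null 2>&1; then
    # Authoritative Debian version ordering.
    dpkg --compare-versions "$v" ge "$fixed"
  else
    # Fallback: sort -V orders these version strings the same way dpkg does
    # (numeric fields compared numerically, a shorter prefix sorts first).
    [ "$(printf '%s\n%s\n' "$fixed" "$v" | sort -V | head -n 1)" = "$fixed" ]
  fi
}

# Print enabled/disabled/unknown from the SecureBoot EFI variable. The file
# defaults to the efivarfs entry (assumed path); its first 4 bytes are the
# variable attributes and byte 5 is the value. A path may be passed to
# inspect a copied variable or for testing.
secure_boot_state() {
  f="${1:-/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c}"
  if [ ! -r "$f" ]; then
    echo unknown
    return 2
  fi
  b="$(od -An -tu1 -j4 -N1 "$f" | tr -d ' ')"
  case "$b" in
    1) echo enabled ;;
    0) echo disabled ;;
    *) echo unknown; return 2 ;;   # short or malformed variable
  esac
}

# Stand-alone run: report the installed package version (ovmf is the assumed
# package name for the x86 edk2 build on Ubuntu) and this OS instance's
# Secure Boot state.
report() {
  pkg="${1:-ovmf}"
  ver="$(dpkg-query -W -f '${Version}' "$pkg" 2>/dev/null || true)"
  if [ -z "$ver" ]; then
    echo "$pkg: not installed (or dpkg-query unavailable)"
  elif cve_2025_2486_fixed "$ver"; then
    echo "$pkg $ver: fixed for CVE-2025-2486"
  else
    echo "$pkg $ver: NOT fixed, or series not covered by the advisory"
  fi
  echo "Secure Boot (this OS instance): $(secure_boot_state)"
}

report "$@"
```

Two limits worth keeping in mind: the SecureBoot variable describes the boot of the OS that ran the check, so inside a guest it reports the guest's own state, and a fixed package on a host only takes effect for a VM once that VM is restarted with the new firmware image. Neither check proves the Shell has actually been removed from a particular firmware file; it only confirms the package version the advisory says does so.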
CVSS Details
Base score: 3.7 (CVSS 4.0); exploitability and impact sub-scores are not shown on this page.
Vector string: CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector (AV): Local
Attack Complexity (AC): High
Attack Requirements (AT): None
Privileges Required (PR): None
User Interaction (UI): Active
Vulnerable System impact (VC/VI/VA): Confidentiality None, Integrity High, Availability None
Subsequent System impact (SC/SI/SA): Confidentiality High, Integrity High, Availability High
Exploit Maturity (E): Unreported; all environmental and supplemental metrics are not defined (X)
The High subsequent-system impact reflects that anything launched from the Shell runs outside the Secure Boot trust boundary; the Local vector and Active user interaction reflect that the Shell has to be reached from the boot console of the affected system.
Threat Intelligence
EPSS exploit probability: 1.7% (percentile not shown on this page)
Exploit status: no known exploit
Patch status: patch available
Weaknesses (1): CWE-489 (Active Debug Code)
Affected Products (2): not itemized on this page; the description names the 2024.05 and 2024.02 series of the Ubuntu edk2 packages.
References (1)
- bugs.launchpad.net https://bugs.launchpad.net/ubuntu/+source/edk2/+bug/2101797
Remediation
Upgrade the Ubuntu edk2 packages to 2024.05-2ubuntu0.3 or 2024.02-2ubuntu0.3 (or later), which disable the UEFI Shell in the shipped firmware images. Virtual machines keep running the firmware image they were started with, so each guest must be restarted to pick up the fixed image. Package status and discussion:
- bugs.launchpad.net https://bugs.launchpad.net/ubuntu/+source/edk2/+bug/2101797