CVE-2025-2486

Severity: Low (CVSS 4.0 base score 3.7) · EPSS 1.7%
Published Nov 26, 2025 (7mo ago) · Last Modified Jun 17, 2026 (2w ago)

Description

The Ubuntu edk2 UEFI firmware packages accidentally allowed the UEFI Shell to be accessed in Secure Boot environments, possibly allowing bypass of Secure Boot constraints. Versions 2024.05-2ubuntu0.3 and 2024.02-2ubuntu0.3 disable the Shell. Some previous versions inserted a secure-boot-based decision to continue running inside the Shell itself, which is believed to be sufficient to enforce Secure Boot restrictions. This is an additional repair on top of the incomplete fix for CVE-2023-48733.

CVSS Details

Base Score
3.7
Exploitability
Impact
Vector string
CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Local
Attack Complexity High
Privileges Required None
User Interaction Active
Scope X

Threat Intelligence

EPSS Exploit Probability
1.7% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-489

Affected Products 2

| Vendor | Product | Version | Range |
|---|---|---|---|
| tianocore | edk2 | 202402* | any |
| tianocore | edk2 | 202405 | any |

References 1

  • bugs.launchpad.net: https://bugs.launchpad.net/ubuntu/+source/edk2/+bug/2101797 (Patch, Third Party Advisory)

Remediation

  • bugs.launchpad.net: https://bugs.launchpad.net/ubuntu/+source/edk2/+bug/2101797 (Patch, Third Party Advisory)