Key Information Vulnerability Overview Vulnerability Name: Clevo UEFI firmware embedded BootGuard keys compromising Clevo's implementation of BootGuard Vulnerability ID: VU#538470 Release Date: 2025-10-13 Last Revised: 2025-10-14 Description Clevo’s UEFI firmware update packages contained sensitive private keys used in its Intel Boot Guard implementation. This accidental key exposure could allow attackers to sign malicious firmware using Clevo’s Boot Guard trust chain, potentially compromising the pre-boot UEFI environment on systems utilizing Clevo’s implementation. Impact Attackers with write access to system flash storage—whether through physical access or privileged software update mechanisms—can exploit the leaked keys to sign and install malicious firmware. Such firmware would be trusted during the protected early boot phase, enabling attackers to bypass protections on affected UEFI systems and achieve persistent, stealthy control over the device. Solution Although Clevo has reported removing the affected software containing the leaked keys, no public remediation steps have been announced. Users of Clevo-based devices, including other OEMs integrating Clevo firmware, should: Assess their exposure to affected firmware versions. Monitor systems for unauthorized firmware modifications. Apply firmware updates only from verified and trusted sources. Affected Vendors Google: Not Affected Insyde Software Corporation: Not Affected Intel: Not Affected Phoenix Technologies: Not Affected UEFI Security Response Team: Not Affected Acer: Unknown ADATA: Unknown Amazon: Unknown American Megatrends Incorporated (AMI): Unknown ASUSTeK Computer Inc.: Unknown Additional Information CVE ID: CVE-2025-11577 API URL: VINCE JSON Public Disclosure Date: 2025-10-13 Initial Release Date: 2025-10-13 Last Updated: 2025-10-14 15:50 UTC Document Revision: 2