CVE-2025-2486

EPSS 0.02%
Veröffentlicht 26.11.2025 17:33:17
Zuletzt bearbeitet 19.12.2025 16:31:04
Quelle security@ubuntu.com
CVE-Watchlists
Login
Unerledigt
Login

The Ubuntu edk2 UEFI firmware packages accidentally allowed the UEFI Shell to be accessed in Secure Boot environments, possibly allowing bypass of Secure Boot constraints. Versions 2024.05-2ubuntu0.3 and 2024.02-2ubuntu0.3 disable the Shell. Some previous versions inserted a secure-boot-based decision to continue running inside the Shell itself, which is believed to be sufficient to enforce Secure Boot restrictions. This is an additional repair on top of the incomplete fix for CVE-2023-48733.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Tianocore ≫ Edk2 Version202402*

Tianocore ≫ Edk2 Version202405

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.043

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2	6	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
security@ubuntu.com	3.7	0	0	CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-489 Active Debug Code

The product is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information.

https://bugs.launchpad.net/ubuntu/+source/edk2/+bug/2101797

Patch

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2025-2486

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-2486

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-2486

EUVD