SecuriTricks - CVE-2025-2486

Description

The Ubuntu edk2 UEFI firmware packages accidentally allowed the UEFI Shell to be accessed in Secure Boot environments, possibly allowing bypass of Secure Boot constraints. Versions 2024.05-2ubuntu0.3 and 2024.02-2ubuntu0.3 disable the Shell. Some previous versions inserted a secure-boot-based decision to continue running inside the Shell itself, which is believed to be sufficient to enforce Secure Boot restrictions. This is an additional repair on top of the incomplete fix for CVE-2023-48733.

Product(s) Impacted

Vendor	Product	Versions
Ubuntu	Edk2	2024.05-2ubuntu0.3, 2024.02-2ubuntu0.3, <2024.02-2ubuntu0.3

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-489

Active Debug Code

The product is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	ubuntu	edk2	2024.05-2ubuntu0.3	/	/	/	/	/	/	/
a	ubuntu	edk2	2024.02-2ubuntu0.3	/	/	/	/	/	/	/
a	ubuntu	edk2	<2024.02-2ubuntu0.3	/	/	/	/	/	/	/

References

https://bugs.launchpad.net/ubuntu/+source/edk2/+bug/2101797

CVSS Score

3.7 / 10

CVSS Data - 4.0

Attack Vector: LOCAL
Attack Complexity: HIGH
Attack Requirements: NONE
Privileges Required: NONE
User Interaction: ACTIVE
Scope:
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
Exploit Maturity: UNREPORTED

CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

View Vector String

Timeline

Published: Nov. 26, 2025, 6:15 p.m.
Last Modified: Nov. 26, 2025, 6:15 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security@ubuntu.com

CVE-2025-2486