CVE-2024-7344
Published: 2025-01-14
CVSS 3.1: 8.2 (high)
Tags: ITW, VulnCheck KEV, Ransomware
Exploited in the wild
EPSS: 1.04% (59.6th percentile)
Howyar UEFI Application "Reloader" (32-bit and 64-bit) is vulnerable to execution of unsigned software in a hardcoded path.
Affected
28 affected ranges (showing 25)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ces_taiwan | ces_neoimpact | >= * < 10.1.024-20241127 | 10.1.024-20241127 |
| cs-grp | neo_impact | < 10.1.024-20241127 | 10.1.024-20241127 |
| greenware | greenguard | < 10.2.023-20240927 | 10.2.023-20240927 |
| greenware_technologies | greenguard | >= * < 10.2.023-20240927 | 10.2.023-20240927 |
| howyar | sysreturn | < 10.2.023_20240919 | 10.2.023_20240919 |
| howyar_technologies | sysreturn | >= * < 10.2.02320240919 | 10.2.02320240919 |
| msrc | windows_10 | — | — |
| msrc | windows_10_version_1607 | — | — |
| msrc | windows_10_version_1809 | — | — |
| msrc | windows_10_version_21h2 | — | — |
| msrc | windows_10_version_22h2 | — | — |
| msrc | windows_11_version_22h2 | — | — |
| msrc | windows_11_version_23h2 | — | — |
| msrc | windows_11_version_24h2 | — | — |
| msrc | windows_server_2012 | — | — |
| msrc | windows_server_2012_r2 | — | — |
| msrc | windows_server_2016 | — | — |
| msrc | windows_server_2019 | — | — |
| msrc | windows_server_2022 | — | — |
| msrc | windows_server_2022_23h2_edition | — | — |
| msrc | windows_server_2025 | — | — |
| radix | smart_recovery | < 11.2.023-20240927 | 11.2.023-20240927 |
| radix | smartrecovery | >= * < 11.2.023-20240927 | 11.2.023-20240927 |
| sanfong | ez-back_system | < 10.3.024-20241127 | 10.3.024-20241127 |
| sanfong | sanfong_ez-back_system | >= * < 10.3.024-20241127 | 10.3.024-20241127 |
Detection & IOCs (extracted from sources)
- Detect presence of cloak.dat on the EFI System Partition; this file contains an XOR-encrypted PE payload used to bypass UEFI Secure Boot via CVE-2024-7344.
- Monitor for creation of the anomalous files config, verify, counter, and bootmgfw.efi.old under \EFI\Microsoft\Boot\ as indicators of bootkit staging.
- Verify that the UEFI DBX revocations from Microsoft's January 2025 Patch Tuesday have been applied; unrevoked certificates allow reloader.efi to execute even with Secure Boot enabled.
- Flag UEFI applications that load PE binaries without using the trusted LoadImage/StartImage services, as this is the core exploitation mechanism of CVE-2024-7344.
- CVE-2024-7344 can be exploited even if none of the named vulnerable products are installed on the target; an attacker only needs to deploy the vulnerable reloader.efi binary.
- ESET telemetry shows no active in-the-wild use of HybridPetya; it may be a proof-of-concept or early-stage tool.
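As an added defender-side example (not code from any of the cited sources), the Python below triages a mounted ESP for the artefacts in the IOC list above: the fixed-path staging files under \EFI\Microsoft\Boot\ and any cloak.dat, for which it tries to recover a single-byte XOR key by looking for an MZ header and PE signature. The single-byte key and the fixture layout are assumptions; the sources describe the payload only as a rudimentary XOR-encrypted PE image.

```python
import os
import struct
import tempfile

# Fixed-path artefacts from the IOC list above, relative to the ESP root.
STAGING = ["EFI/Microsoft/Boot/" + n
           for n in ("config", "verify", "counter", "bootmgfw.efi.old")]


def xor_key_for_pe(blob: bytes):
    """Single-byte XOR key under which blob decodes to a PE image (MZ header and
    PE\\0\\0 at e_lfanew), else None. Single-byte keying is an assumption; the
    sources only call the payload a "rudimentary XOR-encrypted PE image"."""
    for key in range(256):
        hdr = bytes(b ^ key for b in blob[:0x40])
        if len(hdr) < 0x40 or hdr[:2] != b"MZ":
            continue
        off = struct.unpack_from("<I", hdr, 0x3C)[0]  # e_lfanew
        if bytes(b ^ key for b in blob[off:off + 4]) == b"PE\0\0":
            return key
    return None


def scan_esp(root: str) -> dict:
    """Walk a mounted ESP: report present staging files and every cloak.dat
    (any directory, FAT is case-insensitive) with the XOR key it decodes under."""
    out = {"staging": [r for r in STAGING if os.path.exists(os.path.join(root, r))],
           "cloak": {}}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower() == "cloak.dat":
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    key = xor_key_for_pe(fh.read())
                out["cloak"][os.path.relpath(path, root).replace(os.sep, "/")] = key
    return out


def build_sample_esp() -> str:
    """Constructed fixture: throwaway ESP tree with three staging files and a
    cloak.dat holding a minimal PE stub XORed with the made-up key 0x5A."""
    root = tempfile.mkdtemp(prefix="esp_")
    boot = os.path.join(root, "EFI", "Microsoft", "Boot")
    os.makedirs(boot)
    for name in ("config", "counter", "bootmgfw.efi.old"):
        open(os.path.join(boot, name), "wb").close()
    stub = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 16
    with open(os.path.join(boot, "cloak.dat"), "wb") as fh:
        fh.write(bytes(b ^ 0x5A for b in stub))
    return root
```

A cloak.dat that is present but does not decode under any single-byte key is still reported, with key None, since its presence alone is an indicator.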
CVSS provenance
- nvd (v3.1): 8.2 HIGH, CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
- vulncheck: 8.2 HIGH
- vendor_redhat: 8.2 HIGH
- vendor_msrc: 6.7 MEDIUM
GHSA
GHSA-7xfj-4r7x-3733: Howyar UEFI Application "Reloader" (32-bit and 64-bit) is vulnerable to execution of unsigned software in a hardcoded path
ghsa_unreviewed · 2025-01-14 · CVE-2024-7344 · MEDIUM · CWE-347
Howyar UEFI Application "Reloader" (32-bit and 64-bit) is vulnerable to execution of unsigned software in a hardcoded path.
VulnCheck
cs-grp neo_impact Improper Verification of Cryptographic Signature
vulncheck · 2024 · CVSS 8.2 · HIGH
Howyar UEFI Application "Reloader" (32-bit and 64-bit) is vulnerable to execution of unsigned software in a hardcoded path.
Affected: cs-grp neo_impact
Required Action: Apply remediations or mitigations per vendor instructions, or discontinue use of the product if remediation or mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References:
- https://eclypsium.com/blog/hybridpetya-ransomware-shows-why-firmware-security-cant-be-an-afterthought/
- https://www.cyfirma.com/news/weekly-intelligence-report-10-october-2025/
- https://eclypsium.com/blog/bombshell-the-signed-backdoor-hiding-in-plain-sight-on-framework-devices/
- https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-threat-rep
Red Hat
howyar-sysreturn: Howyar UEFI Application "Reloader": Unsigned software execution via hardcoded path
vendor_redhat · 2025-01-14 · CVSS 8.2 · HIGH
Howyar UEFI Application "Reloader" (32-bit and 64-bit) is vulnerable to execution of unsigned software in a hardcoded path.
A flaw was found in the Howyar UEFI (Unified Extensible Firmware Interface) Application "Reloader". This vulnerability allows execution of unsigned software via a hardcoded path.
Statement: Red Hat components are not directly affected by CVE-2024-7344. However, until the DBX entries are updated on a system, it is possible for an attacker to boot the affected EFI applications even with Secure Boot protections enabled. Once the affected vendors have released a DBX update, it should be installed through fwupd via LVFS.
Microsoft
Cert CC: CVE-2024-7344 Howyar Taiwan Secure Boot Bypass
vendor_msrc · 2025-01-14 · CVSS 6.7 · HIGH
Description: This CVE was assigned by CERT CC. The purpose of this document is to attest to the fact that the products listed in the Security Updates table have been updated to protect against this vulnerability.
FAQ: What kind of security feature could be bypassed by successfully exploiting this vulnerability?
An attacker who successfully exploited this vulnerability could bypass Secure Boot.
Affected: Windows Secure Boot
Assigned by: CERT CC
Customer Action Required: Yes
Impact: Security Feature Bypass
Exploit Status: Publicly Disclosed: No; Exploited: No; Latest Software Release: Exploitation Less Likely
Reference: https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5050008
Reference: https://support.microsoft.c
No detection rules found.
No public exploits indexed.
ESET
HybridPetya: The Petya/NotPetya copycat comes with a twist
blogs_eset · 2025-09-16 · CVSS 8.2 · HIGH
HybridPetya is the fourth publicly known real or proof-of-concept bootkit with UEFI Secure Boot bypass functionality
Editor, 16 Sep 2025
ESET researchers have uncovered a new ransomware strain that they have named HybridPetya. While resembling the infamous Petya/NotPetya malware, it comes with a new and dangerous twist: it adds the ability to compromise UEFI-based systems and weaponize CVE-2024-7344 in order to bypass UEFI Secure Boot on outdated systems. HybridPetya is not actively spreading in the wild, but it's at least the fourth known real or proof-of-concept bootkit with UEFI Secure Boot bypass
BleepingComputer
New HybridPetya ransomware can bypass UEFI Secure Boot
blogs_bleepingcomputer · 2025-09-12 · CVSS 8.2 · HIGH
Bill Toulas
A recently discovered ransomware strain called HybridPetya can bypass the UEFI Secure Boot feature to install a malicious application on the EFI System Partition.
HybridPetya appears inspired by the destructive Petya/NotPetya malware that encrypted computers and prevented Windows from booting in attacks in 2016 and 2017 but did not provide a recovery option.
Researchers at cybersecurity company ESET found a sample of HybridPetya on VirusTotal. They note that this may be a research project, a proof-of-concept, or an early version of a cybercrime tool still under limited testing.
Still, ESET says that its presence is yet another example (along with BlackLotus, BootKitty, and Hyper-V Backdoor) that UEFI bootkits w
ESET
Introducing HybridPetya: Petya/NotPetya copycat with UEFI Secure Boot bypass
blogs_eset · 2025-09-12 · CVSS 8.2 · HIGH
UEFI copycat of Petya/NotPetya exploiting CVE-2024-7344 discovered on VirusTotal
Martin Smolár, 12 Sep 2025, 14 min. read
ESET Research has discovered HybridPetya on the VirusTotal sample-sharing platform. It is a copycat of the infamous Petya/NotPetya malware, adding the capability of compromising UEFI-based systems and weaponizing CVE-2024-7344 to bypass UEFI Secure Boot on outdated systems.
New ransomware samples, which we named HybridPetya, resembling the infamous Petya/NotPetya malware, were uploaded to VirusTotal in February 2025.
HybridPetya encrypts the Master File Table, which contains important metadata
BleepingComputer
New UEFI Secure Boot flaw exposes systems to bootkits, patch now
blogs_bleepingcomputer · 2025-01-16 · CVSS 8.2 · HIGH
Bill Toulas
## Underlying problem
The issue stems from the application using a custom PE loader, which allows loading any UEFI binary, even if it is not signed.
Specifically, the vulnerable UEFI application does not rely on trusted services like 'LoadImage' and 'StartImage' that validate binaries against a trust database (db) and a revocation database (dbx).
In this context, 'reloader.efi' manually decrypts and loads into memory binaries from 'cloak.dat', which contains a rudimentary XOR-encrypted PE image.
This unsafe process could be exploited by an attacker by replacing the app's default OS bootloader on the EFI partition with a vulnerable 'reloader.efi' and planting a malicious 'cloak.dat' file on its nomin
BleepingComputer
Microsoft January 2025 Patch Tuesday fixes 8 zero-days, 159 flaws
blogs_bleepingcomputer · 2025-01-14 · CVSS 7.8 · HIGH
Lawrence Abrams
- 40 Elevation of Privilege Vulnerabilities
- 14 Security Feature Bypass Vulnerabilities
- 58 Remote Code Execution Vulnerabilities
- 24 Information Disclosure Vulnerabilities
- 20 Denial of Service Vulnerabilities
- 5 Spoofing Vulnerabilities
To learn more about the non-security updates released today, you can review our dedicated articles on the Windows 11 KB5050009 & KB5050021 cumulative updates and the Windows 10 KB5048652 cumulative update.
## Three actively exploited zero-days disclosed
This month's Patch Tuesday fixes three actively exploited and five publicly exposed zero-day vulnerabilities.
Microsoft classifies a zero-day flaw as one that is publicly disclosed or actively exploited while no offi
ESET
Introducing HybridPetya: Petya/NotPetya copycat with UEFI Secure Boot bypass
blogs_eset
ESET Research has discovered HybridPetya on the VirusTotal sample-sharing platform. It is a copycat of the infamous Petya/NotPetya malware, adding the capability of compromising UEFI-based systems and weaponizing CVE-2024-7344 to bypass UEFI Secure Boot on outdated systems.
> Key points of this blogpost:
>
> - New ransomware samples, which we named HybridPetya, resembling the infamous Petya/NotPetya malware, were uploaded to VirusTotal in February 2025.
> - HybridPetya encrypts the Master File Table, which contains important metadata about all the files on NTFS-formatted partitions.
> - Unlike the original Petya/NotPetya, HybridPetya can compromise modern UEFI-based systems by installing a malicious EFI application onto the EFI System Partition.
> - One of the analyzed HybridPetya varian
References
- https://uefi.org/revocationlistfile
- https://uefi.org/specs/UEFI/2.10/03_Boot_Manager.html
- https://uefi.org/specs/UEFI/2.10/32_Secure_Boot_and_Driver_Signing.html
- https://www.eset.com/blog/enterprise/preparing-for-uefi-bootkits-eset-discovery-shows-the-importance-of-cyber-intelligence/
- https://www.kb.cert.org/vuls/id/529659
- https://www.welivesecurity.com/en/eset-research/under-cloak-uefi-secure-boot-introducing-cve-2024-7344/