Clevo UEFI firmware exposed Boot Guard private keys, enabling potential abuse of the Boot Guard trust chain
CVE-2025-11577

Currently unrated

Key Information:

Vendor: Clevo
Status: Notebook System Firmware
Vendor: CVE Published:; 14 October 2025

What is CVE-2025-11577?

Clevo’s UEFI firmware update packages, including B10717.exe, inadvertently contained private signing keys used for Boot Guard and Boot Policy Manifest verification. The exposure of these keys could allow attackers to sign malicious firmware that appears trusted by affected systems, undermining the integrity of the early boot process.

Affected Version(s)

Notebook System Firmware 1.07.07TRO1

References

https://www.binarly.io/advisories/brly-2025-002

https://www.kb.cert.org/vuls/id/538470

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 14, 2025
Vulnerability Reserved
Oct 10, 2025

JSON