CVE-2025-14304
📋 TL;DR
This vulnerability allows unauthenticated physical attackers with DMA-capable PCIe devices to read and write arbitrary physical memory on affected ASRock motherboards before the OS loads. It affects ASRock, ASRockRack, and ASRockInd motherboard models where IOMMU protection is not properly enabled. Attackers can bypass OS-level security controls by exploiting this hardware-level flaw.
💻 Affected Systems
- ASRock motherboards
- ASRockRack server motherboards
- ASRockInd industrial motherboards
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise including theft of encryption keys, credentials, and sensitive data; installation of persistent firmware-level malware; bypass of all OS security controls.
Likely Case
Physical attackers in data centers or shared hosting environments could extract sensitive data from memory or install backdoors on affected systems.
If Mitigated
With proper physical security controls and IOMMU configuration, risk is limited to authorized personnel with physical access to PCIe slots.
🎯 Exploit Status
Requires physical access and specialized hardware (DMA-capable PCIe device). Not remotely exploitable.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor BIOS/UEFI updates for specific motherboard models
Vendor Advisory: https://www.asrock.com/support/Security.asp
Restart Required: Yes
Instructions:
1. Identify your motherboard model.
2. Visit ASRock/ASRockRack/ASRockInd security advisory pages.
3. Download latest BIOS/UEFI firmware for your model.
4. Follow vendor instructions to update firmware.
5. Verify IOMMU is enabled in BIOS settings.
🔧 Temporary Workarounds
Enable IOMMU in BIOS/UEFI
Manually enable IOMMU (VT-d/AMD-Vi) in BIOS/UEFI settings if not enabled by default
Physical Security Controls
Restrict physical access to servers and PCIe slots using locked chassis, secure data centers, and access controls
🧯 If You Can't Patch
- Implement strict physical security controls to prevent unauthorized access to PCIe slots
- Disable unused PCIe slots in BIOS/UEFI settings and physically secure remaining slots
🔍 How to Verify
Check if Vulnerable:
Check BIOS/UEFI settings for IOMMU/VT-d/AMD-Vi status. If it is disabled or not present, the system may be vulnerable. Also check the vendor advisory to confirm whether your specific model is affected.
Check Version:
On Linux: 'sudo dmidecode -t bios' or 'sudo cat /sys/class/dmi/id/bios_version'. On Windows: 'wmic bios get smbiosbiosversion' or check System Information.
Verify Fix Applied:
Verify IOMMU is enabled in BIOS/UEFI settings and confirm BIOS/UEFI version matches patched version from vendor advisory.
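The checks above can be collected from a running Linux system in one pass. The script below is an added example, not part of the advisory or any vendor tool: it reports board vendor, model and BIOS version from sysfs DMI, whether firmware published an IOMMU ACPI table (which normally appears only when VT-d/AMD-Vi is enabled in BIOS/UEFI), and whether the kernel actually has IOMMU groups in use. It confirms the BIOS setting from the OS side; it does not by itself prove that pre-boot DMA protection was active.

```sh
#!/bin/sh
# Added example (not from the advisory): report, from a running Linux system,
# whether firmware exposed an IOMMU and whether the kernel is using it, alongside
# the BIOS version to compare against the vendor advisory.
# Only reads procfs/sysfs; run with sudo so the ACPI table directory is readable.

# Decide IOMMU state from the kernel command line and the number of
# /sys/kernel/iommu_groups entries. $1 = cmdline, $2 = group count.
# Prints one of: enabled, disabled.
classify_iommu() {
    cmdline="$1"; groups="$2"
    case " $cmdline " in
        # Explicitly switched off on the kernel side.
        *" intel_iommu=off "*|*" amd_iommu=off "*) echo disabled; return 0 ;;
    esac
    # An active IOMMU driver creates one iommu_groups entry per isolation group;
    # zero groups means no DMA remapping is in use.
    if [ "${groups:-0}" -gt 0 ] 2>/dev/null; then echo enabled; else echo disabled; fi
}

# Firmware normally publishes the DMAR (Intel VT-d) or IVRS (AMD-Vi) ACPI table
# only when the IOMMU is enabled in BIOS/UEFI, so its presence mirrors that setting.
firmware_iommu_table() {
    for t in DMAR IVRS; do
        if [ -e "/sys/firmware/acpi/tables/$t" ]; then echo "$t"; return 0; fi
    done
    echo none
}

# Read a DMI field with a fallback so the script also runs where sysfs DMI is absent.
dmi_field() { cat "/sys/class/dmi/id/$1" 2>/dev/null || echo unknown; }

live_check() {
    cmdline=$(cat /proc/cmdline 2>/dev/null || echo "")
    groups=$(ls /sys/kernel/iommu_groups 2>/dev/null | wc -l | tr -d ' ')
    printf 'Board vendor     : %s\n' "$(dmi_field board_vendor)"
    printf 'Board model      : %s\n' "$(dmi_field board_name)"
    printf 'BIOS version     : %s (%s)\n' "$(dmi_field bios_version)" "$(dmi_field bios_date)"
    printf 'ACPI IOMMU table : %s\n' "$(firmware_iommu_table)"
    printf 'Kernel IOMMU     : %s (%s groups)\n' "$(classify_iommu "$cmdline" "$groups")" "$groups"
}

live_check
```

If the ACPI table is missing or the kernel reports zero groups, treat the IOMMU as not enabled and revisit the BIOS/UEFI setting described in the mitigation section.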
📡 Detection & Monitoring
Log Indicators:
- BIOS/UEFI modification logs
- Unexpected PCIe device connections in system logs
- Physical access logs showing unauthorized entry
Network Indicators:
- None - physical attack only
SIEM Query:
Search for BIOS/UEFI modification events or physical access violations in security logs