Booting into Breaches: Hunting Windows SecureBoot's Remote Attack Surfaces

Black Hat USA 2025 · Day 1 · Briefings

Andrew Yang of CyberKunlun submitted 55 vulnerability reports to MSRC, accounting for nearly 60% of all Windows Secure Boot Security Feature Bypass CVEs issued in the past decade. What makes his research distinctive is that the majority of his findings are exploitable **remotely over the network via PXE boot**, without physical access — a scenario prior research had largely ignored. The persistent PCA 2011 certificate on most hardware remains a viable exploitation bridge for all findings even today.

---

AI review

Andrew Yang found 55 Secure Boot vulnerabilities — nearly 60% of the total CVE count for the entire category over a decade — and most of them are exploitable remotely over PXE with no physical access required and no ASLR to work around. This is not incremental research. This is one researcher comprehensively owning a component that the industry assumed was hard to attack.
