LiveActive security incident?Get immediate response
CVE Record

CVE-2024-8105: Insecure Platform Key (PK) used in UEFI system firmware signature

A vulnerability exists in UEFI implementations that use a hard-coded software-based Platform Key (PK). An attacker in possession of the corresponding PK private key can sign arbitrary UEFI executables or firmware components, causing them to be trusted by affected systems and potentially bypassing UEFI Secure Boot trust validation.

MediumCVSS 6.4Not KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

CVE-2024-8105 affects UEFI firmware that used a hard-coded Platform Key for Secure Boot. If an attacker has the matching private key, they can make malicious firmware components appear trusted. This can undermine a core boot-time security control, but exploitation requires high privilege and specific key possession.

Executive priority

Treat this as a targeted firmware trust risk, not a broad internet-exposed emergency. Prioritize validation for critical systems because remediation may depend on OEM firmware availability and device lifecycle status.

Technical view

This is CWE-321: use of a hard-coded cryptographic key. Affected UEFI implementations trust a software-based Platform Key whose private key may be known or obtainable. CVSS is 6.4 with local access, high complexity, and high privileges required, but potential confidentiality, integrity, and availability impact is high.

Likely exposure

Exposure is firmware- and model-specific. The source bundle references OEM advisories from Supermicro, Intel, Fujitsu, and Gigabyte. The provided affected-product data is limited and includes entries marked defaultStatus unaffected, so organizations should validate exposure against vendor advisories and firmware inventories.

Exploitation context

Successful abuse requires local access, high privileges, high complexity, and possession of the corresponding PK private key. It could allow signed UEFI executables or firmware components to bypass Secure Boot trust validation. No KEV listing is present, and the provided sources do not state active exploitation.

Researcher notes

Focus on firmware provenance, PK enrollment, and OEM-specific guidance. Avoid assuming every listed vendor product is affected; the supplied affected table is incomplete and partly marked unaffected. Binarly and CERT/CC materials are the primary technical references in this bundle.

Mitigation direction

  • Check OEM advisories for affected models and firmware-specific remediation.
  • Apply vendor-provided firmware or Secure Boot key updates where available.
  • Prioritize servers, shared workstations, and high-value endpoints.
  • Review vendor end-of-life statements before assuming updates exist.
  • Restrict administrative access on endpoints pending firmware validation.

Validation and detection

  • Inventory systems by vendor, model, and firmware version.
  • Confirm Secure Boot state and enrolled Platform Key details.
  • Compare firmware and PK indicators against vendor advisories.
  • Use vendor tools or guidance for definitive exposure confirmation.
  • Track exceptions where devices are end-of-life or unsupported.
Prepared
Confidence
medium
Sources
9

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-321: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2024-8105 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Medium
CVSS
6.4 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
3Timeline events
2ADP providers
10Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: pocAutomatable: noTechnical Impact: total

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
6.4CVSS 3.1MediumCVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H0.55.9CISA-ADP

Vulnerability scoring details

Base CVSS 3.1 score

6.4Medium
CVSS 3.1 vector shape for CVE-2024-8105Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CVECVE Program Container
CISA-ADPCISA ADP Vulnrichment
cvssV3_1other:ssvc

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
Acervz2694gd61d0e09d008bfb29bc32532b1b94fcc4ee2af5e8372c6d38722a4e73ecc71d6unaffected
Aceraspire s 272bd2bfaf79a72eaca45e544e5c6a5bb842b292bdc229b8975b3101a4013e0d5funaffected
Aceraspire s32-185629837e239487cc83818a7f40f9280d9692a50376487899edd603494b0f30e4c5unaffected
Aceraspire xc-1710cdaa406bda1a58fbe9933622dec218a26f79871d42f0d3576fbf878e51a16201unaffected
Acerc24-1655399f68dc94a6c42030efcd57fd034ff721f860b7b5d447779e7a6a6c99aba34funaffected
Aceraspire c22-1600d938d08543d35d4249a51057c1d9c62bb1f6440af19913c5feffcea47dd3de95unaffected
Acerc24-9623d525f96f63995c51ab1bcd2c50ebb71661ffeca9f78f97cc97e851d0e2bbbddunaffected
Aceraltos r680 f4a2679a9595a104d70bddc024dbc4f65f0dc9d906f30a0d1ae6b996b14246a6c2unaffected
Aceraltos r680s f4e5fdaabf11b236c5c7b040d674936e84db746a180ab9999317e16dcb77aeeba4unaffected
AopeniAPLx-DE(TAA30 TEST)94c6f84946db100b505af8a308f69ef6cddc2e310b50641a6e2e63bc9aed54e0unaffected
AopeniKBLMUx-DER(Volta Charging)fcd339e12730f057e41ad41228f9612d4954f2d0dbcfeef37e14dcdaf2866e05unaffected
Dellinspiron-15-3510-laptop7fbfd8b03d178e074572dff764f28af98c87c7556ce3837ccb8dfe993efa1940unaffected
Dellalienware-x17-r2-laptop65f5939878deede2e1b24a6412ba025b78f45b1562e9d365d97e1c76a32a1832unaffected
Dellalienware-m17-r4-laptopf75b595b9ce5e1e25a5d64e54edffdf696251b4f4e860c0d3a03a183631f090eunaffected
Dellalienware-x14-r1-laptop620848eeadb74a572d6400672aecca35f46dfdc7b5152bb028fbcbf74ea7bccdunaffected
Dellalienware-aurora-r15-amd-desktop6348442334e85e8374884ea848685771053a7cf274ccb77559c710b5a00f61e9unaffected
Dellalienware-m17-r3-laptop413a04c12bde19f1f97d9d334ed57197f0405f9f10ab7154d2b71e5471577c97unaffected
Dellalienware-area51m-r2-laptop253743e7a39d0b709122c5329799f4c4608536eeb632218e7f0cbe1f6e8b5db8unaffected
Dellalienware-x15-r1-laptop4fc54067f263791aed2fa4b57b226ea15c4eb0f55b3797e002bb62aa936bdd8cunaffected
Dellinspiron-15-3521-laptope2242e4aa3a284fcbbcf2f38a10bec24408f1eff74bb307e699ea46f483359f2unaffected
Dellalienware-aurora-r11-desktop8f79d9de33f5f131226a78ccb10bb16218a5be51b2105cc32e38ceb0c8c30e9aunaffected
Dellinspiron-15-3502-laptop62c02a9b5a4d4328ac41c3e3aa7757e64e6c5cd52b9e047333ad18e60d17fcb6unaffected
Dellalienware-aurora-r13-desktopdc5912033c5ca14475f2d59ca47f25c8840f362f0c8553d13bb06a8e47c42abfunaffected
Dellxps-8950-desktop6982be0bd8e1aed1251fe5300eec2b515b7cab70e761cfb72074f5d658d092d9unaffected
Dellalienware-aurora-r15-desktop7e310dca802db0f7a22d39bb2d7d5b79c7e9df8e5698f0e691942ec334ce5794unaffected
Dellalienware-aurora-r14-desktop26a447a94e96fa8d9c590888cae490750c32d5af95faece3595f21efc41c1f2cunaffected
Dellalienware-aurora-r16-desktop06a9dffc8fb3edafd1b6377cf38879860a0ae3c87f97258e09d189d291f64eadunaffected
Dellxps-8960-desktop0dcd7494f4926fb04b56e9713f0b62eff3a345b626fa2adaf47636bf0bb4c3ebunaffected
Dellalienware-m15-r2-laptop69da86e9cf24c49496529f3041604a6bb1c0c0ab86c192239d31d3a9b92467cdunaffected
Dellinspiron-17-3782-laptop602a23f43b11817ad5439579969753866a54b836f34dfe19342e5188cf088d85unaffected
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-321 · source CWE mapping

Use of Hard-coded Cryptographic Key

Use of Hard-coded Cryptographic Key represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.