Curated by THEOUTPOST
On Tue, 1 Apr, 4:03 PM UTC
3 Sources
[1]
Microsoft uses AI to find flaws in GRUB2, U-Boot, Barebox bootloaders
Microsoft used its AI-powered Security Copilot to discover 20 previously unknown vulnerabilities in the GRUB2, U-Boot, and Barebox open-source bootloaders. GRUB2 (GRand Unified Bootloader) is the default boot loader for most Linux distributions, including Ubuntu, while U-Boot and Barebox are commonly used in embedded and IoT devices.
Microsoft discovered eleven vulnerabilities in GRUB2, including integer and buffer overflows in filesystem parsers, command flaws, and a side-channel in cryptographic comparison. Additionally, 9 buffer overflows in parsing SquashFS, EXT4, CramFS, JFFS2, and symlinks were discovered in U-Boot and Barebox, which require physical access to exploit.
The newly discovered flaws impact devices relying on UEFI Secure Boot, and if the right conditions are met, attackers can bypass security protections to execute arbitrary code on the device. While exploiting these flaws would likely need local access to devices, previous bootkit attacks like BlackLotus achieved this through malware infections.
"While threat actors would likely require physical device access to exploit the U-boot or Barebox vulnerabilities, in the case of GRUB2, the vulnerabilities could further be exploited to bypass Secure Boot and install stealthy bootkits or potentially bypass other security mechanisms, such as BitLocker," explains Microsoft.
"The implications of installing such bootkits are significant, as this can grant threat actors complete control over the device, allowing them to control the boot process and operating system, compromise additional devices on the network, and pursue other malicious activities."
"Furthermore, it could result in persistent malware that remains intact even after an operating system reinstallation or a hard drive replacement."
Below is a summary of the flaws Microsoft uncovered in GRUB2:
All of the above flaws are rated medium severity, except for CVE-2025-0678, which is rated "high" (CVSS v3.1 score: 7.8).
Microsoft says Security Copilot dramatically accelerated the vulnerability discovery process in a large and complex codebase, such as GRUB2, saving approximately 1 week of time that would be required for manual analysis. Not only did the AI tool identify the previously undiscovered flaws, but it also provided targeted mitigation recommendations that could provide pointers and accelerate the issuing of security patches, especially in open-source projects supported by volunteer contributors and small core teams. Using the findings in the analysis, Microsoft says Security Copilot found similar bugs in projects utilizing shared code with GRUB2, such as U-Boot and Barebox. GRUB2, U-Boot, and Barebox released security updates for the vulnerabilities in February 2025, so updating to the latest versions should mitigate the flaws.
[2]
Microsoft has its AI-powered Security Copilot discover a whole host of previously unknown vulnerabilities
Microsoft says the AI tool saved the company at least a week of work
Microsoft has revealed more on how its latest AI tools are proving useful in spotting code vulnerabilities and more. The company has published a new blog post detailing how it used Security Copilot (its AI-powered cybersecurity tool) to find almost two dozen vulnerabilities in different open-source bootloaders. In total, Microsoft found 11 flaws in GRUB2, and nine more in U-Boot and Barebox.
GRUB2 (GRand Unified Bootloader version 2) is a bootloader used in Linux and other Unix-like operating systems to manage the boot process and load the operating system. U-Boot (Das U-Boot) and Barebox, on the other hand, are bootloaders primarily used in embedded systems. U-Boot is a widely adopted bootloader supporting various architectures, while Barebox is an alternative designed for faster boot times and easier maintenance.
The vulnerabilities range from integer and buffer overflows to side-channel attacks and out-of-bounds read vulnerabilities. Some of the flaws could be used to execute arbitrary code, Microsoft said, whereas others would need physical access to the vulnerable device, or would need the device to be infected with malware beforehand.
"While threat actors would likely require physical device access to exploit the U-boot or Barebox vulnerabilities, in the case of GRUB2, the vulnerabilities could further be exploited to bypass Secure Boot and install stealthy bootkits or potentially bypass other security mechanisms, such as BitLocker," Microsoft said.
"The implications of installing such bootkits are significant, as this can grant threat actors complete control over the device, allowing them to control the boot process and operating system, compromise additional devices on the network, and pursue other malicious activities."
"Furthermore, it could result in persistent malware that remains intact even after an operating system reinstallation or a hard drive replacement."
All of the flaws now have a CVE assigned, and their severity is mostly "medium", with one being rated "high" - 7.8/10.
[3]
Microsoft's AI Finds Security Flaws in Bootloaders for Linux Systems
Microsoft discovered 11 security flaws in the GRUB2 bootloader
Microsoft Security Copilot, an artificial intelligence (AI) cybersecurity tool, was used to discover several previously unknown vulnerabilities in open-source bootloaders. The Redmond-based tech giant recently revealed a list of the security flaws discovered in three commonly used bootloaders. One of the bootloaders is the default for many Linux-based systems, while the other two are typically used for embedded systems and Internet of Things (IoT) devices. Notably, Microsoft has informed the bootloader maintainers about the exploits, and they have released security updates to fix them.
In a blog post, Microsoft detailed the discovery process and extent of risk with these vulnerabilities. The company used Security Copilot, an AI-powered security analysis tool that can assist in protecting organisations from threat actors as well as discovering security flaws.
These vulnerabilities were detected in GRand Unified Bootloader (GRUB2), U-Boot, and Barebox, commonly used bootloaders for operating systems and devices. GRUB2 is the default bootloader for many Linux-based systems, whereas U-Boot and Barebox are generally seen in embedded systems and IoT devices. Notably, a bootloader is a small program that runs before the operating system (OS) starts. It is responsible for loading the OS into memory and initiating the boot process.
By using AI, Microsoft Threat Intelligence discovered 11 vulnerabilities in GRUB2, including issues like integer overflows, buffer overflows, and a cryptographic side-channel flaw. These security flaws could allow threat actors to bypass the Unified Extensible Firmware Interface (UEFI) Secure Boot, which is designed to prevent unauthorised code from running during the boot process.
Security Copilot also discovered nine vulnerabilities in U-Boot and Barebox. These were primarily buffer overflows that affected file systems such as SquashFS, EXT4, CramFS, JFFS2, and symlinks.
Notably, the threat actor would need to have physical access to the device to exploit these flaws; however, the security risk still exists. In the case of GRUB2, Microsoft explained that the vulnerabilities could be exploited by attackers to install stealthy bootkits remotely. This is concerning, as such bootkits can persist even after reinstalling the operating system or replacing the hard drive. The teams behind GRUB2, U-Boot, and Barebox have already released security updates in February to address these vulnerabilities. Users are advised to update their systems to the latest versions to protect themselves from potential cyberattacks.
Microsoft's AI-powered Security Copilot has discovered 20 previously unknown vulnerabilities in popular open-source bootloaders, highlighting the potential of AI in cybersecurity and the importance of securing fundamental system components.
Microsoft has demonstrated the power of artificial intelligence in cybersecurity by using its AI-powered Security Copilot to discover 20 previously unknown vulnerabilities in popular open-source bootloaders. The affected bootloaders include GRUB2, which is the default for many Linux distributions, as well as U-Boot and Barebox, commonly used in embedded and IoT devices [1][2].
Microsoft's AI tool identified 11 vulnerabilities in GRUB2, including:
These flaws could potentially allow attackers to bypass UEFI Secure Boot and install stealthy bootkits, granting them complete control over the device [1].
An additional 9 vulnerabilities were found in U-Boot and Barebox:
While these flaws generally require physical access to exploit, they still pose a significant security risk [1][3].
The discovered vulnerabilities have serious implications:
Microsoft warns that exploiting these flaws could result in malware that remains intact even after an operating system reinstallation or hard drive replacement [2].
Microsoft's use of Security Copilot significantly accelerated the vulnerability discovery process:
This demonstrates the potential of AI in enhancing cybersecurity efforts, especially in complex codebases [1].
Most of the discovered flaws are rated as medium severity, with one (CVE-2025-0678) rated as high severity with a CVSS v3.1 score of 7.8 [1][2].
GRUB2, U-Boot, and Barebox released security updates in February 2025 to address these vulnerabilities. Users are strongly advised to update to the latest versions to mitigate the risks [1][3].
This discovery highlights the growing role of AI in identifying and addressing cybersecurity threats. By accelerating the vulnerability discovery process and providing targeted recommendations, AI tools like Security Copilot can significantly enhance the efficiency and effectiveness of cybersecurity efforts [2][3].
As AI continues to evolve, it is likely to play an increasingly important role in protecting critical infrastructure and systems from emerging threats, while also raising new questions about the balance between AI-driven security and potential vulnerabilities introduced by AI systems themselves.