Vulnerability in Trusted System Recovery Programs
A vulnerability in trusted system recovery programs could allow privileged attackers to inject malware directly into the system startup process in Unified Extensible Firmware Interface (UEFI) devices.
Affected Recovery Products
Seven real-time recovery products — Howyar SysReturn, Greenware GreenGuard, Radix SmartRecovery, Sanfong EZ-back System, WASAY eRecoveryRX, CES NeoImpact, and SignalComputer HDD King — all make use of "reloader.efi," the Microsoft-signed Extensible Firmware Interface (EFI) file at issue.
The Problem
The problem, ESET explains in a new report, is that reloader.efi uses a custom loader that enables the application to load even unsigned binaries during the boot process. In essence, it’s a backdoor for sneaking any kind of file into a system’s startup.
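Because the weak link is a single named file, the first thing a defender wants is an inventory of every EFI System Partition that still carries a copy. The following script is an added example, not code from the article, ESET or any of the named vendors: it walks a mounted ESP, reports every file named reloader.efi (the comparison is case-insensitive because the ESP is FAT-formatted), confirms the file is really a PE image, and records its SHA-256 for cross-checking against published indicators. The mount point `/boot/efi` is an assumed default; the SHA-256 is a plain file hash and is not the Authenticode hash that Secure Boot revocation lists use.

```python
import hashlib
import os
from pathlib import Path

# File names to report (compared case-insensitively; the ESP is FAT32).
# "reloader.efi" is the name given in the article; extend the set with other
# names from vendor advisories as needed.
SUSPECT_NAMES = {"reloader.efi"}


def is_pe_image(path: Path) -> bool:
    """True if the file has an 'MZ' DOS header and a 'PE\\0\\0' signature at e_lfanew."""
    try:
        with path.open("rb") as f:
            head = f.read(0x40)
            if len(head) < 0x40 or head[:2] != b"MZ":
                return False
            pe_off = int.from_bytes(head[0x3C:0x40], "little")
            f.seek(pe_off)
            return f.read(4) == b"PE\x00\x00"
    except OSError:
        return False


def sha256_file(path: Path) -> str:
    """Plain SHA-256 of the file contents (for matching against published file hashes)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_esp(root: str) -> list[dict]:
    """Walk a mounted EFI System Partition and return one record per file whose
    name is in SUSPECT_NAMES: path, whether it is a PE image, and its SHA-256."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in SUSPECT_NAMES:
                p = Path(dirpath) / name
                hits.append({
                    "path": str(p),
                    "is_pe": is_pe_image(p),
                    "sha256": sha256_file(p),
                })
    return hits


if __name__ == "__main__":
    import sys
    # Assumed default mount point for the ESP on a typical Linux install.
    mount = sys.argv[1] if len(sys.argv) > 1 else "/boot/efi"
    hits = scan_esp(mount)
    if not hits:
        print(f"no {', '.join(sorted(SUSPECT_NAMES))} found under {mount}")
    for hit in hits:
        print(f"{hit['path']}  pe={hit['is_pe']}  sha256={hit['sha256']}")
```

A hit only means the loader is present; whether it is still bootable depends on whether the host's Secure Boot revocation list has been updated, so treat the output as an inventory to reconcile against the vendor's fixed versions rather than as proof of compromise.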
UEFI Signing Requirements
Microsoft maintains a list of requirements for signing UEFI binaries, but the process is a bit obscure, according to Smolár. "I don’t know if it involves only running through this list of requirements, or if there are some other activities involved, like manual binary reviews where they look for not necessarily malicious, but insecure behavior," he says. Microsoft has previously alluded to UEFI binaries being "approved through manual review." Dark Reading has reached out to the company for more clarity on this point.
CVE-2024-7344 Discovery and Fix
ESET first discovered CVE-2024-7344 in July 2024. Since then, all vulnerable applications have been fixed, and Microsoft revoked the old, vulnerable binaries in its January 14, 2025, Patch Tuesday update.
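Microsoft ships revocations of signed UEFI binaries as new entries in the Secure Boot forbidden-signature database (dbx), so "revoked in the January update" only protects a machine whose firmware variable actually received those entries. The parser below is an added example, not from the article or ESET: it decodes the EFI_SIGNATURE_LIST structures that make up dbx, extracts the SHA-256 (EFI_CERT_SHA256) entries, and can answer whether a given hash is revoked. It assumes the standard Linux efivarfs path for dbx (the GUID is the UEFI image-security-database GUID) and that efivarfs prefixes the variable data with a 4-byte attribute word, both of which hold for mainline kernels. The `build_sha256_list` helper exists only to construct sample input for offline runs.

```python
import os
import struct
import uuid

# GUIDs defined by the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Assumed efivarfs path: "<name>-<EFI_IMAGE_SECURITY_DATABASE_GUID>".
DBX_EFIVAR = "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3e-4596-a3bc-dad00e67656f"

SIGLIST_HEADER_LEN = 28  # GUID(16) + SignatureListSize(4) + SignatureHeaderSize(4) + SignatureSize(4)


def parse_signature_lists(blob: bytes) -> list[dict]:
    """Decode a concatenation of EFI_SIGNATURE_LIST structures (the raw db/dbx payload).
    Each list: SignatureType GUID, SignatureListSize, SignatureHeaderSize, SignatureSize,
    an optional header, then fixed-size entries of SignatureOwner GUID + SignatureData."""
    entries = []
    off = 0
    while off + SIGLIST_HEADER_LEN <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < SIGLIST_HEADER_LEN or off + list_size > len(blob) or sig_size < 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        pos = off + SIGLIST_HEADER_LEN + hdr_size
        end = off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append({"type": sig_type, "owner": owner, "data": blob[pos + 16:pos + sig_size]})
            pos += sig_size
        off = end
    return entries


def revoked_sha256_hashes(blob: bytes) -> set[str]:
    """Hex Authenticode SHA-256 hashes listed in the blob (EFI_CERT_SHA256 entries only)."""
    return {e["data"].hex() for e in parse_signature_lists(blob) if e["type"] == EFI_CERT_SHA256_GUID}


def is_revoked(blob: bytes, authenticode_sha256_hex: str) -> bool:
    return authenticode_sha256_hex.lower() in revoked_sha256_hashes(blob)


def read_dbx_from_efivars(path: str = DBX_EFIVAR) -> bytes:
    """efivarfs exposes 4 bytes of variable attributes before the variable data."""
    with open(path, "rb") as f:
        return f.read()[4:]


def build_sha256_list(hashes: list[str], owner: uuid.UUID = uuid.UUID(int=0)) -> bytes:
    """Build one EFI_SIGNATURE_LIST of EFI_CERT_SHA256 entries; used only to construct sample input."""
    sig_size = 16 + 32
    body = b"".join(owner.bytes_le + bytes.fromhex(h) for h in hashes)
    list_size = SIGLIST_HEADER_LEN + len(body)
    return EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", list_size, 0, sig_size) + body


if __name__ == "__main__":
    if os.path.exists(DBX_EFIVAR):
        blob = read_dbx_from_efivars()
        entries = parse_signature_lists(blob)
        n_hash = sum(1 for e in entries if e["type"] == EFI_CERT_SHA256_GUID)
        n_cert = sum(1 for e in entries if e["type"] == EFI_CERT_X509_GUID)
        print(f"dbx: {n_hash} SHA-256 entries, {n_cert} X.509 entries, {len(entries)} total")
    else:
        print(f"{DBX_EFIVAR} not present (no UEFI Secure Boot variables exposed here)")
```

Running the script before and after applying the firmware update gives a direct count of how many hash entries the host's dbx gained. The hashes inside dbx are Authenticode hashes of the PE image, not plain file hashes, so `is_revoked` expects the value as published in the vendor's or Microsoft's revocation notice rather than a `sha256sum` of the file.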