Acer has released a BIOS update addressing a high-severity vulnerability, tracked as CVE-2022-4020, that could be exploited to disable UEFI Secure Boot on targeted devices, BleepingComputer reports.
Numerous Acer laptop models, including the Acer Aspire A115-21, A315-22, A315-22G, Extensa EX215-21, and EX215-21G, are affected by the flaw, which was identified by ESET researcher Martin Smolar. Threat actors with elevated privileges could leverage it in low-complexity attacks to disable Secure Boot by altering the BootOrderSecureBootDisable NVRAM variable.
"Researchers have identified a vulnerability that may allow changes to Secure Boot settings by creating NVRAM variables (actual value of the variable is not important, only the existence is checked by the affected firmware drivers)," said Acer.
The BIOS update can be downloaded manually from Acer's support website, and Acer will also include it in an upcoming critical Windows update. Similar vulnerabilities were previously discovered by ESET researchers in various Lenovo laptop models, which have already been patched by the vendor.
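Because the affected firmware checks only whether the variable exists, a defender can audit a machine for it by name. The following is an added example, not code from Acer, ESET or BleepingComputer: it assumes a Linux system with efivarfs mounted at its usual path, matches the variable under any vendor GUID because the article does not give one, and uses a constructed placeholder GUID in its sample data.

```python
import os

EFIVARS = "/sys/firmware/efi/efivars"   # Linux efivarfs mount point
TRIGGER = "BootOrderSecureBootDisable"  # variable name given in the article
GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"  # EFI global variable GUID
PLACEHOLDER_GUID = "00000000-0000-0000-0000-000000000000"  # constructed, not Acer's


def audit_efivars(root=EFIVARS):
    """Report trigger-variable entries and the current SecureBoot state."""
    report = {"uefi": os.path.isdir(root), "trigger_entries": [], "secure_boot": None}
    if not report["uefi"]:
        return report  # legacy boot or efivarfs not mounted
    for entry in sorted(os.listdir(root)):
        # efivarfs names files "<VariableName>-<VendorGUID>" (GUID is 36 chars).
        name = entry[:-37] if len(entry) > 37 and entry[-37] == "-" else entry
        # Only existence matters to the affected firmware, so match the name
        # under any vendor GUID and never look at the contents.
        if name == TRIGGER:
            report["trigger_entries"].append(entry)
    try:
        with open(os.path.join(root, f"SecureBoot-{GLOBAL_GUID}"), "rb") as fh:
            raw = fh.read()
        # Layout: 4 attribute bytes, then the value (one byte, 1 = enabled).
        if len(raw) >= 5:
            report["secure_boot"] = raw[4] == 1
    except OSError:
        pass  # absent or unreadable: state stays unknown (None)
    return report


def build_sample(root, secure_boot, with_trigger):
    """Write a constructed efivarfs-like directory for offline testing."""
    os.makedirs(root, exist_ok=True)
    attrs = (0x06).to_bytes(4, "little")  # BS | RT attribute flags
    with open(os.path.join(root, f"SecureBoot-{GLOBAL_GUID}"), "wb") as fh:
        fh.write(attrs + bytes([1 if secure_boot else 0]))
    if with_trigger:
        with open(os.path.join(root, f"{TRIGGER}-{PLACEHOLDER_GUID}"), "wb") as fh:
            fh.write(attrs)  # empty payload: contents are irrelevant


if __name__ == "__main__":
    print(audit_efivars())
```

A non-empty `trigger_entries` list on an affected model is worth investigating even if `secure_boot` still reads true, since the variable's presence is what the firmware acts on.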