Like Windows and macOS, Linux distributions also have important security measures, such as disk encryption and secure boot, which help protect your computer from external threats, especially viruses and malware.
These defenses work very well at the software level and keep you protected most of the time. But there is one important detail: when someone has physical access to your computer, things get complicated. And that's where a critical vulnerability that has just been discovered in Linux comes into play.
This flaw affects modern distros such as Ubuntu, Fedora, and others that use debug shells, allowing attackers to infect your system with persistent malware that can steal information or even destroy the operating system from within, without you even noticing.
Below, we explain how this threat works, why it is so worrying, and, most importantly, what you can do to protect your computer.
New cyberattack on Linux from USB: Malware installed without you noticing
This new type of physical attack is putting Linux users at risk: a simple USB stick can install persistent malware on your system without you knowing.
The person responsible for sounding the alarm is Alexander Moch, a security researcher at ERNW, who discovered a dangerous vulnerability (identified as CVE-2025-3052) that allows attackers to bypass both disk encryption and secure boot on several Linux distributions.
And that's not all: even tools such as GRUB, which normally protect the system boot with a password, are not enough to stop this type of attack.
How does the attack work?
According to Moch, the attack begins when an attacker connects a modified USB drive to a vulnerable computer. The drive contains an altered initramfs file, which allows arbitrary scripts to be executed during system startup.
The most worrying thing is that this process does not modify the official kernel signatures, so the system continues to believe that everything is in order. This means that the malware installs without raising suspicion and runs the next time you start and unlock your computer.
Step-by-step guide to the physical USB attack
The procedure, although it sounds technical, is relatively simple for someone with knowledge. Here's how it works:
- The attacker connects the USB to the powered-off computer.
- During startup, they press Esc, followed by Ctrl+C three times.
- They wait a few seconds and then repeat Ctrl+C six times to access the console.
- From there, the system has already loaded the modified initramfs that injects the malware in the background.
This allows the attacker to take control of the system without the need for passwords or additional interaction.
Affected Linux Distributions
The most affected distributions so far are:
- Ubuntu 25.04
- Fedora 42
- Other distros based on them that use debug shells during startup.
It cannot be ruled out that other versions or distributions may also be vulnerable if they use similar configurations.
What does the installed malware do?
Once inside, the malware can do quite a bit of damage:
- It steals passwords and personal data.
- It installs keyloggers to record what you type.
- It accesses sensitive information.
- It takes complete control of the system.
- It can even completely break your Linux installation.
Furthermore, because it is persistent, it does not disappear after rebooting and is not easily removed.
Why is this vulnerability so serious?
The most worrying thing is that this attack bypasses the main Linux security measures: disk encryption, Secure Boot, and password protection in GRUB. All of that becomes useless if someone can physically access your computer with a malicious USB drive.
And since everything happens before the operating system is fully loaded, neither antivirus software nor firewalls can do anything. The attack acts at the lowest level of the system.
How can you protect yourself from the Secure Boot flaw in Linux?
If you are using Linux and are concerned about the recent vulnerability related to Secure Boot, there are several measures you can take right now to strengthen your system's security and prevent an attacker from compromising it through boot.
One of the most effective, according to experts, is to make a small adjustment to the kernel parameters. Basically, this involves preventing the system from dropping into a debug shell if something goes wrong during boot. How do you do this? It's very easy:
- On Ubuntu-based systems, add: panic=0
- On distributions such as Red Hat, add: rd.shell=0 rd.emergency=halt
This change causes the system to shut down completely in the event of an error, rather than opening a console that an attacker could use to inject malicious code.
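As an added example (not code from the article or from ERNW), the POSIX shell functions below audit a kernel command line for the hardening parameters listed above and append any missing ones to the GRUB_CMDLINE_LINUX_DEFAULT line of /etc/default/grub. The family names "ubuntu" and "redhat" and the sample command lines are constructed for illustration.

```shell
# Audit a kernel command line for the debug-shell hardening parameters.
# $1 = "ubuntu" (expects panic=0) or "redhat" (expects rd.shell=0 rd.emergency=halt)
# $2 = kernel command line to check; defaults to the live /proc/cmdline.
# Prints the missing parameters; returns 0 when nothing is missing, 1 otherwise.
missing_boot_hardening() {
    family=$1
    cmdline=${2:-$(cat /proc/cmdline)}
    case "$family" in
        ubuntu) wanted="panic=0" ;;
        redhat) wanted="rd.shell=0 rd.emergency=halt" ;;
        *) echo "unknown family: $family" >&2; return 2 ;;
    esac
    missing=""
    for p in $wanted; do
        # Match the whole token, so panic=0 is not satisfied by panic=10.
        case " $cmdline " in
            *" $p "*) ;;
            *) missing="$missing $p" ;;
        esac
    done
    missing=${missing# }
    [ -z "$missing" ] && return 0
    echo "$missing"
    return 1
}

# Append parameters ($1) to a GRUB_CMDLINE_LINUX_DEFAULT="..." line read from
# stdin, keeping what is already there. After editing /etc/default/grub this
# way, regenerate the boot configuration (update-grub or grub2-mkconfig).
add_to_grub_default() {
    params=$1
    sed -E "s/^(GRUB_CMDLINE_LINUX_DEFAULT=\")([^\"]*)\"/\1\2 $params\"/; s/=\" /=\"/"
}
```

A practical check on a running machine is `missing_boot_hardening ubuntu` (or `redhat`) with no second argument, which reads the live /proc/cmdline.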
Strengthen boot and disk encryption
In addition to the kernel setting, there are other steps you can take to further secure your computer:
- Enable the password in the boot loader (GRUB). This way, every time someone tries to modify the boot options or access recovery mode, a password will be required.
- Encrypt the entire hard drive, including the boot partition. You can use tools such as LUKS to encrypt the disk or the boot partition (including on an SSD). This prevents the attacker from accessing the data even if they have physical access.
- Check and block USB booting in the BIOS/UEFI, and protect this setting with a password.
In summary: although this flaw is serious, there are practical and effective ways to protect your Linux computer today. Sometimes, a couple of lines in the configuration can make the difference between being exposed or staying one step ahead of attackers.