CVE-2024-8105: CWE-321: Use of Hard-coded Cryptographic Key in Acer vz2694g
A vulnerability exists in UEFI implementations that use a hard-coded software-based Platform Key (PK). An attacker in possession of the corresponding PK private key can sign arbitrary UEFI executables or firmware components, causing them to be trusted by affected systems and potentially bypassing UEFI Secure Boot trust validation.
AI Analysis
Technical Summary
This vulnerability involves the use of a hard-coded cryptographic key (Platform Key) in the UEFI firmware of the Acer vz2694g. The presence of a hard-coded PK means that if an attacker obtains the private key, they can create malicious UEFI executables or firmware components that will be accepted as trusted by the Secure Boot mechanism. This undermines the integrity of the Secure Boot process, potentially allowing unauthorized code execution during system boot. The vulnerability is identified as CWE-321 (Use of Hard-coded Cryptographic Key). There is no vendor advisory indicating a patch or mitigation at this time.
Potential Impact
An attacker with access to the private Platform Key can bypass UEFI Secure Boot trust validation by signing malicious firmware or executables. This can lead to the execution of unauthorized code at boot time, compromising system integrity, confidentiality, and availability. The CVSS vector indicates the attack requires local access with high privileges and high attack complexity, but results in high impact on confidentiality, integrity, and availability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or workaround has been published by Acer or CERT at this time. Until a patch is available, organizations should limit access to systems to trusted personnel only and monitor for firmware integrity where possible.
CVE-2024-8105: CWE-321: Use of Hard-coded Cryptographic Key in Acer vz2694g
Description
A vulnerability exists in UEFI implementations that use a hard-coded software-based Platform Key (PK). An attacker in possession of the corresponding PK private key can sign arbitrary UEFI executables or firmware components, causing them to be trusted by affected systems and potentially bypassing UEFI Secure Boot trust validation.
CVSS v3.1
Score 6.4medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability involves the use of a hard-coded cryptographic key (Platform Key) in the UEFI firmware of the Acer vz2694g. The presence of a hard-coded PK means that if an attacker obtains the private key, they can create malicious UEFI executables or firmware components that will be accepted as trusted by the Secure Boot mechanism. This undermines the integrity of the Secure Boot process, potentially allowing unauthorized code execution during system boot. The vulnerability is identified as CWE-321 (Use of Hard-coded Cryptographic Key). There is no vendor advisory indicating a patch or mitigation at this time.
Potential Impact
An attacker with access to the private Platform Key can bypass UEFI Secure Boot trust validation by signing malicious firmware or executables. This can lead to the execution of unauthorized code at boot time, compromising system integrity, confidentiality, and availability. The CVSS vector indicates the attack requires local access with high privileges and high attack complexity, but results in high impact on confidentiality, integrity, and availability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or workaround has been published by Acer or CERT at this time. Until a patch is available, organizations should limit access to systems to trusted personnel only and monitor for firmware integrity where possible.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- certcc
- Date Reserved
- 2024-08-22T19:50:07.296Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Vendor Advisory Urls
- [{"url":"https://kb.cert.org/vuls/id/455367","vendor":"CERT"},{"url":"https://www.kb.cert.org/vuls/id/455367","vendor":"CERT"}]
Threat ID: 6a4185cd27e9c797198b6399
Added to database: 06/28/2026, 20:36:29 UTC
Last enriched: 06/28/2026, 20:51:16 UTC
Last updated: 06/28/2026, 23:06:59 UTC
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.