
LogoFAIL: exploiting image files to compromise computers


A critical UEFI firmware flaw affecting many modern PCs and even some servers.


When you start up a computer, the manufacturer’s logo usually appears on the screen before the operating system loads. Although this feature was originally designed for hardware makers, regular users can also replace that default logo with a custom image.

The logo itself is stored in the UEFI (Unified Extensible Firmware Interface) firmware, which runs right after the machine is powered on. Unfortunately, this feature can be abused. Attackers are able to tamper with it and gain full control of the system — even remotely. This type of attack, known as LogoFAIL, was recently analyzed by researchers at Binarly. Before diving into the details, let’s first recall the threat posed by UEFI bootkits.

UEFI bootkits: malware that loads before the OS

In earlier PCs, the startup program was called BIOS (Basic Input/Output System). It was basic but essential — its job was to initialize hardware and then hand control over to the operating system. From the late 2000s, BIOS was gradually replaced with UEFI, a more advanced version that added features such as protection against unauthorized code execution.

One of UEFI’s most important defenses is Secure Boot, which uses cryptography to verify code at every step of the boot sequence. This makes it harder for attackers to swap legitimate code with malicious code. Still, Secure Boot does not completely eliminate risks. If hackers manage to inject malware — often called a bootkit — into UEFI, the consequences can be severe.

The biggest danger with UEFI bootkits is that they are almost invisible to the operating system. They can modify files, run malicious code with full privileges, and even survive a complete OS reinstallation or a hard drive replacement. Because they live in the firmware, not on the disk, they are frequently used in advanced targeted attacks — as shown in this study by our researchers.

What do images have to do with it?

Injecting malicious code into UEFI is not easy, thanks to its protections. However, flaws in the code can sometimes be exploited. That’s why Binarly researchers took a closer look at how UEFI handles logo images. To show the logo, UEFI runs a program that reads image files and displays them on screen. But what if that process is tricked into behaving unexpectedly?

There are three main UEFI vendors: AMI, Insyde, and Phoenix. Each handles image processing in a different way. Insyde uses separate handlers for different file formats like JPEG and BMP, while AMI and Phoenix use a single handler for all. Researchers found 24 critical vulnerabilities across these implementations. Here’s a video demonstration of one such exploit:

Demo of the LogoFAIL attack (video).

The logic is fairly simple: attackers can craft a malicious logo image. By tweaking properties such as resolution, they can force calculation errors in the handler code. As a result, image data spills into executable memory, which then runs with maximum privileges. In the demo above, the effect is relatively harmless — a text file being dropped on the Windows desktop. But with such access, attackers could take almost complete control of the system.
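The "calculation error" described above is the classic shape of an image-parser bug: dimensions taken from the file are multiplied to size a buffer, and the product wraps. The following is an added illustration written for this post, not Binarly's code and not any vendor's firmware; the 10-byte header layout, the 8192-pixel ceiling and the 64 MiB budget are assumptions chosen for the example.

```c
#include <stdint.h>
#include <stdio.h>

#define LOGO_BUDGET_BYTES (64u << 20)   /* assumed framebuffer budget: 64 MiB */
#define MAX_DIM 8192u                   /* assumed sane ceiling for either dimension */

/* Subset of a BMP-style info header; every field comes straight from the file. */
struct bmp_info { uint32_t width, height; uint16_t bpp; };

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }

/* Constructed 10-byte layout: width LE32, height LE32, bits-per-pixel LE16. */
static void parse_bmp_info(const uint8_t *buf, struct bmp_info *h) {
    h->width = le32(buf); h->height = le32(buf + 4); h->bpp = le16(buf + 8);
}

/* Unchecked: the 32-bit product silently wraps, so a buffer sized from it is far
 * smaller than the pixel data the decoder later writes into it. */
static uint32_t unchecked_size(const uint8_t *hdr) {
    struct bmp_info h; parse_bmp_info(hdr, &h);
    return h.width * h.height * (h.bpp / 8);
}

/* Checked: bound every field, multiply in 64 bits and compare against a fixed budget.
 * Returns the byte count, or -1 when the header must be rejected before any allocation. */
static int64_t checked_size(const uint8_t *hdr) {
    struct bmp_info h; parse_bmp_info(hdr, &h);
    if (h.bpp != 24 && h.bpp != 32) return -1;
    if (h.width == 0 || h.height == 0 || h.width > MAX_DIM || h.height > MAX_DIM) return -1;
    uint64_t bytes = (uint64_t)h.width * h.height * (h.bpp / 8);
    return bytes > LOGO_BUDGET_BYTES ? -1 : (int64_t)bytes;
}

/* Constructed headers: 65536 x 65536 at 32 bpp (product wraps to 0) and 1024 x 768 at 32 bpp. */
static const uint8_t crafted_hdr[10] = {0, 0, 1, 0,  0, 0, 1, 0,  32, 0};
static const uint8_t sane_hdr[10]    = {0, 4, 0, 0,  0, 3, 0, 0,  32, 0};

int main(void) {
    printf("crafted: unchecked=%u checked=%lld\n", unchecked_size(crafted_hdr), (long long)checked_size(crafted_hdr));
    printf("sane:    unchecked=%u checked=%lld\n", unchecked_size(sane_hdr), (long long)checked_size(sane_hdr));
    return 0;
}
```

The unchecked path reports a zero-byte logo for the oversized header, which is exactly the condition a firmware update to the parser has to close; the checked path refuses it before anything is allocated or drawn.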

Interestingly, some manufacturers’ devices, including certain Apple laptops and Dell models, were unaffected. The reason: their UEFI firmware simply blocks logo replacement altogether.

What this means for businesses

In theory, the attack could even be carried out remotely. For instance, attackers could plant a malicious image into the EFI partition on disk, which would be processed during the next reboot. However, this already requires full system access. So why bother with LogoFAIL? The answer lies in persistence — ensuring malware survives even after reinstalling the OS. That persistence is extremely valuable for APT operators.

The long-term fix will come from firmware updates that patch vulnerable image parsers. Unfortunately, many organizations neglect UEFI updates, meaning a large number of devices may remain exposed. And the list of affected hardware includes not only laptops but also certain server motherboards. This makes Binarly’s findings especially important for enterprises to take seriously.