Microsoft discovered 20 flaws in open-source bootloaders with the assistance of Microsoft Security Copilot, the company announced in a blog post Monday.
The findings are a big step forward for Microsoft in its efforts to win over developers and administrators to its AI-enabled vulnerability discovery platform.
The security bugs found in GRUB2, U-Boot and Barebox could allow the installation of bootkits that bypass Secure Boot, evading detection by security software and granting an attacker full control over the system.
The flaws were reported to the open-source maintainers and addressed with security updates in February 2025. GRUB2 is a bootloader commonly used on Linux systems, while U-Boot and Barebox are commonly used in embedded systems.
Microsoft’s vulnerability discovery process began with an investigation of GRUB2, which the team noted is susceptible to memory-safety flaws because it is written in C. The team also focused on bootloaders because they run before the operating system loads and therefore without the protection of operating system security features.
The process combined traditional discovery methods, including static code analysis, manual code analysis and fuzzing, with assistance from Microsoft Security Copilot, which was prompted to identify bootloader functionalities that would be most prone to containing exploitable errors.
Using Copilot’s suggestions, the team narrowed its focus to filesystems. It then asked Copilot to find potential security issues, include an exploitability analysis, and identify the five most pressing issues to address.
Copilot’s response included three false positives and one issue that was not exploitable; the remaining issue, an integer overflow, was determined to be a significant security vulnerability. From there, Copilot was prompted to look for similar patterns in other GRUB2 files, while manual analysis was also performed to catch any false negatives.
Ultimately, Microsoft found 11 vulnerabilities in GRUB2 during this process, including flaws in GRUB2’s handling of several filesystems, two flaws related to commands, and a cryptographic side channel caused by a non-constant-time memory comparison.
The most severe vulnerability was given a high-severity CVSS score of 7.8. Tracked as CVE-2025-0678, this flaw is an integer overflow when GRUB2 reads data from the Squash4 filesystem, and could lead to arbitrary code execution and a bypass of Secure Boot protections.
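To illustrate the bug class behind CVE-2025-0678, here is an added example (not GRUB2's code, and not the actual vulnerable function) showing how a 32-bit size computed from untrusted on-disk metadata can wrap, and how a checked version rejects it. The header layout, field names and values are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model: a filesystem driver reads a table header from disk
 * with a 32-bit entry count and entry size. On a malformed image both
 * fields are attacker-controlled, and the driver computes the table's
 * byte length from them before reading it into a buffer. */

/* Naive total: uint32_t arithmetic wraps modulo 2^32, so a malformed
 * header can make a huge table look tiny and pass a later "fits in the
 * buffer" check, leading to an out-of-bounds read or write. */
uint32_t naive_table_bytes(uint32_t entry_count, uint32_t entry_size)
{
    return entry_count * entry_size;
}

/* Hardened total: use the compiler's checked multiplication (GCC/Clang
 * builtin) and refuse the header outright if the product would wrap. */
bool checked_table_bytes(uint32_t entry_count, uint32_t entry_size, uint32_t *out)
{
    return !__builtin_mul_overflow(entry_count, entry_size, out);
}

/* Validate a header against the bytes actually available to read.
 * Returns 0 if the table can be read safely, -1 if it must be rejected. */
int validate_table(uint32_t entry_count, uint32_t entry_size, uint32_t avail)
{
    uint32_t need;
    if (!checked_table_bytes(entry_count, entry_size, &need))
        return -1;              /* size computation would overflow */
    if (need > avail)
        return -1;              /* table is larger than the data we have */
    return 0;
}

int main(void)
{
    /* Constructed malformed header: 0x10000 * 0x10000 wraps to 0 in 32 bits. */
    uint32_t count = 0x10000u, size = 0x10000u;
    printf("naive length:   %u bytes (wrapped)\n", naive_table_bytes(count, size));
    printf("checked result: %s\n",
           validate_table(count, size, 4096) == 0 ? "accept" : "reject");
    return 0;
}
```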
“Leveraging AI like Security Copilot was invaluable in our research, saving us approximately a week’s worth of time by efficiently identifying and refining security issues in bootloader functionalities,” Jonathan Bar Or of the Microsoft 365 Defender Research Team wrote.
The four additional flaws in U-Boot, and five in Barebox, were discovered when Copilot was asked to find similar code in other GitHub projects. While these additional flaws would likely require physical access to the embedded systems to exploit, their discovery shows how vulnerable code can propagate through the open-source supply chain, since U-Boot and Barebox share significant code with GRUB2.
Microsoft’s discoveries come after Google announced last year that its Big Sleep AI agent assisted in the discovery of an exploitable bug in the open-source database engine SQLite. Both Microsoft’s and Google’s work emphasize how AI is increasingly being leveraged to speed up the discovery of security issues in code, especially in the open-source ecosystem.