And it was Microsoft Copilot that unwittingly revealed the longstanding vulnerability
Analysis Summary
# Vulnerability: Surface SAM Firmware "Bricking" via Arbitrary Write
## CVE Details
- **CVE ID:** Not explicitly assigned in the report (Microsoft initially disputed the "practical threat" status).
- **CVSS Score:** Estimated 6.8 (Medium/High) - *Note: While the impact is total loss of availability, the requirement for Admin privileges and specific BIOS settings lowers the base score.*
- **CWE:** CWE-1284 (Improper Validation of Specified Quantity in Input), CWE-829 (Inclusion of Functionality from Untrusted Control Sphere).
## Affected Systems
- **Products:** Microsoft Surface Family (Laptops and Tablets).
- **Versions:** Surface Laptop 3-6, Surface Book 1-3. (Surface Go and ARM variants are currently unconfirmed/not tested).
- **Configurations:** Vulnerable only if **Secure Core** and **Secure Boot** are disabled, allowing administrative userspace access to raw hardware interfaces.
## Vulnerability Description
The vulnerability exists in the System Aggregator Module (SAM) / Surface Aggregator Module (SSAM) embedded controller. The SAM implementation lacks a hardware-level interlock (like a physical jumper or button press) to prevent arbitrary writes to critical firmware regions.
The SAM Bus interleaves Read and Write Command IDs (CIDs) in the same numbering space without structural separation. When an application (in this case, a Python script generated by Microsoft Copilot) sends raw IOCTL commands (`SSAM_CDEV_REQUEST = 0xC028A501`) to enumerate features, it can inadvertently trigger "Write" commands with null or garbage payloads. This overwrites the UEFI and Secure Boot firmware stored in non-volatile memory, leading to a permanent failure to Power-On Self-Test (POST) upon the next reboot.
## Exploitation
- **Status:** PoC available (inadvertently created by Microsoft Copilot); reported in the wild as a "common complaint" in support forums.
- **Complexity:** Medium (Requires specific knowledge of SSAM IOCTL commands).
- **Attack Vector:** Local (Requires Administrator privileges to interact with hardware drivers).
## Impact
- **Confidentiality:** None.
- **Integrity:** Total (Firmware is overwritten with garbage data).
- **Availability:** Total (Permanent "bricking" of hardware; requires motherboard replacement).
## Remediation
### Patches
- Microsoft has been "quietly patching" firmware for affected Surface devices over a 90-day period leading up to June 2026. Users should ensure all Windows and Surface Firmware updates are applied via Windows Update.
- **Future Hardware:** Microsoft is transitioning to "Secure EC" and "Project Patina," which involve rewriting the embedded controller and UEFI DXE Core in **Rust** to enforce memory safety and better validation.
### Workarounds
- **Enable Secure Boot:** This is the primary defense, as it prevents the unauthorized modification of boot-critical code.
- **Enable Secure Core:** Integrated security features that prevent administrative userspace from tampering with the hardware/firmware interface.
## Detection
- **Indicators of Compromise:** Presence of Python scripts or unauthorized binaries attempting to send `0xC028A501` IOCTL requests to the Surface Aggregator.
- **Detection Methods:** Monitor for administrative elevation followed by direct hardware-interface calls to the SAM driver. After exploitation, the device is stuck on a black screen or the Surface logo with no BIOS/UEFI access.
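The description above says the SAM character device takes raw requests through the `SSAM_CDEV_REQUEST` IOCTL (`0xC028A501`), and the detection bullets say to watch for that request code reaching the aggregator driver from an elevated process. The following is an added example, not code from the report, from Microsoft, or from the Linux `surface_aggregator` driver: it decodes an IOCTL request number with the standard Linux `_IOC()` bit layout (direction, payload size, magic type byte, command number) so that `0xC028A501` can be recognised by its `0xA5` magic rather than by exact-match only, then runs that decoder over a few constructed audit-log lines and raises an alert for each SAM request, rated higher when the calling process is elevated. The log line format, field names, process names and the `/dev/surface/aggregator` path are assumptions made for the example; only the IOCTL value comes from the report.

```python
"""Flag raw Surface Aggregator (SAM) IOCTL requests in an audit log.

Added example for the analysis summary above; not code from the report or
from any vendor. Log format and device path are constructed assumptions.
"""
import re
from dataclasses import dataclass

# Linux _IOC() request-number layout (asm-generic/ioctl.h):
#   bits 0-7   command number (nr)
#   bits 8-15  magic type byte
#   bits 16-29 payload size in bytes
#   bits 30-31 direction (1 = write, 2 = read, 3 = read|write)
_NR_BITS, _TYPE_BITS, _SIZE_BITS = 8, 8, 14
_TYPE_SHIFT = _NR_BITS                    # 8
_SIZE_SHIFT = _TYPE_SHIFT + _TYPE_BITS    # 16
_DIR_SHIFT = _SIZE_SHIFT + _SIZE_BITS     # 30
_DIR_NAMES = {0: "NONE", 1: "WRITE", 2: "READ", 3: "READ|WRITE"}

SSAM_CDEV_REQUEST = 0xC028A501   # request code quoted in the report
SSAM_IOCTL_TYPE = 0xA5           # magic byte decoded from that value


@dataclass(frozen=True)
class IoctlCode:
    direction: str
    size: int     # payload size in bytes
    type_: int    # magic type byte
    nr: int       # command number


def decode_ioctl(code: int) -> IoctlCode:
    """Split a 32-bit Linux ioctl request number into its four fields."""
    nr = code & ((1 << _NR_BITS) - 1)
    type_ = (code >> _TYPE_SHIFT) & ((1 << _TYPE_BITS) - 1)
    size = (code >> _SIZE_SHIFT) & ((1 << _SIZE_BITS) - 1)
    direction = (code >> _DIR_SHIFT) & 0x3
    return IoctlCode(_DIR_NAMES[direction], size, type_, nr)


# Constructed audit-log format (assumption): one ioctl() call per line.
LOG_RE = re.compile(
    r"pid=(?P<pid>\d+) user=(?P<user>\S+) elevated=(?P<elev>[01]) "
    r"proc=(?P<proc>\S+) device=(?P<device>\S+) ioctl=(?P<ioctl>0x[0-9A-Fa-f]+)"
)

# Constructed sample lines: a terminal ioctl (benign), two raw SAM requests
# from an elevated interpreter, and one SAM request from a normal user.
SAMPLE_LOG = [
    "2026-05-02T10:14:03Z pid=4412 user=alice elevated=0 proc=bash "
    "device=/dev/pts/0 ioctl=0x5401",
    "2026-05-02T10:14:09Z pid=4470 user=root elevated=1 proc=python3 "
    "device=/dev/surface/aggregator ioctl=0xC028A501",
    "2026-05-02T10:14:10Z pid=4470 user=root elevated=1 proc=python3 "
    "device=/dev/surface/aggregator ioctl=0xC028A501",
    "2026-05-02T10:15:00Z pid=4501 user=alice elevated=0 proc=python3 "
    "device=/dev/surface/aggregator ioctl=0xC028A501",
]


def scan_ioctl_log(lines):
    """Return one alert dict per ioctl() whose magic byte is the SAM type."""
    alerts = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue                      # unparseable line: skip, do not guess
        code = decode_ioctl(int(m["ioctl"], 16))
        if code.type_ != SSAM_IOCTL_TYPE:
            continue                      # some other driver's ioctl
        elevated = m["elev"] == "1"
        alerts.append({
            "pid": int(m["pid"]),
            "proc": m["proc"],
            "device": m["device"],
            # Report: the write path needs admin rights, so elevated callers
            # are the ones that can actually reach firmware regions.
            "severity": "high" if elevated else "medium",
            "ioctl": f"{code.direction} type=0x{code.type_:02X} "
                     f"nr={code.nr} size={code.size}",
        })
    return alerts


def requests_per_pid(alerts):
    """Count SAM requests per process: a burst suggests an enumeration loop."""
    counts = {}
    for a in alerts:
        counts[a["pid"]] = counts.get(a["pid"], 0) + 1
    return counts


if __name__ == "__main__":
    print(decode_ioctl(SSAM_CDEV_REQUEST))
    found = scan_ioctl_log(SAMPLE_LOG)
    for a in found:
        print(a)
    print("requests per pid:", requests_per_pid(found))
```

The decoder shows why matching on the magic byte is preferable to matching the single literal: the report describes read and write command IDs sharing one numbering space behind the same request IOCTL, so any call into the `0xA5` type from an unexpected process is worth reviewing, not only the one value quoted. The per-pid count is a cheap way to surface the "enumerate everything" pattern the report attributes to the generated script.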
## References
- **Vendor Statement:** Microsoft Surface / MSRC (via The Register)
- **Technical Overview:** hXXps[:]//docs[.]kernel[.]org/driver-api/surface_aggregator/overview[.]html
- **Project Patina (Rust UEFI):** hXXps[:]//github[.]com/OpenDevicePartnership/patina
- **Windows Drivers in Rust (WDR):** hXXps[:]//github[.]com/microsoft/windows-drivers-rs