Vulnerable to "Hydroph0bia" Secure Boot bypass (CVE-2025-4275)?

Are Framework BIOS versions vulnerable to the “Hydroph0bia” (CVE-2025-4275) secure boot bypass?

Links:

The Insyde advisory gives a list of H2O BIOS kernel versions with the fix, but I’m not sure how these correlate to Framework BIOS releases.

EDIT: Fixed the spelling of H2O, thanks @junaraga for the heads-up.

2 Likes

I can’t speak to answering your question directly. I would suggest that you write Framework customer support and ask your question there.

However, as with most of these vulnerabilities, this one is something that the average user doesn’t need to stress about, provided they follow normal safe computing guidelines.

Primarily, that they keep their computer within their control at all times (or at least reasonably so), and that they do not frequent illegitimate websites or use malicious content (use software from legitimate sources, etc.).

Doing these two things will ensure that you are not likely to face an issue due to this problem.

And for a little more security, password-protect your BIOS.

That said, I’m sure that once changes are pushed to Framework’s BIOS vendor these vulnerabilities will be patched.

Um, I agree in general that many people don’t have a threat model that requires physical security or a Secure Boot root of trust. On the other hand, many people have good reasons for adopting a different threat model - or they want to use their computer in a work environment which has a policy around this.

Most laptop vendors patch Secure Boot compromises promptly and will make use of vendor coordinated disclosure where possible (as was the case here).

The researcher followed a coordinated disclosure process with Insyde, so patches were already available to Insyde customers (presumably including Framework) before this vulnerability was publicly disclosed.

What I’d hoped to see from Framework was an indicative timeline or policy for integrating security fixes from upstream, rather than a vague list of security “best practices”.

4 Likes

If you want any type of formal statement, reach out to support. The community cannot provide you what you are seeking here. 🙂

3 Likes

I’ve emailed support as suggested.

I’m honestly confused about the intended role of this forum as, for example, here’s the CEO of Framework responding to a different thread about a BIOS vulnerability. Here’s a Framework employee interacting constructively in a thread about another security-adjacent issue earlier this year. This relatively open attitude and availability of staff is one of the things I’d previously appreciated about the company.

3 Likes

We have validated this and found we are vulnerable. We are working with our BIOS vendor to get this patched and release fixes across our products.

12 Likes

Thanks for the update, Kieran. Much appreciated.

FWIW, support replied and directed me to this thread as well.

1 Like

I wonder if business clients are keeping track of the BIOS vulnerability resolution timeline as one of the KPIs to evaluate Framework’s suitability for their company.