Skip to main content
Framework 13. Press here to pwn 
  • Vulnerability Disclosure

Framework 13. Press here to pwn 

Kieran Larking

15 Jul 2025 5 Min Read

TL;DR 

  • Framework is an advocate of the right to repair
  • They make modular, easy to repair and upgrade computers. 
  • The Framework 13 laptop BIOS can be completely bypassed via the anti-tamper switch. 
  • There is no vendor fix for this issue. 

Introduction 

BIOS protection is the digital equivalent of a locked front door, but what if the doorbell doubled as a reset button? 

The Framework 13 laptop has a chassis intrusion detection switch. It’s designed to notify the BIOS when the laptop body has been opened. However, the same switch can be manipulated to reset the BIOS. This wipes critical protections like the BIOS administrator password, along with important security options such as secure boot and even the chassis intrusion lockout itself! 

What was found? 

The laptop was configured with: 

  • A BIOS supervisor password 
  • Secure Boot enabled 
  • Chassis intrusion enabled 
  • Other custom BIOS configurations 

I opened the case and found the chassis intrusion switch, a small hardware button near the board:

  • The button was pressed for 2 seconds, then released for 2 seconds. 
  • This was repeated 10 times. 
  • The laptop remained plugged in the entire time. 
  • After this, on reboot, the BIOS had reset. 

Once the BIOS had been reset, I plugged in a USB with bootable Kali. With Kali’s suite of tools and programs designed as part of a hacker’s toolkit, this significantly increases the chances of data exfiltration from the hard drive or other components. 

What was disabled? 

The following important settings were cleared or reset: 

  • BIOS password. Now anyone can access or change firmware settings. 
  • Chassis intrusion. No prompt for supervisor password upon boot and chassis intrusion lights reset to off. 
  • Secure Boot. Turned off by default after reset. 
  • All other options on the BIOS were returned to default. 

Why it matters 

BIOS settings are the first line of defence in an enterprise environment, and we rely on this to help: prevent USB booting, enforce secure boot, protect management agents such as Intune and detect tampering with the device itself. This vulnerability bypasses all of that with nothing more than a screwdriver and a stopwatch. 

Modularity vs security 

Framework’s philosophy is built around modularity and repairability, and that’s a huge win for users, repair communities, and the right-to-repair movement. But this flexibility can become a liability if not paired with strong safeguards. 

In this case, the ability to easily access the internals (a key selling point), directly exposed a reset mechanism that wasn’t adequately locked down. The assumption seems to be that physical access equals authorised access, which just doesn’t hold in enterprise or shared environments. 

Disclosure timeline 

27/03/2025: Vulnerability discovered, details of how to reset the mainboard are found on the Framework Wiki: https://framewiki.net/guides/mainboard-reset 

Although there is no documentation of any vulnerability associated with this functionality. 

03/04/2025: Frameworks customer service email contacted about the vulnerability with a detailed explanation. 

04/04/2025: Framework customer service describes the issue as expected behaviour: 

“The behavior you described, where pressing the chassis intrusion button 10 times resets the BIOS to its default settings, functions as a method to perform a mainboard reset. 

The mainboard reset is intended to help troubleshoot and resolve issues such as misconfigured BIOS settings, corrupted firmware configurations, or other system-level problems that could prevent the laptop from functioning properly.” 

04/04/2025: Consultant thanks Framework for their response and politely lets them know that the security concern will be made public. 

15/04/2025: CVE request submitted to Mitre. 

I contacted Framework to report the issue and got this prompt reply: 

“Hi Kieran, 

Thank you for reaching out to Framework Support and bringing up your findings during your testing. 

The behaviour you described, where pressing the chassis intrusion button 10 times resets the BIOS to its default settings, functions as a method to perform a mainboard reset. 

The mainboard reset is intended to help troubleshoot and resolve issues such as misconfigured BIOS settings, corrupted firmware configurations, or other system-level problems that could prevent the laptop from functioning properly. While this feature is useful for recovery purposes, we understand your concerns about its potential security implications, particularly in situations involving physical access to the device. 

We take security very seriously and appreciate your detailed observations. If you have further questions or need further assistance, please feel free to reach out anytime. 

Thank you for contacting Framework Support, and please have a great day! 

Regards, 

Framework Support” 

Feature, not a bug 

So, Framework are saying that is intended functionality and not a vulnerability, which we’ve heard before

Conclusion 

Unfortunately, there is currently no fix from the vendor to remediate this vulnerability. However, the following precautions can be taken: 

  • Use Framework devices only in physically secure environments. 
  • Use anti-tamper stickers to show if the case has been opened. 
  • If you’re doing sensitive work, consider using a different device.

In a device built for user freedom, flexibility comes at the cost of security. While this BIOS reset feature may help recover from misconfiguration, it also opens the door to attackers.