The ThinkPwn exploit is implemented as an UEFI application that needs to be executed from a USB flash drive by using the UEFI shell. This requires physical access to the targeted computer, which limits the kind of attackers who could use it.
However, Oleksiuk said that with more effort it would be possible to exploit the vulnerability from inside the running operating system, which means that it could be targeted through malware.
There are past examples where malware injected malicious code into the UEFI for increased persistence and stealth. For example, Italian surveillance software maker Hacking Team had a UEFI rootkit in its arsenal.
Sign up for CIO Asia eNewsletters.