Microsoft: 'No new vulnerability is needed to bypass UEFI Secure Boot': Experts find attackers can exploit decades-old flaws to gain access to key systems

Microsoft: 'No new vulnerability is needed to bypass UEFI Secure Boot': Experts find attackers can exploit decades-old flaws to gain access to key systems

ESET Uncovers 11 Vulnerable UEFI Shim Bootloaders Signed by Microsoft, Enabling Secure Boot Bypass

Cybersecurity researchers at ESET have identified 11 vulnerable UEFI shim bootloaders all signed by Microsoft that could allow attackers to bypass Secure Boot and deploy malicious bootkits. These shims, versions 0.9 and older, act as intermediaries between a system’s firmware (UEFI) and the OS bootloader, originally designed to enable Secure Boot compatibility for Linux distributions without requiring individual Microsoft signatures.

The flaw affects any UEFI-based device trusting Microsoft’s Microsoft Corporation UEFI CA 2011 third-party certificate, a default setting in most modern x86 PCs. This could expose billions of devices across Windows, Linux, and other operating systems. Attackers can exploit the vulnerability by introducing old, trusted but unrevoked shims to otherwise secure systems, requiring no novel exploits only a copy of the vulnerable binary and basic UEFI knowledge.

ESET reported the issue to CERT/CC, prompting Microsoft to revoke the vulnerable shims. Users are advised to apply the latest UEFI revocations: Windows systems will typically update automatically, while Linux users should patch via the Linux Vendor Firmware Service (LVFS). The discovery underscores the risk of legacy components in critical security mechanisms, as even outdated but still-trusted code can undermine protections like Secure Boot.

Source: https://www.techradar.com/pro/security/no-new-vulnerability-is-needed-to-bypass-uefi-secure-boot-experts-find-attackers-can-exploit-decades-old-flaws-to-gain-access-to-key-systems

Microsoft TPRM report: https://www.rankiteo.com/company/microsoft

"id": "mic1784125827",
"linkid": "microsoft",
"type": "Vulnerability",
"date": "7/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 'Billions of users (UEFI-based '
                                              'devices)',
                        'industry': 'Software',
                        'location': 'Global',
                        'name': 'Microsoft',
                        'size': 'Large',
                        'type': 'Technology Company'},
                       {'customers_affected': 'Users of affected Linux '
                                              'distributions',
                        'industry': 'Software',
                        'location': 'Global',
                        'name': 'Linux Distributions',
                        'type': 'Open-Source Software'}],
 'attack_vector': 'UEFI Shim Bootloader',
 'customer_advisories': 'Users are advised to apply the latest UEFI '
                        'revocations.',
 'description': 'Cybersecurity researchers at ESET have identified 11 '
                'vulnerable UEFI shim bootloaders all signed by Microsoft that '
                'could allow attackers to bypass Secure Boot and deploy '
                'malicious bootkits. These shims, versions 0.9 and older, act '
                'as intermediaries between a system’s firmware (UEFI) and the '
                'OS bootloader, originally designed to enable Secure Boot '
                'compatibility for Linux distributions without requiring '
                'individual Microsoft signatures. The flaw affects any '
                'UEFI-based device trusting Microsoft’s *Microsoft Corporation '
                'UEFI CA 2011* third-party certificate, a default setting in '
                'most modern x86 PCs. This could expose billions of devices '
                'across Windows, Linux, and other operating systems. Attackers '
                'can exploit the vulnerability by introducing old, trusted but '
                'unrevoked shims to otherwise secure systems, requiring no '
                'novel exploits only a copy of the vulnerable binary and basic '
                'UEFI knowledge.',
 'impact': {'operational_impact': 'Potential deployment of malicious bootkits',
            'systems_affected': 'Billions of UEFI-based devices (Windows, '
                                'Linux, and other OS)'},
 'lessons_learned': 'The discovery underscores the risk of legacy components '
                    'in critical security mechanisms, as even outdated but '
                    'still-trusted code can undermine protections like Secure '
                    'Boot.',
 'post_incident_analysis': {'corrective_actions': 'Microsoft revoked the '
                                                  'vulnerable shims; users '
                                                  'must apply updates.',
                            'root_causes': 'Vulnerable UEFI shim bootloaders '
                                           '(versions 0.9 and older) signed by '
                                           'Microsoft were not revoked, '
                                           'allowing Secure Boot bypass.'},
 'recommendations': 'Users should apply the latest UEFI revocations: Windows '
                    'systems will typically update automatically, while Linux '
                    'users should patch via the Linux Vendor Firmware Service '
                    '(LVFS).',
 'references': [{'source': 'ESET Research'}, {'source': 'CERT/CC'}],
 'response': {'containment_measures': 'Microsoft revoked the vulnerable shims',
              'remediation_measures': 'Apply latest UEFI revocations (Windows '
                                      'updates automatically; Linux users '
                                      'patch via LVFS)',
              'third_party_assistance': 'ESET (research and disclosure)'},
 'title': 'ESET Uncovers 11 Vulnerable UEFI Shim Bootloaders Signed by '
          'Microsoft, Enabling Secure Boot Bypass',
 'type': 'Vulnerability Exploitation',
 'vulnerability_exploited': 'Secure Boot Bypass via vulnerable UEFI shim '
                            'bootloaders (versions 0.9 and older)'}
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.