Microsoft: Microsoft’s Secure Boot has been broken for a decade and no one noticed until now

Microsoft: Microsoft’s Secure Boot has been broken for a decade and no one noticed until now

Microsoft’s Secure Boot Flaw Exposed: 13-Year-Old Shim Vulnerabilities Bypass Critical Protection

Researchers at ESET have uncovered a critical oversight in Microsoft’s Secure Boot implementation, revealing that a key protection mechanism has been trivially bypassable for nearly its entire existence. The flaw stems from 11 defective firmware "shims" signed by Microsoft between 2013 and the present that were never revoked despite known vulnerabilities.

Secure Boot, introduced in 2012, was designed to prevent bootkit infections by ensuring only trusted, digitally signed firmware loads during startup. However, ESET found that attackers can exploit these outdated, yet still-trusted, shims to completely disable the protection. The technique requires no advanced exploitation skills only access to one of the unrevoked shims and basic knowledge of UEFI mechanics.

The impact spans both Windows and Linux systems, as compromised shims can be installed on either OS. Once deployed, attackers can install malicious firmware that persists even after OS reinstalls or hard drive replacements, mirroring the tactics of high-profile bootkits like Russia’s LoJax (2018), China-linked MosaicRegressor (2020), and the recent BlackLotus (2023).

Microsoft’s failure to revoke the vulnerable shims despite their public availability has left devices exposed to a low-effort but high-impact attack vector, undermining a foundational security measure for over a decade.

Source: https://arstechnica.com/security/2026/07/microsoft-secure-boot-has-been-broken-for-most-of-its-existence/

Microsoft TPRM report: https://www.rankiteo.com/company/microsoft-security

"id": "mic1784141218",
"linkid": "microsoft-security",
"type": "Vulnerability",
"date": "7/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 'Users of Windows and Linux '
                                              'systems with Secure Boot '
                                              'enabled',
                        'industry': 'Software and Cloud Services',
                        'location': 'Global',
                        'name': 'Microsoft',
                        'size': 'Large Enterprise',
                        'type': 'Technology Company'}],
 'attack_vector': 'Firmware Shim Exploitation',
 'description': 'Researchers at ESET have uncovered a critical oversight in '
                'Microsoft’s Secure Boot implementation, revealing that a key '
                'protection mechanism has been trivially bypassable for nearly '
                'its entire existence. The flaw stems from 11 defective '
                "firmware 'shims' signed by Microsoft between 2013 and the "
                'present that were never revoked despite known '
                'vulnerabilities. Secure Boot, introduced in 2012, was '
                'designed to prevent bootkit infections by ensuring only '
                'trusted, digitally signed firmware loads during startup. '
                'However, attackers can exploit these outdated, yet '
                'still-trusted, shims to completely disable the protection. '
                'The technique requires no advanced exploitation skills—only '
                'access to one of the unrevoked shims and basic knowledge of '
                'UEFI mechanics. The impact spans both Windows and Linux '
                'systems, as compromised shims can be installed on either OS. '
                'Once deployed, attackers can install malicious firmware that '
                'persists even after OS reinstalls or hard drive replacements, '
                'mirroring the tactics of high-profile bootkits like Russia’s '
                'LoJax (2018), China-linked MosaicRegressor (2020), and the '
                'recent BlackLotus (2023). Microsoft’s failure to revoke the '
                'vulnerable shims despite their public availability has left '
                'devices exposed to a low-effort but high-impact attack '
                'vector, undermining a foundational security measure for over '
                'a decade.',
 'impact': {'brand_reputation_impact': 'Undermining foundational security '
                                       'measure',
            'operational_impact': 'Persistent malware installation bypassing '
                                  'Secure Boot',
            'systems_affected': 'Windows and Linux systems with Secure Boot '
                                'enabled'},
 'lessons_learned': 'Failure to revoke known vulnerable firmware shims can '
                    'undermine critical security mechanisms like Secure Boot, '
                    'leaving systems exposed to persistent malware for '
                    'extended periods.',
 'post_incident_analysis': {'root_causes': 'Microsoft’s failure to revoke 11 '
                                           'defective firmware shims signed '
                                           'between 2013 and the present, '
                                           'despite known vulnerabilities.'},
 'recommendations': 'Revoke all vulnerable shims immediately, enforce stricter '
                    'firmware signing policies, and implement automated '
                    'revocation processes for known defective components.',
 'references': [{'source': 'ESET Research'}],
 'response': {'third_party_assistance': 'ESET (researchers)'},
 'threat_actor': ['Russia (LoJax)',
                  'China (MosaicRegressor)',
                  'Unknown (BlackLotus)'],
 'title': 'Microsoft’s Secure Boot Flaw Exposed: 13-Year-Old Shim '
          'Vulnerabilities Bypass Critical Protection',
 'type': 'Vulnerability Exploitation',
 'vulnerability_exploited': 'Defective Secure Boot shims signed by Microsoft '
                            '(CVE not specified)'}
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.