Old UEFI Shims Allow Bypass of Secure Boot on Affected Systems

Old UEFI Shims Allow Bypass of Secure Boot on Affected Systems

First seen 14 Jul 2026, 16:28 UTC Feeds2.FeedburnerFeeds.4SysopsWelivesecurityCybersecuritynewswww.cve.org 88% similarity 70.5

Article Content

Browse articles
ThreatCluster

ESET researchers discovered 11 outdated UEFI shim bootloaders, all at version 0.9 or below, that can bypass UEFI Secure Boot protections on any UEFI-based machine trusting Microsoft's third-party certificate authority. These shims can execute untrusted code during system boot, enabling the deployment of malicious UEFI bootkits. The vulnerabilities were reported to CERT/CC in February 2026, and Microsoft revoked the affected shims on June 9, 2026, assigning CVE-2026-8863 and CVE-2026-10797 for tracking. Exploitation is not limited to specific operating systems, as attackers can introduce their own vulnerable shims to any compatible UEFI system. This situation highlights the risks posed by long-trusted but outdated software components in the boot process.

Key Points: • 11 vulnerable UEFI shim bootloaders can bypass Secure Boot protections. • Attackers can exploit these shims to execute untrusted code on any UEFI system. • Microsoft revoked the affected shims on June 9, 2026, following a report from ESET.

ThreatCluster AI

Timeline

2015-11-24
CVE-2015-5281 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2020-07-29
Public exploit for CVE-2020-10713 released
A proof-of-concept exploit appeared on GitHub, lowering the barrier for opportunistic attackers.
GitHub
2022-08-26
CVE-2022-34302 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2023-03-14
CVE-2023-28005 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2025-01-14
CVE-2024-7344 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2026-02-01
Vulnerabilities reported to CERT/CC
ESET researchers disclosed findings about vulnerable UEFI shims to CERT/CC, prompting further investigation.
Welivesecurity
2026-06-09
Microsoft revokes vulnerable UEFI shims
Microsoft issued a dbx update to revoke the affected UEFI shim bootloaders identified by ESET researchers.
Welivesecurity
2026-06-09
CVE-2026-8863 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2026-07-14
Public awareness of UEFI shim vulnerabilities
Multiple cybersecurity outlets reported on the vulnerabilities, emphasizing the risks of outdated UEFI shims.
Feeds.4Sysops

Community

Browse all →