Old UEFI Shims Exploit Bypass of Secure Boot Security

Old UEFI Shims Exploit Bypass of Secure Boot Security

First seen 14 Jul 2026, 16:28 UTC Feeds2.FeedburnerFeeds.4SysopsCybersecuritynewsWelivesecurityFeeds.Feedburner+2 89% similarity 70.5

Article Content

Browse articles
ThreatCluster

ESET researchers have discovered 11 outdated UEFI shim bootloaders, all version 0.9 or below, that can bypass UEFI Secure Boot protections on systems trusting Microsoft's 2011 certificate. These vulnerabilities allow attackers to execute untrusted code during the boot process, enabling the deployment of UEFI bootkits like Bootkitty and BlackLotus. The shims were reported to CERT/CC in February 2026 and were revoked by Microsoft on June 9, 2026, under CVE-2026-8863 and CVE-2026-10797. The attack method relies on the 'bring your own vulnerable driver' technique, allowing exploitation regardless of the installed operating system. The vulnerabilities stem from outdated second-stage bootloaders, primarily GRUB 2, which contain known flaws. This situation affects various Linux distributions and software from major vendors, posing a significant risk to systems that have not updated their firmware. The lack of visibility into older shims complicates remediation efforts.

Key Points: • Eleven outdated UEFI shims can bypass Secure Boot on systems trusting Microsoft's certificate. • Attackers can exploit these shims to run untrusted code and deploy bootkits. • Microsoft revoked the vulnerable shims on June 9, 2026, following a report from ESET.

ThreatCluster AI

Timeline

2015-11-24
CVE-2015-5281 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2020-07-29
Public exploit for CVE-2020-10713 released
A proof-of-concept exploit appeared on GitHub, lowering the barrier for opportunistic attackers.
GitHub
2022-08-26
CVE-2022-34302 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2023-03-14
CVE-2023-28005 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2025-01-14
CVE-2024-7344 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2026-02-01
ESET reports vulnerabilities to CERT/CC
ESET disclosed the existence of 11 vulnerable UEFI shim bootloaders to CERT/CC, highlighting their potential for exploitation.
Welivesecurity
2026-06-09
Microsoft revokes vulnerable UEFI shims
Microsoft issued a dbx update to revoke the 11 identified vulnerable UEFI shim bootloaders, addressing the security risks.
Infosecurity-Magazine
2026-06-09
CVE-2026-8863 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2026-07-15
Security experts warn of ongoing risks
Experts emphasize that many systems may still be vulnerable due to the presence of older, unrevoked shims.
Feeds2.Feedburner

Community

Browse all →