[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f42eB-kwMM5xIdJqjGmW7Y3Cfg5yoxjKx3HUdhwAmYLA":3},{"article":4,"iocs":39},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":33,"category":34,"article_tags":38},"64f92c42-e3f7-493e-8744-edfc34a7f7db","Old UEFI Shims Expose Systems to Secure Boot Bypass","old-uefi-shims-expose-systems-to-secure-boot-bypass-1b9ed6","Signed by Microsoft, the vulnerable UEFI shim bootloaders could be abused on any system, regardless of the OS. The post Old UEFI Shims Expose Systems to Secure Boot Bypass appeared first on SecurityWeek.","ESET discovered 11 old, Microsoft-signed UEFI shim bootloaders (primarily version 0.9 and earlier) that can be exploited to bypass Secure Boot protections on any UEFI-based system. The vulnerable shims remained trusted despite known vulnerabilities and were only revoked by Microsoft in June 2026. Attackers could use these shims to execute untrusted code during boot and deploy bootkits regardless of Secure Boot enablement.","Microsoft-signed UEFI shim bootloaders allow Secure Boot bypass on any UEFI system.","Nearly a dozen Unified Extensible Firmware Interface (UEFI) shim bootloaders signed by Microsoft allow attackers to bypass Secure Boot protections, ESET warns. Small, trusted pieces of software bridge a computer motherboard’s UEFI firmware and the operating system, typically a Linux distribution, enabling the machine to boot with Secure Boot enabled. By using Microsoft-signed UEFI shim bootloaders, Linux distributions can establish a trust model without requiring individual keys to be built into the motherboard’s NVRAM. The shims allow bootloaders, kernels, and other components to run during Secure Boot. While various vulnerabilities have been addressed in the open source shim project over time, not all vendors updated their bootloaders, and these older shims remained signed and trusted within the Secure Boot chain, exposing systems to potential attacks. According to ESET, 11 such old, forgotten UEFI shims, primarily from version 0.9 and earlier, lingered around until revoked by Microsoft on June 2026 Patch Tuesday. Two CVEs were assigned, namely CVE-2026-8863 and CVE-2026-10797. The vulnerable shims, ESET says, could be exploited to “bypass UEFI Secure Boot on any UEFI-based machine that trusts Microsoft’s Microsoft Corporation UEFI CA 2011 third-party UEFI certificate authority (CA) certificate, regardless of the installed operating system (OS).”Advertisement. Scroll to continue reading. Coming from various tools and packages, these shims extend the attack surface through their trusted second-stage bootloaders. Additionally, attackers could bring their own vulnerable shims to systems that have enrolled the Microsoft third-party UEFI certificate. “Signing and compilation timestamps of the applications trusted by the shims we reported span from 2013 to 2025 – enough to confirm that a significant portion of these binaries were old and likely affected by numerous publicly known vulnerabilities, [such as] BootHole in the case of GRUB2,” ESET notes. Continuous trust in these old, vulnerable shims allows attackers to execute untrusted code during the boot process and deploy bootkits even if Secure Boot is enabled. ESET reported the findings to CERT\u002FCC in February 2026. In June, Microsoft revoked all vulnerable applications and added them to the UEFI DBX (Forbidden Signature Database). According to CERT\u002FCC, system admins should update the signature database (DB) before applying DBX revocations. “In practice, this means updating trusted boot applications and certificates first, followed by deployment of the revocation list. Failure to follow this order may cause systems to reject newly updated boot components. Enterprises, virtualization providers, and cloud operators managing large-scale deployments should prioritize validation and deployment of these updates to prevent the execution of vulnerable or unsigned binaries during physical or virtual machine startup,” CERT\u002FCC notes. Since 2017, shims have been signed and documented after a vetting process, but those approved before then are not documented, and many old, still-trusted shims may remain, potentially exposing systems to attacks. Related: New Exploit Bypasses Apple’s Boot Defenses, Affects Millions of iPhones Related: Nightmare Eclipse Drops ‘LegacyHive’ Windows Zero-Day Related: Trend Micro, Tanium, ESET and Tenable Patch Severe Product Vulnerabilities Related: Unpatched Cursor Vulnerability Exposes Users to Code Execution Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights. More from Ionut Arghire Progress Confirms Zero-Day Vulnerability Behind ShareFile DisruptionCritical Vulnerabilities Patched With Fresh Chrome 150, Firefox 152 UpdatesMicrosoft Patches Record 622 Vulnerabilities, Including Two Exploited Zero-DaysAdobe Patches Critical ColdFusion VulnerabilitiesSAP Patches Critical Vulnerabilities in NetWeaver, Approuter, Commerce CloudUS, Allies Warn of Russian Cyberattacks Targeting Critical Infrastructure RoutersMultiple Jscrambler Packages Impacted by Supply Chain AttackRabbitMQ Vulnerability Threatens Enterprise Systems Latest News Nightmare Eclipse Drops ‘LegacyHive’ Windows Zero-Day Trend Micro, Tanium, ESET and Tenable Patch Severe Product VulnerabilitiesUnpatched Cursor Vulnerability Exposes Users to Code ExecutionCISA Urges Immediate Patching of Exploited SharePoint VulnerabilitiesWindows Bind Link Attacks Can Hide Malware From EDR ToolsVirtual Event Today: Cloud & Data Security SummitUS Charges Russian Individuals and Firms for Running Cybercrime ServicesVulnerabilities Patched by Fortinet, Ivanti, ServiceNow Trending Daily Briefing NewsletterSubscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Why Email Security Keeps Failing (And What Has to Change) July 8, 2026 Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more. Register Virtual Event: 2026 Cloud Security Summit July 15, 2026 This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments. Register People on the MoveN-able has appointed Russell Rosa as Chief Revenue Officer.Stacy O'Mara has joined Armadin as Chief Policy Officer and Director of Global Government Affairs.F5 has appointed Cathy Peterman as Chief People Officer.More People On The MoveExpert Insights The Shift Toward Business-Aligned Risk Management Moving from isolated, technical data to a continuous risk lifecycle can help organizations align security controls with actual business consequences. (Steve Durbin) How to Conduct a Successful Audit of AI-Driven Software Development As AI-generated code becomes commonplace, CISOs need new audit strategies to measure developer practices, govern AI tool usage, and identify software risks before they reach production. (Matias Madou) Frontier AI: Six Questions Every Enterprise Should Ask Security Vendors From model selection and automation to validation and measurable results, the right questions can help enterprises separate genuine AI capabilities from marketing hype. (Joshua Goldfarb) The AI Token Costs That Can Break Cybersecurity As cybersecurity platforms embrace agentic AI, organizations must balance detection performance against the escalating costs of token consumption, deployment architecture, and AI credits. (Danelle Au) When Information Becomes the Attack Surface – Understanding AI Agent Traps From hidden content injections to cognitive state poisoning, attackers are turning trusted data sources into traps for autonomous AI. (Etay Maor) Flipboard Reddit Whatsapp Whatsapp Email","https:\u002F\u002Fwww.securityweek.com\u002Fold-uefi-shims-expose-systems-to-secure-boot-bypass\u002F","https:\u002F\u002Fwww.securityweek.com\u002Fwp-content\u002Fuploads\u002F2024\u002F06\u002FUEFI-chip-BIOS.jpeg","2026-07-16T07:59:22+00:00","2026-07-16T08:00:18.147136+00:00",9,[18,21,23,26,28,31],{"name":19,"type":20},"Microsoft","vendor",{"name":22,"type":20},"ESET",{"name":24,"type":25},"UEFI","technology",{"name":27,"type":25},"Secure Boot",{"name":29,"type":30},"GRUB2","product",{"name":32,"type":25},"UEFI DBX","80544778-fabb-4dcd-aa35-17492e5dcf4f",{"id":33,"icon":35,"name":36,"slug":37},null,"Vulnerabilities","vulnerabilities",[],[40,44,46],{"type":41,"value":42,"context":43},"cve","CVE-2026-8863","UEFI shim Secure Boot bypass vulnerability",{"type":41,"value":45,"context":43},"CVE-2026-10797",{"type":41,"value":47,"context":48},"CVE-2020-10713","BootHole vulnerability affecting GRUB2, mentioned as example of vulnerabilities in old shims"]