Close Menu
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice

Subscribe to Updates

Get the latest creative news from FooBar about art, design and business.

What's Hot

Compromised Logins Surge as the Most Common Entry Point for Ransomware

July 15, 2026

Eleven Vulnerable UEFI Shims Enable Secure Boot Bypass

July 15, 2026

AI Attacks Move in Minutes. Join This Webinar on Building a Defense That Keeps Up

July 15, 2026
Facebook X (Twitter) Instagram
Wednesday, July 15
Facebook X (Twitter) Instagram Pinterest Vimeo
Cyberwire Daily
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice
Cyberwire Daily
Home»News»Eleven Vulnerable UEFI Shims Enable Secure Boot Bypass
News

Eleven Vulnerable UEFI Shims Enable Secure Boot Bypass

Team-CWDBy Team-CWDJuly 15, 2026No Comments3 Mins Read
Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
Share
Facebook Twitter LinkedIn Pinterest Email


Attackers could bypass UEFI Secure Boot on a wide range of systems thanks to 11 Microsoft-signed UEFI shim bootloaders carrying vulnerabilities that have remained buried for more than a decade, according to new findings from ESET.

ESET researchers reported the shims to the CERT Coordination Center (CERT/CC) in February 2026. All are versions 0.9 or below and were signed under Microsoft’s Microsoft Corporation UEFI CA 2011 third-party certificate, meaning any UEFI system that trusts that certificate will accept them regardless of the installed operating system.

Exploitation allows untrusted code to run during boot, opening the door to UEFI bootkits such as Bootkitty, HybridPetya and BlackLotus, even with Secure Boot switched on.

Old Code, No Exploit Needed

A shim is a small first-stage bootloader that Microsoft signs once, this allows Linux distributions boot under Secure Boot without submitting every update for signing. Crucially, an attacker can bring a vulnerable shim to any system carrying the Microsoft third-party certificate and boot from it.

The danger is less about any single bug than the outdated second-stage bootloaders each shim still trusts, mostly GRUB 2. Signing timestamps of the trusted binaries span 2013 to 2025, and older GRUB 2 builds carry well-documented flaws.

ESET demonstrated this with the shim from Oracle Linux, which trusts a GRUB 2 binary vulnerable to a 2015 flaw allowing unsigned code to load via crafted multiboot modules.

The attack needs no memory corruption or reverse engineering. It is enough for an attacker to build an unsigned kernel image, copy it alongside the old shim and GRUB 2 and load it with a single command at boot.

Bypassing the Newer Defenses

The shims also sidestep mechanisms built to catch this. Enforcement of the Machine Owner Key (MOK) denylist only arrived in version 0.9, so older shims ignore it, allowing an attacker to load binaries that an organization believed had been revoked.

The same gap applies to Secure Boot Advanced Targeting (SBAT), the version-based revocation system introduced in shim 15.3: earlier shims never check the SBAT policy.

The deeper problem is visibility, ESET warned. Shim submissions have been cataloged transparently only since 2017, and no one can say how many older, still-trusted shims remain in circulation.

Two CVE IDs, CVE-2026-8863 and CVE-2026-10797, cover the reported shims, and Microsoft revoked the vulnerable binaries in the dbx update shipped with its June 9 Patch Tuesday.

Read more on these fixes: Microsoft Fixes 200 CVEs in June Patch Tuesday 

Windows machines should update automatically, while Linux users can pull the revocation through the Linux Vendor Firmware Service.

“As the vulnerable shims are part of legitimate software packages that are potentially present on thousands of systems that have never been compromised via these loaders, we are not providing indicators of compromise to avoid massive misidentification,” ESET clarified.

“Instead, defenders should follow the advice in the Protection and detection section.”



Source

Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
Previous ArticleAI Attacks Move in Minutes. Join This Webinar on Building a Defense That Keeps Up
Next Article Compromised Logins Surge as the Most Common Entry Point for Ransomware
Team-CWD
  • Website

Related Posts

News

AI Attacks Move in Minutes. Join This Webinar on Building a Defense That Keeps Up

July 15, 2026
News

Microsoft Patches 570 CVEs in Record Patch Tuesday

July 15, 2026
News

Top AI Agents Built to Catch Malicious Code Can Be Tricked Into Running It

July 15, 2026
Add A Comment
Leave A Reply Cancel Reply

Latest News

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202523 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views

Why SOC Burnout Can Be Avoided: Practical Steps

November 14, 20259 Views

Cyber M&A Roundup: Cyber Giants Strengthen AI Security Offerings

December 1, 20258 Views
Stay In Touch
  • Facebook
  • YouTube
  • TikTok
  • WhatsApp
  • Twitter
  • Instagram
Most Popular

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202523 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views
Our Picks

AI-powered financial scams swamp social media

September 11, 2025

Here’s how to avoid a ‘second strike’

April 11, 2026

2025’s most common passwords were as predictable as ever

January 21, 2026

Subscribe to Updates

Get the latest news from cyberwiredaily.com

Facebook X (Twitter) Instagram Pinterest
  • Home
  • Contact
  • Privacy Policy
  • Terms of Use
  • California Consumer Privacy Act (CCPA)
© 2026 All rights reserved.

Type above and press Enter to search. Press Esc to cancel.