Full Report
Cybersecurity researchers have discovered 11 old, Microsoft-signed, Unified Extensible Firmware Interface (UEFI) applications that could be abused to bypass Secure Boot on most systems using the modern firmware standard. "An attacker exploiting one of these vulnerable applications can execute untrusted code during system boot, enabling deployment of malicious UEFI bootkits or other malware,"
Analysis Summary
# Vulnerability: Secure Boot Bypass via Microsoft-Signed UEFI Shim Applications
## CVE Details
- **CVE ID:** Not explicitly named in article (Refers generally to the shim project vulnerabilities disclosed in early 2026).
- **CVSS Score:** N/A (Historically, similar bootloader bypasses are rated **8.1 High**).
- **CWE:** CWE-347 (Improper Verification of Cryptographic Signature) / CWE-353 (Missing Support for Integrity Check).
## Affected Systems
- **Products:** UEFI-based systems trusting the "Microsoft Corporation UEFI CA 2011" certificate.
- **Versions:** Systems using the `shim` bootloader version 0.9 or earlier.
- **Configurations:** Any system where Secure Boot is enabled and the platform firmware trusts the Microsoft 3rd Party UEFI CA.
- **Specific Vendors Impacted:**
* RedHat (RHEL 7.2, CentOS 7.2)
* Oracle (Oracle Linux 7.2)
* OpenSuse (Shim versions 0.9 and 2.1)
* Spyrus (WTG Creator)
* Baramundi Management Suite (up to 2024R1)
* WhiteCanyon/Blancco WipeDrive (8.0.0 - 8.1.3)
* NTC IT ROSA (R9, R10)
* PC-Doctor Service Center (15, 16)
* Finnish Matriculation Examination Board (Abitti 1)
## Vulnerability Description
High-level researchers discovered 11 legacy Microsoft-signed UEFI shim bootloaders that contain security flaws. The `shim` is a first-stage bootloader designed to bridge the gap between Microsoft-signed firmware and Linux distributions. Because these older shims are still validly signed by a trusted Microsoft CA, an attacker can downgrade a system's bootloader to one of these vulnerable versions. Once loaded, the flaws in these shims allow the execution of unauthenticated code, effectively bypassing Secure Boot and Secure Boot Advanced Targeting (SBAT) protections.
## Exploitation
- **Status:** PoC concepts available; technique (BYOVD - Bring Your Own Vulnerable Driver/Binary) is well-documented in the wild.
- **Complexity:** Medium (Requires administrative/root privileges to modify the EFI System Partition).
- **Attack Vector:** Local (Most common) or Physical.
## Impact
- **Confidentiality:** Low (Persistence-focused).
- **Integrity:** **High** (Allows loading of malicious bootkits/kernels).
- **Availability:** Low.
## Remediation
### Patches
- **Microsoft June 2026 Patch Tuesday:** Microsoft has released Revocation List (DBX) updates to revoke the signatures of the 11 identified vulnerable shims.
- **Linux Distribution Updates:** Users should update to the latest provided `shim` versions (post-May 2026) which include improved SBAT metadata and MOK management.
### Workarounds
- **Update DBX Manually:** Users can manually apply UEFI Revocation List updates provided by motherboard manufacturers or OS vendors.
- **Certificate Transition:** Transition platform trust to the newer "Microsoft UEFI CA 2023" and remove trust for the "2011" CA if no legacy hardware/software requires it.
## Detection
- **Indicators of Compromise:** Presence of unauthorized or downgraded `shimx64.efi` files in the EFI System Partition (ESP).
- **Detection methods and tools:**
* Comparison of local shim hashes against the revoked hashes listed in the ESET report.
* Use of `mokutil --list-enrolled` to check for unexpected Machine Owner Keys.
* Monitoring for unauthorized writes to the `/boot/efi` directory.
## References
- **Vendor Advisory:** hXXps[://]www[.]welivesecurity[.]com/en/eset-research/forgotten-uefi-shims-undermining-secure-boot/
- **Microsoft Support:** hXXps[://]support[.]microsoft[.]com/en-US/servicing/os/secure-boot/2025/06/windows-secure-boot-certificate-expiration-and-ca-updates
- **Security News:** hXXps[://]thehackernews[.]com/2026/07/11-old-microsoft-signed-linux-uefi.html