Full Report
ESET researchers discovered 11 vulnerable UEFI shim bootloaders signed by Microsoft that allow attackers to bypass UEFI Secure Boot by exploiting decade-old vulnerabilities
Analysis Summary
# Vulnerability: Forgotten UEFI Shims Undermining Secure Boot
## CVE Details
- **CVE ID:** CVE-2026-8863 and CVE-2026-10797
- **CVSS Score:** Not explicitly listed in the article (UEFI Secure Boot bypasses typically range 6.5–8.2)
- **Severity:** High
- **CWE:** CWE-20 (Improper Input Validation) / CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) in second-stage loaders; general Secure Boot Bypass.
## Affected Systems
- **Products:** UEFI-based machines (PCs, laptops, servers) that trust the "Microsoft Corporation UEFI CA 2011" third-party certificate.
- **Versions:** 11 specific UEFI shim bootloaders at versions 0.9 and below. Affected distributions include various Linux distros, PC diagnostic tools, and UEFI utilities.
- **Configurations:** All systems with Microsoft third-party UEFI signing enabled.
- *Note:* Windows 11 "Secured-core" PCs usually have this CA disabled by default and are less susceptible.
## Vulnerability Description
ESET researchers discovered vintage UEFI shim bootloaders (v0.9 and older) that were signed by Microsoft but contain decade-old vulnerabilities. These shims act as first-stage loaders that verify and execute a second-stage loader (typically GRUB 2). Because these shims are outdated, they fail to properly validate the second-stage loader or contain vulnerabilities that allow an attacker to execute untrusted, unsigned code during the boot process. This breaks the Chain of Trust required for Secure Boot.
## Exploitation
- **Status:** PoC available (developed by ESET); can be used to deploy known bootkits such as BlackLotus, Bootkitty, or HybridPetya.
- **Complexity:** Medium
- **Attack Vector:** Local (An attacker can "Bring Your Own Vulnerable Binary" to a target system, even if the affected software isn't installed).
## Impact
- **Confidentiality:** High (Full system access prior to OS kernel loading)
- **Integrity:** High (Ability to modify the OS, kernel, and security software)
- **Availability:** High (Potential for persistent system bricking or denial of service)
## Remediation
### Patches
- **Microsoft DBX Update:** Apply the June 9th, 2026 Patch Tuesday updates. This update adds the PE Authenticode hashes of the 11 vulnerable shims to the "Forbidden Signature Database" (dbx), preventing them from executing.
### Workarounds
- **Disable Third-Party CA:** In UEFI/BIOS settings, disable the "Microsoft UEFI CA" if not required for your specific OS/hardware needs.
- **Enabled Secured-core:** Ensure "Secured-core" features are active on supported Windows 11 hardware.
## Detection
- **Indicators of Compromise:** ESET is not providing specific IoCs to avoid false positives, as these shims are part of legitimate (though outdated) software packages.
- **Detection methods:**
- Audit the UEFI `dbx` variable to ensure the June 2026 revocations are present.
- Monitor for unexpected files in the EFI System Partition (ESP).
- Use tools to verify the integrity of the boot chain and check for "out-of-band" shims being loaded.
## References
- **ESET Research:** hxxps[://]www[.]welivesecurity[.]com/en/eset-research/forgotten-uefi-shims-undermining-secure-boot/
- **CERT/CC Vulnerability Note:** hxxps[://]kb[.]cert[.]org/vuls/id/616257
- **Microsoft Security Update Guide:** hxxps[://]msrc[.]microsoft[.]com/update-guide/releaseNote/2026-Jun