Researchers Find 11 Microsoft-Signed UEFI Shims That Bypass Secure Boot
Updated
Updated · The Hacker News · Jul 11
Researchers Find 11 Microsoft-Signed UEFI Shims That Bypass Secure Boot
3 articles · Updated · The Hacker News · Jul 11
Summary
11 old Microsoft-signed UEFI shim bootloaders can still run on systems that trust the Microsoft Corporation UEFI CA 2011 certificate, letting attackers execute untrusted code before the operating system loads.
ESET said the risk comes from outdated but still-trusted shim versions—mainly 0.9 and earlier—which can be swapped in to defeat Secure Boot, MOK denylist checks and SBAT protections.
The flaw can enable UEFI bootkits such as BlackLotus, Bootkitty and HybridPetya, giving attackers with admin or boot-process access persistence that can survive reboots and sometimes OS reinstallation while evading EDR tools.
Microsoft revoked the affected shims in its June 2026 Patch Tuesday after disclosure in February, but CERT/CC said vendor-specific bootloaders had remained signed and trusted long after upstream fixes were available.
The issue, tracked as CVE-2026-8863 and CVE-2026-10797, shows that even the June 27, 2026 expiry of the old Microsoft UEFI CA 2011 certificate does not block vulnerable binaries unless they are explicitly revoked.
Are millions of PCs now permanently vulnerable to bootkits because a critical security deadline was missed?
How can Microsoft’s own signed files be used to defeat its most fundamental security feature?
2026 Secure Boot Crisis: Microsoft UEFI CA 2011 Certificate Expiration and the Global Bypass Vulnerability
Overview
In June 2026, ESET researcher Martin Smolár uncovered a major Secure Boot bypass vulnerability involving eleven older Microsoft-signed UEFI applications. This flaw allowed attackers to run untrusted code early in the boot process, potentially leading to dangerous malware infections. The issue affected any UEFI-based system trusting the Microsoft Corporation UEFI CA 2011 certificate, regardless of operating system. The discovery highlighted ongoing challenges in keeping the boot chain secure, especially since the vulnerability persisted even after the certificate expired, showing that simply relying on certificate expiration is not enough to protect systems.