Forgotten UEFI shims undermining Secure Boot
Award-winning news, views, and insight from the ESET security community
ESET Research
Forgotten UEFI shims undermining Secure Boot<br>ESET researchers discovered 11 vulnerable UEFI shim bootloaders signed by Microsoft that allow attackers to bypass UEFI Secure Boot by exploiting decade-old vulnerabilities
Martin Smolár
14 Jul 2026<br>•<br>20 min. read
ESET researchers identified 11 old and forgotten UEFI shim bootloaders at versions 0.9 and below that can be used to bypass UEFI Secure Boot on any UEFI-based machine that trusts Microsoft’s Microsoft Corporation UEFI CA 2011 third-party UEFI certificate authority (CA) certificate, regardless of the installed operating system (OS). Reported shims can be exploited to execute untrusted code during system boot, enabling attackers to deploy malicious UEFI bootkits (such as Bootkitty, HybridPetya, or BlackLotus) even on systems with UEFI Secure Boot enabled. We reported our findings to CERT/CC in February 2026, and the vulnerable UEFI applications were revoked on Microsoft’s June 9th, 2026 Patch Tuesday.
While two CVE IDs were assigned to this case to cover the reported shims, CVE-2026-8863 and CVE-2026-10797, exploitation of each reported shim is not just about a single bug or two that can be found in these old shims directly. In fact, the attack surface is extended by the shims’ trusted, second-stage bootloaders (mostly GRUB 2), which – like the shims themselves – may include outdated versions with known vulnerabilities. The discovered shims come from various tools or software packages, including PC-diagnostics software, Linux distributions, and other UEFI-based utilities. Importantly, exploitation is not limited to systems with the affected software or OS installed, as attackers can bring their own copy of the vulnerable shims to any UEFI system with the Microsoft third-party UEFI certificate enrolled.
The full list of the software products relying on the reported shims along with their affected versions is available in CERT/CC’s Vulnerability Note. In response to ESET researchers’ report, UEFI shim bootloaders with the following PE Authenticode hashes were revoked in the dbx update that was part of Microsoft’s June 9th Patch Tuesday:
AE75F0D82BA3DF824FBFC69340CC3B4D66C598373B1AB54CDB6C8BFD83A6B961
7B2A3F5C96F95BD8086CE54B0825E300F9C8F11FE3401BB631B3215C8DE9EB10
EB86FA1386FE6E4533B8B938DCC1250616D2F1C14C15E2FCF80834A161018A0A
FD23D6E57DE6F4E1F9D7118DA1C5F31A8AF6BE5E5D9E8170F9493447268D50C5
A0DE9333442C1BF9349A460141AE5E80F911955C6506040FA3D021BF6C1AE3E4
95B6D71FC0C0F8C5E1533A37AEF92CF6B0C961E2CC612A97117FA6759CE5FC06
236A9CB0D71951C36398A32EB660CE2CD4A52CCFA7CF751CC6A35D9DE549E19B
5E594C448760A3135B1A3A83E07A4F2E6FBE49414EF2C7CAB1CBA77F284FA63B
8A964D5F8373948D20A1D4296FB92E545DAD4617A0C810F3B934B53D98AE8963
410260B1B6F5AF5FBEEB9EA3220658435E876CB3247126EE907A437F312DB373
96275DFD6282A522B011177EE049296952AC794832091F937FBBF92869028629
Key points of this blogpost:
ESET researchers discovered 11 old, Microsoft-signed, UEFI applications that allow bypassing UEFI Secure Boot on the majority of UEFI-based systems.
An attacker exploiting one of these vulnerable applications can execute untrusted code during system boot, enabling deployment of malicious UEFI bootkits or other malware.
Exploitation is not limited to systems with the affected software or OS installed, as attackers can bring their own copy of the vulnerable binaries to any UEFI system with the Microsoft third-party UEFI certificate enrolled.
All UEFI systems with Microsoft third-party UEFI signing enabled are affected (Windows 11 Secured-core PCs should have this option disabled by default).
The vulnerable binaries were revoked by Microsoft in the June 9th, 2026 Patch Tuesday update.
Following is the coordinated disclosure timeline. We’d like to thank CERT/CC for its help in coordinating the vulnerability disclosure process, and the affected vendors for smooth and transparent communication and cooperation during the vulnerability disclosure and remediation process. To protect your systems against this threat, install the latest Microsoft dbx updates. Instructions on how to do that can be found in the Protection and detection section.
Coordinated disclosure timeline:
2026-02-16 – ESET reported the findings, along with a proof of concept, to CERT/CC.
2026-03-18 – dbx update and public disclosure date was set to May 19th, 2026 (Microsoft’s May Patch Tuesday).
2026-03-30 – dbx update and public disclosure date was postponed to June 9th, 2026 (Microsoft’s June Patch Tuesday).
2026-06-09 – Microsoft’s June Patch Tuesday update, CERT/CC Vulnerability Note published.
2026-07-14 – ESET blogpost published.
UEFI shim bootloader and UEFI Secure Boot
To understand the impact that such vulnerable shims can have on UEFI Secure Boot-protected systems, we need to understand how UEFI...