ThinkPatternGet the app
Story
TECHNOLOGY · JUL 14, 2026

Microsoft Revokes UEFI Shims After ESET Finds Secure Boot Bypass

ESET researchers discovered 11 outdated Microsoft-signed UEFI shim bootloaders that allow attackers to bypass Secure Boot and deploy malicious bootkits on millions of devices.

Researchers at ESET discovered 11 outdated, Microsoft-signed UEFI shim bootloaders—versions 0.9 and below—that enable attackers to bypass UEFI Secure Boot protections. The vulnerability, tracked as CVE-2026-8863 and CVE-2026-10797, allows the execution of untrusted code during the early boot phase, facilitating the deployment of malicious bootkits such as BlackLotus and Bootkitty. These bootkits can persist even after operating system reinstalls or hard drive replacements.

The flaw affects nearly all UEFI systems trusting the Microsoft Corporation UEFI CA 2011 certificate, including various Linux distributions and software from vendors such as Red Hat, Oracle, and OpenSuse. However, most Windows 11 Secured-core PCs remain unaffected. The bypass does not rely on a new vulnerability but instead leverages old, unrevoked binaries and vulnerabilities in second-stage bootloaders, primarily GRUB 2, allowing attackers to sidestep Machine Owner Key (MOK) denylists and Secure Boot Advanced Targeting (SBAT) mechanisms.

ESET reported the findings to the CERT Coordination Center in February 2026. Microsoft revoked the affected binaries during its June 9, 2026, Patch Tuesday update. While Windows users generally receive these updates automatically, Linux users are advised to use the Linux Vendor Firmware Service to apply the necessary revocations. Despite Microsoft's action, the CERT Coordination Center warned that outdated vendor-specific bootloaders continue to create supply chain exposure.


Reported across 9 outlets
Actors
ESETMicrosoft CorporationCERT Coordination Center

Keep reading in the app

The full story and every source, free in the app.

Download on the App StoreComing soonGoogle Play