Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

11 Old Microsoft-Signed Linux UEFI Shims Pave the Way for Exploitable Secure Boot Vulnerabilities


Researchers have discovered 11 old Microsoft-signed UEFI shims that could be abused to bypass Secure Boot on most systems using modern firmware standards. The affected shim versions date back to earlier versions of the shim and various Linux distributions.

  • The 11 old Microsoft-signed UEFI shims found in the Unified Extensible Firmware Interface (UEFI) shim bootloaders can be exploited to bypass Secure Boot protections on most systems.
  • The vulnerabilities are attributed to outdated shim versions and have been tracked under CVE identifiers CVE-2026-8863 and CVE-2026-10797.
  • Attackers only require a copy of an old, still-trusted, but unrevoked shim binary and basic understanding of UEFI shims to bypass UEFI Secure Boot.
  • The discovery highlights the importance of keeping up-to-date with latest security patches and firmware updates to prevent similar vulnerabilities.
  • The attack can subvert Secure Boot Advanced Targeting (SBAT) and exploit previously unknown flaws in shim bootloaders, posing significant threats to systems relying on UEFI Secure Boot.



  • A recent discovery by cybersecurity researchers has shed light on a previously unknown vulnerability in the Unified Extensible Firmware Interface (UEFI) shim bootloaders, which could be exploited to bypass Secure Boot protections on most systems. The vulnerability is attributed to 11 old Microsoft-signed UEFI shims that were not revoked as part of Microsoft's June 2026 Patch Tuesday update.

    The UEFI shim is a lightweight, open-source UEFI bootloader that acts as an intermediary between a computer's motherboard firmware and the Linux operating system. Its primary purpose is to allow Linux distributions to boot when Secure Boot is enabled. The shim itself is signed with a key trusted by the firmware, mainly a Microsoft signature, as its certificates come pre-installed on UEFI-based devices.

    The sequence of events unfolds like this: the UEFI firmware loads the shim and validates its signature against the Microsoft CA stored in the firmware. The shim then validates the second-stage bootloader (in most cases, GRUB 2) against its own embedded vendor certificate. Finally, GRUB 2 validates the kernel using the same vendor certificate.

    The Slovak cybersecurity company ESET researcher Martin Smolár noted that these old shims can be abused to execute arbitrary code during system boot, enabling deployment of malicious UEFI bootkits or other malware. The consequences of this loophole are far-reaching, as an attacker with administrative privileges or the ability to modify the boot process could abuse one of the above vulnerable shim bootloaders to bypass Secure Boot protections and execute arbitrary code before the operating system loads.

    The vulnerabilities in question are tracked under the CVE identifiers CVE-2026-8863 and CVE-2026-10797. The latter refers to a long-patched issue in shim that allowed the certificate-based revocation mechanism to be bypassed by modifying the second-stage bootloader's signature header.

    ESET warned that the expiration of the "Microsoft Corporation UEFI CA 2011" certificate has no bearing on the Secure Boot verification process as long as the bootloaders signed with the expired certificate are not explicitly revoked by hash. The core issue here is that no new vulnerability is needed to bypass UEFI Secure Boot; an attacker merely requires a copy of an old, still-trusted, but unrevoked shim binary and a basic understanding of how UEFI shims work.

    The attack also subverts Secure Boot Advanced Targeting (SBAT), which is designed to revoke vulnerable boot components as opposed to maintaining a huge blocklist of individual cryptographic hashes corresponding to each file. Furthermore, the CERT Coordination Center (CERT/CC) noted that vendor-specific bootloaders have not been updated to address vulnerabilities in the upstream project after they became publicly known and fixed.

    In light of these findings, it is clear that the vulnerability in question presents a significant threat to systems relying on UEFI Secure Boot. The attackers could exploit this susceptible shim bootloader to bypass newer security mechanisms by making use of the bring your own vulnerable driver (BYOVD) attack technique to run arbitrary code during the early boot phase, even before the operating system is initialized.

    The discovery highlights the importance of keeping up-to-date with the latest security patches and firmware updates. In this case, the affected shim versions are from 0.7 or lower, RedHat RedHat Enterprise Linux (7.2), RedHat CentOS (7.2), Baramundi software baramundi Management Suite (up to 2024R1), WhiteCanyon/Blancco WipeDrive (8.0.0 through 8.1.3), Finland's Matriculation Examination Board Abitti 1 (1.0), NTC IT ROSA, LLC ROSA Linux (R10, R9), Oracle America, Inc. OracleLinux (7.2), PC-Doctor, Inc. PC Doctor Service Center (15, 16), OpenSuse OpenSuse UEFI Shim loader (0.9), and OpenSuse OpenSuse Shim (2.1).

    The security implications of this vulnerability are significant, as an attacker could exploit these susceptible shim bootloaders to bypass newer security mechanisms by making use of the bring your own vulnerable driver (BYOVD) attack technique to run arbitrary code during the early boot phase, even before the operating system is initialized.

    In conclusion, the discovery highlights the importance of keeping up-to-date with the latest security patches and firmware updates. It serves as a reminder that no system or device is completely secure, and that security vulnerabilities can be exploited in creative ways.

    Researchers have discovered 11 old Microsoft-signed UEFI shims that could be abused to bypass Secure Boot on most systems using modern firmware standards. The affected shim versions date back to earlier versions of the shim and various Linux distributions.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/11-Old-Microsoft-Signed-Linux-UEFI-Shims-Pave-the-Way-for-Exploitable-Secure-Boot-Vulnerabilities-ehn.shtml

  • https://thehackernews.com/2026/07/11-old-microsoft-signed-linux-uefi.html

  • https://nvd.nist.gov/vuln/detail/CVE-2026-8863

  • https://www.cvedetails.com/cve/CVE-2026-8863/

  • https://nvd.nist.gov/vuln/detail/CVE-2026-10797

  • https://www.cvedetails.com/cve/CVE-2026-10797/


  • Published: Wed Jul 15 03:33:36 2026 by llama3.2 3B Q4_K_M













    © Ethical Hacking News . All rights reserved.

    Privacy | Terms of Use | Contact Us