Close Menu
    What's Hot

    ‘Piracy’: Will Trump’s 20 percent Hormuz toll find takers? | Conflict News

    The Pentagon Needs $1.5 Trillion

    Telegram’s shortlink domain is back online after day-long suspension

    Facebook X (Twitter) Instagram
    Trending
    • ‘Piracy’: Will Trump’s 20 percent Hormuz toll find takers? | Conflict News
    • The Pentagon Needs $1.5 Trillion
    • Telegram’s shortlink domain is back online after day-long suspension
    • The Federal Reserve and Bank of England have a trust deficit
    • Live Updates: Inflation Slows on Lower Energy Prices
    • Evaluating How Much More Upside Does Brookdale Senior Have (Technical Analysis) (NYSE:BKD)
    • England vs Argentina: Jamie Carragher believes Thomas Tuchel’s side can exploit Lionel Messi in their World Cup semi-final | Football News
    • 11 Old Microsoft-Signed Linux UEFI Shims Could Let Attackers Bypass Secure Boot
    interluknewsinterluknews
    • Home
    • Business
      • Corporate News
      • Industry Insights
      • Startups & Entrepreneurship
      • Technology & Innovation
    • Economy
      • Economic Policy
      • Financial Analysis
      • Inflation & Interest Rates
      • Trade & Markets
    • Global
      • Conflicts & Security
      • Diplomacy
      • Global Trends
      • International Affairs
    • Lifestyle
      • Fashion
      • Food & Dining
      • Personal Development
      • Travel
    • Opinion
      • Columns
      • Editorials
      • Expert Opinions
      • Reader Voices
    • More
      • Politics
        • Elections
        • Government & Policy
        • International Relations
        • Political Analysis
      • Sports
        • Cricket
        • Football / Soccer
        • International Sports
        • Local Sports
      • Technology
        • Artificial Intelligence
        • Cybersecurity
        • Gadgets & Reviews
        • Tech News
      • South Africa News
    Facebook X (Twitter) Instagram
    interluknewsinterluknews
    Cybersecurity

    11 Old Microsoft-Signed Linux UEFI Shims Could Let Attackers Bypass Secure Boot

    adminBy adminJuly 14, 2026No Comments5 Mins Read
    Share Facebook Twitter Pinterest Copy Link Telegram LinkedIn Tumblr Email
    11 Old Microsoft-Signed Linux UEFI Shims Could Let Attackers Bypass Secure Boot
    Share
    Facebook Twitter LinkedIn Pinterest Email

    11 Old Microsoft-Signed Linux UEFI Shims Could Let Attackers Bypass Secure Boot

    Cybersecurity researchers have discovered 11 old, Microsoft-signed, Unified Extensible Firmware Interface (UEFI) applications that could be abused to bypass Secure Boot on most systems using the modern firmware standard.

    “An attacker exploiting one of these vulnerable applications can execute untrusted code during system boot, enabling deployment of malicious UEFI bootkits or other malware,” ESET researcher Martin Smolár said in a report published today.

    The UEFI shim bootloaders expose any UEFI-based machine that trusts Microsoft’s “Microsoft Corporation UEFI CA 2011” third-party UEFI certificate authority (CA) certificate, irrespective of the installed operating system. The certificate is used to sign third-party boot components intended to run under Secure Boot. It expired as of June 27, 2026, and has been replaced by Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023.

    The shim is a lightweight, open-source UEFI bootloader that acts as an intermediary between a computer’s motherboard firmware and the Linux operating system. Its primary purpose is to allow Linux distributions to boot when Secure Boot is enabled. It’s worth noting that the shim itself is signed with a key trusted by the firmware, mostly a Microsoft signature, as its certificates come pre-installed on UEFI-based devices.

    Cybersecurity

    The sequence proceeds like this: the UEFI firmware loads the shim and validates its signature against the Microsoft CA stored in the firmware. The shim then validates the second-stage bootloader (in most cases, GRUB 2) against its own embedded vendor certificate. GRUB 2 finally validates the kernel using the same vendor certificate.

    The Slovak cybersecurity company said the outdated-but-trusted shims can be exploited to execute arbitrary code when the system boots up, allowing bad actors to deploy UEFI bootkits like Bootkitty, HybridPetya, or BlackLotus even when Secure Boot protections are enabled.

    The UEFI bootloaders of the open-source shim project, mainly from version 0.9 and earlier, have since been revoked by Microsoft as part of its June 2026 Patch Tuesday update following responsible disclosure earlier this February. The list of the impacted shim bootloaders is below –

    • Spyrus WTGCreator from UEFI shim loader (0.7 or lower)
    • RedHat RedHat Enterprise Linux (7.2) from UEFI shim loader (0.9)
    • RedHat CentOS (7.2) from UEFI shim loader (0.9)
    • Baramundi software baramundi Management Suite (up to 2024R1) from UEFI shim loader (0.8)
    • WhiteCanyon/Blancco WipeDrive (8.0.0 through 8.1.3) from UEFI shim loader (0.7)
    • Finland’s Matriculation Examination Board Abitti 1 (1.0) from UEFI shim loader (0.8)
    • NTC IT ROSA, LLC ROSA Linux (R10, R9) from UEFI shim loader (0.9)
    • Oracle America, Inc. OracleLinux (7.2) from UEFI shim loader (0.9)
    • PC-Doctor, Inc. PC Doctor Service Center (15, 16) from UEFI shim loader (0.9)
    • OpenSuse OpenSuse UEFI Shim loader (0.9)
    • OpenSuse OpenSuse Shim (2.1) from UEFI Shim loader (0.9)

    A consequence of this loophole is that an attacker could exploit these susceptible shim bootloaders to bypass newer security mechanisms by making use of the bring your own vulnerable driver (BYOVD) attack technique to run arbitrary code during the early boot phase, even before the operating system is initialized.

    Linux systems also come with a security feature called a Machine Owner Key (MOK) allowlist that lets users authorize unsigned drivers to be loaded while UEFI Secure Boot is active. Although a MOK denylist was introduced in shim version 0.9 as a way to revoke old signing certificates associated with a vulnerable UEFI binary and re-sign patched versions.

    In this context, an attacker could replace the victim’s up-to-date shim with an older Microsoft-signed UEFI shim and bypass MOK denylist enforcement by taking advantage of the fact that the allowlist still trusts the old certificate. This, in turn, could allow an attacker’s shim to load vulnerable binaries without restriction and obtain arbitrary code execution.

    That’s not all. The attack also subverts Secure Boot Advanced Targeting (SBAT), which is designed to revoke vulnerable boot components as opposed to maintaining a huge blocklist of individual cryptographic hashes corresponding to each file. Put differently, the mechanism is used to update the minimum acceptable generation whenever a vulnerability is discovered in a boot chain component. If an attempted boot uses an older, vulnerable version, the system blocks it and throws an error.

    The CERT Coordination Center (CERT/CC), in an advisory issued last month, said the vendor-specific bootloaders have not been updated to address vulnerabilities in the upstream project after they became publicly known and fixed.

    “As a result, vulnerable bootloaders remained signed and trusted by Secure Boot systems because they had not been revoked through the Microsoft-signed DBX revocation list,” it noted. “This created a long-term supply chain exposure in which outdated and vulnerable boot components could still be executed on fully patched systems.”

    Cybersecurity

    The result is that an attacker with administrative privileges or the ability to modify the boot process could abuse one of the above vulnerable shim bootloaders to bypass Secure Boot protections and execute arbitrary code before the operating system loads, paving the way for entrenched persistence that can survive operating system reboots and, in a few cases, its reinstallation.

    Because all this occurs before the operating system and security products are initialized, malicious code executed through the bootloaders can also sidestep detection by built-in security controls and endpoint detection and response (EDR) solutions.

    The issues are tracked under the CVE identifiers CVE-2026-8863 and CVE-2026-10797, with the latter referring to a long-patched issue in shim that allowed the certificate-based revocation mechanism to be bypassed by modifying the second-stage bootloader’s signature header.

    ESET has warned that the expiration of the “Microsoft Corporation UEFI CA 2011” certificate has no bearing on the Secure Boot verification process as long as the bootloaders signed with the expired certificate are not explicitly revoked by hash.

    “What makes these old shims dangerous is not a novel vulnerability, it’s that no new vulnerability is needed to bypass UEFI Secure Boot,” ESET said. “An attacker needs no complicated exploitation primitives – only a copy of an old, still-trusted, but unrevoked shim binary and a basic understanding of how UEFI shims work. That is enough to bypass such an essential security feature as UEFI Secure Boot.”

    Attackers boot Bypass Linux MicrosoftSigned secure Shims UEFI
    Follow on Google News Follow on Flipboard
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
    Previous ArticleBlanche Was a Driving Force in Retribution Campaign, Emails Show
    Next Article England vs Argentina: Jamie Carragher believes Thomas Tuchel’s side can exploit Lionel Messi in their World Cup semi-final | Football News
    admin
    • Website

    Related Posts

    U.S. Sanctions First VPN Service and Malware Cryptor Seller Over Ransomware Support

    July 14, 2026

    Grok Build Uploaded Entire Git Repositories to xAI Storage, Not Just Files It Read

    July 14, 2026

    Microsoft Maps Three Salesforce Attack Paths Tied to a Year of ShinyHunters Activity

    July 14, 2026
    Leave A Reply Cancel Reply

    Demo
    Latest Posts

    ‘Piracy’: Will Trump’s 20 percent Hormuz toll find takers? | Conflict News

    The Pentagon Needs $1.5 Trillion

    Telegram’s shortlink domain is back online after day-long suspension

    The Federal Reserve and Bank of England have a trust deficit

    Latest Posts

    Subscribe to News

    Get the latest sports news from NewsSite about world, sports and politics.

    Advertisement
    Demo

    We are a digital news platform delivering timely, accurate, and insightful coverage of politics, global affairs, business, economy, sports, and more. Our mission is to keep readers informed with reliable news, clear analysis, and stories that truly matter.
    We're social. Connect with us:

    Facebook X (Twitter) Instagram Pinterest YouTube

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Type above and press Enter to search. Press Esc to cancel.

    Powered by
    ...
    ►
    Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
    None
    ►
    Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
    None
    ►
    Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
    None
    ►
    Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
    None
    ►
    Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
    None
    Powered by