- ESET discovers 11 vulnerable UEFI shim bootloaders signed by Microsoft, allowing attackers to bypass secure boot and deploy malicious boot kits
- Any UEFI system trusting Microsoft’s 2011 third-party certificate could be exposed, potentially billions of devices; attackers can bring old trust holds to new systems
- Microsoft has revoked the vulnerable holds and users should apply the latest UEFI revocations (Windows, Linux automatic updates via LVFS) to block the exploit.
ESET cybersecurity experts have discovered 11 vulnerable UEFI shim bootloaders, all signed by Microsoft, that could allow malicious actors to exploit old vulnerabilities and bypass UEFI Secure Boot, deploying all sorts of malicious boot kits.
A shim is a small intermediate bootloader that functions as a bridge between a computer’s firmware (UEFI) and the operating system’s bootloader. Its main purpose is to allow operating systems to work with UEFI Secure Boot without Microsoft signing each Linux bootloader individually.
Any UEFI-based machine that trusts the Microsoft Corporation UEFI CA 2011 third-party UEFI Certificate Authority (CE) certificate, regardless of operating system, is considered vulnerable to shims (versions 0.9 and earlier). This would bring the number of potentially vulnerable devices into the billions, since almost all modern x86 PCs use UEFI firmware and most of them trust Microsoft Corporation’s UEFI CA 2011 certificate.
Revocation of holds
However, ESET reported its findings to CERT/CC and the vulnerable UEFI applications were all revoked.
The shims come from different tools such as PC diagnostic software, Linux distribution and other UEFI-based utilities, the researchers explained. They also added that since attackers can bring their own vulnerable wedges to any UEFI system with the third-party Microsoft UEFI certificate enrolled, they can exploit systems that are initially unaffected.
To block vulnerable wedges, users must apply Microsoft’s latest UEFI revocations, it was said. Although Windows systems probably do this automatically, users of Linux systems must do it through the Linux Vendor Firmware service.
“What makes these old holds dangerous is not a new vulnerability; is that no new vulnerabilities are needed to bypass UEFI Secure Boot,” explains ESET researcher Martin Smolár, who discovered the vulnerable wedges.
“An attacker doesn’t need complicated exploit primitives – just a copy of an old shim binary, still trusted but not revoked, and a basic understanding of how UEFI shims work. This is enough to bypass such an essential security feature as UEFI Secure Boot.”

The best antivirus for every budget
Follow TechRadar on Google News And add us as your favorite source to get our news, reviews and expert opinions in your feeds.




