- ESET discovers 11 vulnerable UEFI shim bootloaders signed by Microsoft, allowing attackers to bypass secure boot and deploy malicious bootkits
- Any UEFI system that relies on the Microsoft 2011 third-party certificate could be exposed, potentially billions of devices; Attackers can push old trusted fixes into new systems.
- Microsoft has revoked the vulnerable fixes and users should apply the latest UEFI (Windows Automatic Updates, Linux over LVFS) reversals to block the exploit.
ESET cybersecurity experts have discovered 11 vulnerable UEFI shim bootloaders, all signed by Microsoft, that could allow threat actors to exploit old vulnerabilities and bypass UEFI secure boot, deploying all kinds of malicious bootkits.
A shim is a small intermediary bootloader that acts as a bridge between a computer’s firmware (UEFI) and the operating system’s bootloader. Its main goal is to allow operating systems to work with UEFI Secure Boot without Microsoft signing each Linux bootloader individually.
Any UEFI-based machine that relies on Microsoft Corporation’s third-party UEFI CA 2011 UEFI Certification Authority (CE) certificate, regardless of the operating system, was said to be vulnerable to the fixes (versions 0.9 and earlier). That would raise the number of potentially vulnerable devices to billions, since almost all modern x86 PCs use UEFI firmware, and most of them rely on Microsoft Corporation’s UEFI CA 2011 certificate out of the box.
Revoke shims
However, ESET reported its findings to CERT/CC and all vulnerable UEFI applications were revoked.
The researchers explained that the fixes come from different tools such as PC diagnostic software, Linux distribution, and other UEFI-based utilities. They also added that since attackers can bring their own vulnerable shims to any UEFI system with Microsoft’s third-party UEFI certificate enrolled, they can exploit systems that are initially unaffected.
To block the vulnerable wedges, users were said to apply the latest UEFI overrides from Microsoft. While Windows systems will most likely do this automatically, Linux system users should do this through the Linux Vendor Firmware Service.
“What makes these old shims dangerous is not a novel vulnerability; it’s that no new vulnerability is needed to prevent UEFI secure boot,” says ESET researcher Martin Smolár, who discovered the vulnerable shims.
“An attacker doesn’t need complicated exploit primitives: just a copy of an old, still trusted but not revoked shim binary and a basic understanding of how UEFI shims work. That’s enough to bypass a security feature as essential as UEFI Secure Boot.”

The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds.




