CVE Tools
Back to feed
Ars Technica (Security) ·EN Restricted ResearchWindowsUEFI

Microsoft’s Secure Boot has been broken for a decade and no one noticed until now

By Dan Goodin··7 min read
CVE Tools coverage

Researchers at ESET have uncovered a critical flaw in Microsoft’s Secure Boot implementation, which has been vulnerable to bypass for over a decade due to unrevoked firmware 'shims' signed by the company. These shims, originally designed to support Linux and utility software, remain trusted despite known vulnerabilities and can be exploited to install malicious firmware on both Windows and Linux devices. The issue affects UEFI-based systems and highlights weaknesses in how Secure Boot is managed. Microsoft addressed the problem in its June 2026 update, but users are advised to verify their revocation status using tools like uefi-dbx-audit.