Forgotten UEFI shims undermining Secure Boot
ESET researchers uncovered 11 outdated UEFI shim bootloaders (versions 0.9 or lower) that can be used to bypass UEFI Secure Boot on any system trusting the Microsoft Corporation UEFI CA 2011 certificate. Attackers could exploit these shims to execute untrusted code during boot, enabling malicious UEFI bootkits like Bootkitty, HybridPetya, or BlackLotus. The vulnerabilities were addressed in Microsoft's June 9th, 2026 Patch Tuesday update, which revoked the affected binaries. Two CVE IDs—CVE-2026-8863 and CVE-2026-10797—were assigned to track the issues.
ESET researchers identified 11 old and forgotten UEFI shim bootloaders at versions 0.9 and below that can be used to bypass UEFI Secure Boot on any UEFI-based machine that trusts Microsoft’s Microsoft Corporation UEFI CA 2011 third-party UEFI certificate authority (CA) certificate, regardless of the installed operating system (OS). Reported shims can be exploited to execute untrusted code during system boot, enabling attackers to deploy malicious UEFI bootkits (such as Bootkitty, HybridPetya, or BlackLotus) even on systems with UEFI Secure Boot enabled. We reported our findings to CERT/CC in February 2026, and the vulnerable UEFI applications were revoked on Microsoft’s June 9th, 2026 Patch Tuesday.…