Eleven outdated but still-trusted bootloaders can be used to bypass UEFI Secure Boot - no new exploit required.
ESET researchers identified 11 UEFI shim bootloaders, all bearing valid Microsoft signatures, that contain known vulnerabilities in shim versions 0.9 and older. A shim is a small intermediary that lets Linux distributions boot on UEFI systems without Microsoft signing every individual bootloader. The problem: any attacker can carry one of these old, signed shims onto a target machine and use it to sidestep Secure Boot entirely. Because nearly every modern x86 PC trusts the Microsoft Corporation UEFI CA 2011 certificate out of the box, the exposure spans potentially billions of devices regardless of operating system. Microsoft has since revoked the vulnerable shims, and ESET reported the findings through CERT/CC.
The attack requires no novel exploit - just a copy of an old binary and a working knowledge of how UEFI shims operate. That low bar is the point: Secure Boot is supposed to be the last line of firmware-level defense against bootkits, malware that hides below the operating system where most security tools never look. If an attacker can neutralize it with a decade-old file they downloaded somewhere, the whole trust chain collapses.
Windows machines should receive the necessary UEFI revocations automatically; Linux users need to apply them manually via the Linux Vendor Firmware Service. This is the latest in a long line of shim-related Secure Boot bypasses - including the BlackLotus bootkit disclosed in 2023 - suggesting the revocation model that underpins Secure Boot continues to lag behind the threat.