Cybersecurity experts have identified a vulnerability involving 11 outdated Microsoft-signed UEFI applications, which could potentially allow attackers to bypass Secure Boot on systems using this firmware standard. Researchers from ESET highlighted the risk of these applications enabling the execution of untrusted code during system boot, thereby facilitating the deployment of UEFI bootkits or other types of malware.
Implications of Outdated UEFI Shims
The vulnerability affects machines that rely on Microsoft’s “Microsoft Corporation UEFI CA 2011” certificate authority, used for signing third-party boot components under Secure Boot. Despite the certificate’s expiration in June 2026, it has been replaced by newer certificates, yet older shims remain a risk. These shims, which allow Linux distributions to boot with Secure Boot enabled, were once signed with a Microsoft key trusted by the firmware.
Upon booting, the UEFI firmware loads the shim, validating its signature against the Microsoft CA. The shim then verifies the second-stage bootloader, commonly GRUB 2, which eventually checks the kernel using its embedded vendor certificate. However, attackers can exploit these trusted yet outdated shims to execute malicious code during the boot process, bypassing Secure Boot protections.
Vulnerable Shims and Potential Attacks
The Slovak cybersecurity firm points to several shims from versions 0.9 and earlier, which have been revoked by Microsoft following disclosures earlier this year. Affected shims include those used by RedHat, CentOS, and OracleLinux, among others. Attackers could use these shims to execute arbitrary code by exploiting the bring your own vulnerable driver (BYOVD) technique during early boot phases.
Linux systems feature a Machine Owner Key (MOK) allowlist to authorize unsigned drivers under Secure Boot. However, attackers could bypass this by using an older Microsoft-signed shim, which the allowlist still trusts, thereby loading vulnerable binaries unrestricted.
Mitigation and Future Outlook
Despite the introduction of Secure Boot Advanced Targeting (SBAT) to revoke vulnerable components, the mechanism still faces challenges. CERT Coordination Center (CERT/CC) noted that these vendor-specific bootloaders have not been updated post-vulnerability disclosure, resulting in a prolonged supply chain exposure.
Attackers with the ability to alter the boot process can exploit these vulnerabilities to bypass Secure Boot, executing code before the operating system loads. This can allow persistent malware to evade detection by security products and endpoint detection solutions.
Tracked under CVE identifiers CVE-2026-8863 and CVE-2026-10797, ESET warns that the expiration of the “Microsoft Corporation UEFI CA 2011” certificate does not impact Secure Boot verification unless the bootloaders signed with it are explicitly revoked by hash. The inherent risk lies in the continued trust of these old shims, which require no new vulnerabilities to compromise system security.
