Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Old Microsoft UEFI Shims Pose Secure Boot Risk

Old Microsoft UEFI Shims Pose Secure Boot Risk

Posted on July 14, 2026 By CWS

Cybersecurity experts have identified a vulnerability involving 11 outdated Microsoft-signed UEFI applications, which could potentially allow attackers to bypass Secure Boot on systems using this firmware standard. Researchers from ESET highlighted the risk of these applications enabling the execution of untrusted code during system boot, thereby facilitating the deployment of UEFI bootkits or other types of malware.

Implications of Outdated UEFI Shims

The vulnerability affects machines that rely on Microsoft’s “Microsoft Corporation UEFI CA 2011” certificate authority, used for signing third-party boot components under Secure Boot. Despite the certificate’s expiration in June 2026, it has been replaced by newer certificates, yet older shims remain a risk. These shims, which allow Linux distributions to boot with Secure Boot enabled, were once signed with a Microsoft key trusted by the firmware.

Upon booting, the UEFI firmware loads the shim, validating its signature against the Microsoft CA. The shim then verifies the second-stage bootloader, commonly GRUB 2, which eventually checks the kernel using its embedded vendor certificate. However, attackers can exploit these trusted yet outdated shims to execute malicious code during the boot process, bypassing Secure Boot protections.

Vulnerable Shims and Potential Attacks

The Slovak cybersecurity firm points to several shims from versions 0.9 and earlier, which have been revoked by Microsoft following disclosures earlier this year. Affected shims include those used by RedHat, CentOS, and OracleLinux, among others. Attackers could use these shims to execute arbitrary code by exploiting the bring your own vulnerable driver (BYOVD) technique during early boot phases.

Linux systems feature a Machine Owner Key (MOK) allowlist to authorize unsigned drivers under Secure Boot. However, attackers could bypass this by using an older Microsoft-signed shim, which the allowlist still trusts, thereby loading vulnerable binaries unrestricted.

Mitigation and Future Outlook

Despite the introduction of Secure Boot Advanced Targeting (SBAT) to revoke vulnerable components, the mechanism still faces challenges. CERT Coordination Center (CERT/CC) noted that these vendor-specific bootloaders have not been updated post-vulnerability disclosure, resulting in a prolonged supply chain exposure.

Attackers with the ability to alter the boot process can exploit these vulnerabilities to bypass Secure Boot, executing code before the operating system loads. This can allow persistent malware to evade detection by security products and endpoint detection solutions.

Tracked under CVE identifiers CVE-2026-8863 and CVE-2026-10797, ESET warns that the expiration of the “Microsoft Corporation UEFI CA 2011” certificate does not impact Secure Boot verification unless the bootloaders signed with it are explicitly revoked by hash. The inherent risk lies in the continued trust of these old shims, which require no new vulnerabilities to compromise system security.

The Hacker News Tags:attack vector, Certificates, Cybersecurity, ESET, Firmware, Linux, Malware, Microsoft, Secure Boot, Secure Boot bypass, security risk, shim bootloaders, UEFI, Vulnerability

Post navigation

Previous Post: July 2026 SAP Security Updates Address Critical Flaws
Next Post: Critical Flaws in Claude for Chrome Allow Unauthorized Access

Related Posts

Chinese Hackers Have Started Exploiting the Newly Disclosed React2Shell Vulnerability Chinese Hackers Have Started Exploiting the Newly Disclosed React2Shell Vulnerability The Hacker News
Microsoft Fixes 78 Flaws, 5 Zero-Days Exploited; CVSS 10 Bug Impacts Azure DevOps Server Microsoft Fixes 78 Flaws, 5 Zero-Days Exploited; CVSS 10 Bug Impacts Azure DevOps Server The Hacker News
Hackers Exploit Samsung MagicINFO, GeoVision IoT Flaws to Deploy Mirai Botnet Hackers Exploit Samsung MagicINFO, GeoVision IoT Flaws to Deploy Mirai Botnet The Hacker News
Chinese APT41 Exploits Google Calendar for Malware Command-and-Control Operations Chinese APT41 Exploits Google Calendar for Malware Command-and-Control Operations The Hacker News
FBI Alerts: Russian Hackers Phish WhatsApp, Signal Users FBI Alerts: Russian Hackers Phish WhatsApp, Signal Users The Hacker News
Fortinet, Ivanti, and SAP Issue Urgent Patches for Authentication and Code Execution Flaws Fortinet, Ivanti, and SAP Issue Urgent Patches for Authentication and Code Execution Flaws The Hacker News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • Enhancing SOC Efficiency: Cut Alert Overload & MTTR
  • Crypto Wallet Extensions’ Privacy Risks Uncovered
  • CISA Alerts on Cisco IOS Vulnerability Exploitation
  • Critical Fixes for VMware Avi Load Balancer Vulnerabilities
  • RabbitMQ Vulnerabilities Expose OAuth Secrets, Threaten Security

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • Enhancing SOC Efficiency: Cut Alert Overload & MTTR
  • Crypto Wallet Extensions’ Privacy Risks Uncovered
  • CISA Alerts on Cisco IOS Vulnerability Exploitation
  • Critical Fixes for VMware Avi Load Balancer Vulnerabilities
  • RabbitMQ Vulnerabilities Expose OAuth Secrets, Threaten Security

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark