The U.S. Cybersecurity and Infrastructure Security Agency (CISA), in coordination with the National Security Agency (NSA), has issued new guidance urging enterprises to verify and manage UEFI Secure Boot configurations to counter bootkit threats.
Released in December 2025 as a Cybersecurity Information Sheet (CSI), the document addresses vulnerabilities such as PKFail, BlackLotus, and BootHole that bypass boot-time protections. Enterprises that neglect these checks face heightened risk from persistent firmware malware.
UEFI Secure Boot, introduced in 2006, enforces boot policy using certificates and hashes stored in four variables: Platform Key (PK), Key Exchange Key (KEK), allowed database (DB), and revocation database (DBX).
It blocks unsigned boot binaries, mitigating supply chain risk during the transition from the expiring 2011 Microsoft certificates to the 2023 versions. While default settings on most devices block unknown malware, misconfigurations, often from test keys or disabled modes, expose systems.
Highlighted Vulnerabilities
PKFail involved devices shipped with untrusted test certificates, enabling Secure Boot bypasses. BlackLotus (CVE-2023-24932) exploited bootloader flaws to disable enforcement despite status indicators showing it was active.
BootHole flaws in GRUB allowed arbitrary execution via malformed configs, overwhelming DBX memory on older hardware. These incidents underscore the need for routine audits beyond reliance on TPM or BitLocker.
Administrators should first confirm enforcement: Windows users run Confirm-SecureBootUEFI in PowerShell (True indicates active); Linux users run sudo mokutil --sb-state.
Export the variables with Get-SecureBootUEFI or efi-readvar, then analyze them using NSA's GitHub tools for certificates and hashes. Expected setups feature the system vendor's PK/KEK, the Microsoft 2011/2023 CAs in DB, and revocation hashes in DBX, with no test keys or permissive modes.
Component | Expected Configuration       | Improper Indicators
PK        | System vendor certificate    | Absent or test keys
KEK       | Vendor + Microsoft 2011/2023 | Missing Microsoft KEKs
DB        | Microsoft CAs + vendor       | Empty or misplaced certs
DBX       | Revocation hashes            | Boot hashes or duplicates
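As an added example (not code from the CSI or from NSA's GitHub tools), the following Python parses the EFI_SIGNATURE_LIST format that the exported PK/KEK/DB/DBX variables use and applies the expectations in the table above: a certificate outside an allowlist of expected fingerprints (a test key, for instance), an empty variable, a raw hash in an allow-list variable, a certificate in DBX, and duplicate entries are all reported. The SignatureType GUIDs are the ones the UEFI specification defines; the owner GUID placeholder, `build_esl` and every certificate and hash value are constructed for the example.

```python
import hashlib
import struct
import uuid

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")  # UEFI spec SignatureType
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")  # UEFI spec SignatureType
CONSTRUCTED_OWNER = uuid.UUID(int=1)  # placeholder SignatureOwner used only for constructed input

def fingerprint(der: bytes) -> str:
    """SHA-256 of a DER certificate; the allowlist of expected PK/KEK/DB certs is a set of these."""
    return hashlib.sha256(der).hexdigest()

def parse_esl(blob: bytes) -> list:
    """Parse a chain of EFI_SIGNATURE_LISTs (raw variable bytes, e.g. from efi-readvar -o) into (type, owner, data) tuples."""
    entries, off = [], 0
    while off < len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        pos, end = off + 28 + hdr_size, off + list_size
        if sig_size < 16 or pos > end or end > len(blob) or (end - pos) % sig_size:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        while pos < end:  # each EFI_SIGNATURE_DATA = SignatureOwner GUID + SignatureData
            entries.append((sig_type, uuid.UUID(bytes_le=blob[pos:pos + 16]), blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries

def build_esl(sig_type: uuid.UUID, datas: list, owner=CONSTRUCTED_OWNER) -> bytes:
    """Pack same-sized entries into one EFI_SIGNATURE_LIST (only used to construct test input)."""
    body = b"".join(owner.bytes_le + d for d in datas)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, 16 + len(datas[0])) + body

def audit(name: str, blob: bytes, trusted: set) -> list:
    """Findings for one variable ('pk', 'kek', 'db', 'dbx'): certs must be in `trusted`, hashes only in DBX."""
    entries, findings, seen = parse_esl(blob), [], set()
    if not entries:
        findings.append(f"{name}: empty")
    for sig_type, owner, data in entries:
        if (sig_type, data) in seen:
            findings.append(f"{name}: duplicate entry")
        seen.add((sig_type, data))
        if sig_type == EFI_CERT_X509_GUID and name == "dbx":
            findings.append(f"{name}: certificate {fingerprint(data)[:16]} in revocation list")
        elif sig_type == EFI_CERT_X509_GUID and fingerprint(data) not in trusted:
            findings.append(f"{name}: unknown certificate {fingerprint(data)[:16]} (owner {owner})")
        elif sig_type == EFI_CERT_SHA256_GUID and (name != "dbx" or len(data) != 32):
            findings.append(f"{name}: unexpected hash entry ({len(data)} bytes)")
    if name == "pk" and len(entries) > 1:
        findings.append(f"pk: expected a single vendor certificate, found {len(entries)}")
    return findings
```

On a real system, feed `audit` the bytes of each exported variable and an allowlist built from the fingerprints of the vendor and Microsoft certificates the enterprise expects; any finding is a candidate for the factory-reset or capsule-update remediation described below.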
Restore via UEFI setup to factory defaults, or apply firmware/OS updates that deliver capsules. For enterprises, integrate these checks into procurement testing and SCRM processes.
NSA advises customization over disabling for stricter controls, with tools available on GitHub. The guidance stresses full auditing modes and avoiding the Compatibility Support Module (CSM).
This CSI equips IT teams to safeguard boot integrity amid evolving threats. Download the full PDF from official sources for instructions and diagrams.
