AI & TechBigTech CompaniesCybersecurityNewswireTechnology

Microsoft’s Secure Boot flaw exposed after a decade unnoticed

Originally published on: July 15, 2026
▼ Summary

– Microsoft’s Secure Boot has been trivially bypassable for 13 of its 14 years using old, unrevoked shim firmware images.
– ESET researchers discovered at least 11 defective firmware images, some from 2013, that remained signed by Microsoft despite known vulnerabilities.
– The bypass works by exploiting old shims, originally created to extend Secure Boot to Linux, using a technique simple enough for novice hackers.
– The threat affects both Windows and Linux users, allowing attackers to install persistent malicious firmware that survives OS reinstallation.
– Secure Boot was introduced in 2012 to prevent bootkits, which have been used by state hackers and other groups in real-world attacks since 2018.

For over a decade, a foundational security standard designed to protect both Windows and Linux machines from firmware-level attacks has been easily bypassed. Researchers at cybersecurity firm ESET uncovered that Microsoft’s Secure Boot, an industry-wide protocol introduced in 2012, has been vulnerable for 13 of its 14 years due to a simple oversight: the company never revoked known defective firmware images.

The issue revolves around shims, small software components Microsoft created to extend Secure Boot capabilities to Linux systems and utility programs. ESET identified 11 such firmware images, with at least one dating back to 2013, that remained digitally signed by Microsoft despite being publicly known as flawed. These old, forgotten shims allow attackers to completely circumvent Secure Boot’s protection, which is embedded in a device’s UEFI (Unified Extensible Firmware Interface) on the motherboard. The technique is so straightforward that even novice hackers can execute it.

The vulnerability affects both Windows and Linux users because the shim can be installed on either operating system. Once deployed, an attacker can break the mandated chain of digitally signed firmware to install malicious code that loads early in the boot process. This malicious firmware persists even after a full OS reinstall or hard drive replacement, giving attackers a persistent foothold.

“What makes these old shims dangerous is not a novel vulnerability,” explained ESET researcher Martin Smolár in a Tuesday report. “It’s that no new vulnerability is needed to bypass UEFI Secure Boot. An attacker needs no complicated exploitation primitives,only a copy of an old, still-trusted, but unrevoked shim binary and a basic understanding of how UEFI shims work. That is enough to bypass such an essential security feature as UEFI Secure Boot.”

Secure Boot was introduced in 2012 specifically to counter the threat of bootkits, malicious firmware that loads before the operating system. Without this protection, attackers with brief physical access to a device, even when it’s turned off, can install bootkits similar to LoJax (used by Russian state hackers in 2018), MosaicRegressor (discovered in 2020), CosmicStrand (2022), and BlackLotus (2023). Other in-the-wild bootkits tracked by security researchers include ESpecter, FinSpy, and MoonBounce.

Microsoft’s failure to revoke these publicly available shims once vulnerabilities were discovered left a gaping hole in a security feature that was supposed to be a cornerstone of modern device protection. The lapse underscores how even well-intentioned security measures can erode over time without rigorous maintenance and revocation practices.

(Source: Ars Technica)

Topics

secure boot bypass 98% microsoft shims 95% eset research 92% firmware infections 90% bootkit threats 88% uefi security 86% microsoft oversight 84% linux security 82% windows security 80% novice hacker exploit 78%