Nearly a dozen legacy UEFI shim bootloaders, now revoked, remained trusted for years, giving attackers a straightforward path to bypass Secure Boot on systems that trust Microsoft’s third‑party signing certificate.
Key Takeaways
- 11 outdated shim bootloaders were still trusted in the Secure Boot chain.
- Microsoft revoked them in June 2026, but unpatched devices stay vulnerable.
- Boot‑level exploits bypass traditional endpoint defenses like EDR.
Security researchers have uncovered eleven vulnerable UEFI shim bootloaders that could be used to subvert Secure Boot on any system that trusts Microsoft’s third‑party UEFI signing certificate. A shim is a tiny first‑stage loader invoked by the UEFI firmware; it bridges the firmware to the operating system’s bootloader. In Linux environments, shims let distributions boot on Secure Boot‑enabled hardware without Microsoft having to sign every subsequent boot component.
How the Shims Became a Liability
The identified shims are version 0.9 or earlier—several generations behind current releases. Some were configured to launch legacy GRUB 2 bootloaders with known vulnerabilities; others lacked modern security hardening, and a few contained outright bugs that could let an attacker bypass Secure Boot checks entirely.
Microsoft’s Revocation and the Real‑World Lag
After ESET reported the issue, Microsoft issued Secure Boot revocation updates in June 2026. However, firmware updates are notoriously slow to deploy, especially in enterprise, air‑gapped, or OT‑adjacent environments where change‑control cycles span quarters rather than days. Consequently, many machines continue to trust these obsolete shim binaries, giving adversaries a ready‑made foothold at the earliest stage of system startup.
Broader Implications for Firmware Security
This incident underscores a systemic problem: once a piece of signed firmware is deployed, it can linger for years, becoming what experts call “Secure Boot debt.” Without active inventory management and timely revocation, old code can undermine the very trust chain it was meant to protect. Organizations must treat firmware components with the same lifecycle rigor applied to applications—regular audits, automated revocation lists, and rapid patch distribution.