The Circuitry
THE CIRCUITRYYour one-stop source for all tech news
HOMETODAYNEWSFEEDEVENTS
BOOKMARKS
RSS
© 2026 The Circuitry
About UsSourcesContactCorrectionsPrivacy
  • Today
  • Feed
  • Events
  • Saved
Scroll for more
Verification
VERIFIEDConfidence: HIGH
Source identified
Claims cross-referenced
No discrepancies found
Fact-check summary

ESET's discovery of 11 unrevoked Microsoft-signed UEFI shims enabling Secure Boot bypass is corroborated by The Hacker News, Help Net Security, CERT/CC VU#616257, and Yahoo Finance coverage.

Sourcing
4independent sources

via Ars Technica

Ars Technica · track record
26Stories
100%Verified
730d
All sources →
Markets
MSFT···

Live quote · not investment advice

Home/Tech/Microsoft Secure Boot bypassed for 13 years via unrevoked shims
VERIFIEDBy Xavier Rivera· ·2.5 min read

Microsoft Secure Boot bypassed for 13 years via unrevoked shims

ESET researchers found that 11 defective Microsoft-signed shims allowed trivial bypasses of UEFI Secure Boot for 13 years until revocation in the June 2026 Patch Tuesday update. The flaw affects Windows and Linux devices alike and enables persistent bootkit installation with minimal attacker effort.

Source:Ars Technica
Post
Microsoft Secure Boot bypassed for 13 years via unrevoked shims
TL;DRAI · 60 sec read

ESET found 11 old Microsoft-signed UEFI shims with known defects that stayed trusted for 13 years. Attackers used them with only physical access to bypass Secure Boot and load persistent bootkits on Windows and Linux systems. Microsoft revoked the shims in its June 2026 update.

Microsoft's Secure Boot has been trivial to bypass for 13 of its 14 years of existence. Researchers at ESET discovered 11 firmware images, known as shims and including at least one from 2013, that remained signed by Microsoft despite known defects.

Old shims enable simple UEFI Secure Boot bypasses. The shims were created to extend Secure Boot support to Linux devices and utility software. Attackers can use a basic technique with these still-trusted but unrevoked binaries to circumvent the protection embedded in a device's UEFI firmware. No new vulnerability is required.
Attackers can use a basic technique with these still-trusted but unrevoked binaries to circumvent the protection embedded in a device's UEFI firmware.
ESET researcher Martin Smolár stated that an attacker needs only a copy of an old shim binary and a basic understanding of how UEFI shims work. This is enough to bypass UEFI Secure Boot. The lapse occurred because Microsoft, which oversees shim signing, failed to revoke the publicly available images once vulnerabilities were found.

Threat affects both Windows and Linux users. The vulnerable shims can be installed on devices running either operating system. From there, attackers with brief physical access can subvert the chain of trust to install malicious firmware that loads early in the boot process and persists even after OS reinstallation or hard drive replacement.
From The CircuitryThe Feed — live briefs across tech, all day.See what’s happening →
Secure Boot was introduced in 2012 to counter bootkits. Without it, such malicious firmware has been used in attacks including LoJax by Russian state hackers in 2018, MosaicRegressor in 2020, CosmicStrand in 2022, and BlackLotus in 2023. Most bootkits require physical access, a threat model Secure Boot is designed to protect against.
From there, attackers with brief physical access can subvert the chain of trust to install malicious firmware that loads early in the boot process and persists even after OS reinstallation or hard drive replacement.
Microsoft revokes the shims after ESET disclosure. The 11 shims, mainly version 0.9 and earlier, were added to the DBX revocation list in Microsoft's June 9, 2026 Patch Tuesday update. Windows systems receive the dbx update automatically while Linux distributions get it via LVFS. Some shims were used by distributors including Red Hat, openSUSE, and Oracle as well as third-party software such as PC-Doctor Finland’s Matriculation Examination Board.

Many of the shims were built before protections like SBAT and MOK deny lists existed. Others contain accumulated bugs. CERT/CC issued Vulnerability Note 616257 on the Microsoft-signed UEFI shim bootloaders, acknowledging Martin Smolár of ESET and referencing the full list of affected products and versions.
Complexity of Secure Boot contributed to the oversight. Microsoft has not explained how the failure to revoke the shims occurred over more than a decade in some cases. The highly complex design of Secure Boot, where Microsoft's digitally signed UEFI bootloader serves as the anchor of trust on Windows machines, is cited as a possible factor. Shims function as a secondary trust anchor signed by one of Microsoft's other UEFI certificates.

EXPERT TAKE

This decade-long lapse in revocation hygiene shows that even foundational boot security can erode through oversight in complex supply chains.

Why this mattersAI · ~100 words

Tap a lens to see what this story means for you.

Reader-supported
DonateBuy me a coffee →Follow@thecircuitry_ →Follow@thecircuitry.to →

Reader-supported · Daily Brief

Daily brief at 7 AM ET. Top tech stories, every morning. Sourced and fact-checked.

HELP US IMPROVE
From The Circuitry

See what’s happening right now

The Feed runs all day — short, verified briefs the moment they break.

Open the Feed →
From The Circuitry

Follow @thecircuitry_

Every story we publish, as it happens. No noise between.

Follow on X ↗On Bluesky ↗

Reader-supported

The Circuitry is a passion project I've always wanted to build, and I love the work behind it.

Running it costs real money. APIs, hosting, time. To keep improving the site and growing this into something useful for everyone, those costs have to be covered.

Any contribution is appreciated. If not, no pressure. Thanks for reading.

Buy me a coffee
securitymicrosoftuefi
More fromArs Technica
  • Blue Origin reportedly raising up to $10B in first private capital round

    Tech · 6d
  • FCC set to end Biden-era mandate on itemizing ISP passthrough fees

    Tech · 8d
  • Netflix now demands separate email logins for each profile

    Tech · 18d
More inTech
  • IBM Issues Rare Mid-Quarter Warning on AI Memory Shortage

    Tech · 2h
  • Microsoft to cut 605 jobs in Redmond

    Tech · 3h
  • Critical RCE Flaw in Windows GDI+ Carries 9.6 CVSS Score

    Tech · 3h
SupportThe Work

The Circuitry is reader-supported. If you find the daily brief useful, you can buy me a coffee to keep it going.

Buy a coffee →
SubscribeCircuitry Brief

Daily brief at 7 AM ET. Top tech stories, every morning.

MORE IN TECH

IBM Issues Rare Mid-Quarter Warning on AI Memory Shortage

IBM issued a rare mid-quarter warning that triggered its sharpest single-day stock decline in 115 years on Tuesday, with CEO Arvind Krishna citing an AI-driven global memory shortage shifting enterprise budgets from software to hardware. The change could unsettle vendors beyond IBM as corporate spending prioritizes supply-constrained components.

Microsoft to cut 605 jobs in Redmond

Microsoft has filed notice to permanently lay off 605 workers at its Redmond headquarters effective September 4, 2026. Axios notes 493 Redmond + other WA sites for the 605 total. The cuts are part of a sweeping Xbox gaming division restructure inside a global plan targeting approximately 3,200 roles in FY2027.

Critical RCE Flaw in Windows GDI+ Carries 9.6 CVSS Score

Microsoft disclosed CVE-2026-50380, a critical heap-based buffer overflow in Windows GDI+ that enables remote code execution over a network with a 9.6 CVSS score. The flaw affects numerous Windows 10 and 11 releases and is being patched as part of the July 2026 Patch Tuesday.