- ESET discovers 11 vulnerable UEFI shim bootloaders signed by Microsoft, allowing attackers to bypass Secure Boot and deploy malicious bootkits
- Any UEFI system trusting Microsoft’s 2011 third‑party certificate could be exposed, potentially billions of devices; attackers can bring old trusted shims to new systems
- Microsoft has revoked the vulnerable shims, and users should apply the latest UEFI revocations (Windows auto‑updates, Linux via LVFS) to block exploitation
Cybersecurity experts from ESET have discovered 11 vulnerable UEFI shim bootloaders, all signed by Microsoft, which could allow threat actors to exploit ancient vulnerabilities and bypass UEFI Secure Boot, deploying all sorts of malicious bootkits.
A shim is a small, intermediary bootloader that works as a bridge between a computer’s firmware (UEFI) and the operating system‘s bootloader. Its primary purpose is to allow operating systems to work with UEFI Secure Boot without having Microsoft sign every Linux bootloader individually.
Any UEFI-based machine that trusts the Microsoft Corporation UEFI CA 2011 third-party UEFI certificate authority (CE) certificate, regardless of the operating system, was said to be vulnerable to the shims (versions 0.9 and older). That would put the number of potentially vulnerable devices in the billions, since almost all modern x86 PCs use UEFI firmware, and most of them trust the Microsoft Corporation UEFI CA 2011 certificate out of the box.
Revoking the shims
However, ESET reported its findings to CERT/CC and the vulnerable UEFI applications were all revoked.
The shims come from different tools such as PC diagnostic software, Linux distribution, and other UEFI-based utilities, the researchers explained. They also added that, since the attackers can bring their own vulnerable shims to any UEFI system with the Microsoft third-party UEFI certificate enrolled, they can exploit systems that are, at first, not affected.
To block the vulnerable shims, users should apply the latest UEFI revocations from Microsoft, it was said. While Windows systems will most likely do it automatically, Linux systems users should do it through the Linux Vendor Firmware Service.
“What makes these old shims dangerous is not a novel vulnerability; it’s that no new vulnerability is needed to bypass UEFI Secure Boot,” says ESET researcher Martin Smolár, who discovered the vulnerable shims.
“An attacker needs no complicated exploitation primitives — only a copy of an old, still-trusted but unrevoked shim binary and a basic understanding of how UEFI shims work. That is enough to bypass such an essential security feature as UEFI Secure Boot.”

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.
