
ESET has warned that outdated Microsoft‑signed UEFI shim bootloaders can be abused to bypass Secure Boot on a wide range of devices. The affected components, mostly version 0.9 and earlier, remain trusted in the Secure Boot chain despite being revoked by Microsoft in June 2026. Attackers who gain the ability to load these old shims can execute unsigned code during the boot process, opening the door to bootkits and persistent firmware implants.
Researchers identified eleven vulnerable shim binaries, all signed by Microsoft and dating back to 2015 or earlier. Two vulnerabilities have been logged, CVE‑2026‑8863 with a CVSS score of 7.8 rated HIGH and CVE‑2026‑10797 for which no score has been assigned. Both flaws allow an attacker to substitute a malicious payload for the legitimate shim, causing the firmware to execute untrusted code before the operating system loader runs, thereby subverting the Secure Boot verification step. The flaws reside in the shim’s handling of PE binary validation, allowing a crafted payload to be mistaken for a legitimate bootloader.
The shims were never removed from Microsoft’s trusted signature database, so systems that have not applied the latest revocation continue to treat them as valid. Although no specific threat actor has been linked to the issue, the availability of these old bootloaders means that any post‑exploitation foothold could be leveraged to install a stealthy bootkit that survives OS reinstalls. Security observers note that the long‑standing trust in such components highlights a blind spot in firmware hygiene that is often overlooked by endpoint protection tools.
Administrators should first verify that the UEFI dbx revocation list includes the hashes of the eleven identified shims; most recent Microsoft updates released after June 2026 already contain these entries. Organisations should also verify that the revocation list is not being overridden by local Secure Boot policies that could inadvertently retain the old shims. Where systems run custom or third‑party firmware, it is essential to contact the OEM for a signed update that replaces the old shim with a current version. Enabling Secure Boot and confirming that the system is in user mode rather than setup mode helps ensure the revocation is enforced. Finally, reviewing boot logs for any attempt to load an unsigned or outdated shim can reveal early signs of an attack attempt.
Linux distributors are advised to rebuild their shim packages using the latest Microsoft‑signed version and to push the updated binaries through their usual update channels. End users should verify that their device’s firmware is at the latest version supplied by the manufacturer and that Secure Boot remains enabled after any firmware flash. Organisations that rely on measured boot or TPM‑based attestation should update their policies to reject boot attempts that present an outdated shim hash. Keeping firmware and signature databases current remains the most effective way to close this gap.
Detection of a compromised shim is difficult because the malicious code runs before the OS kernel loads, evading most antivirus agents. Security teams should consider enabling UEFI firmware logging if available and forwarding those records to a central SIEM for correlation. Firmware integrity scanners that compare the hash of loaded bootloaders against an approved whitelist can also provide an additional layer of defence. Regularly scheduled firmware audits help ensure that no forgotten shim remains in the trust store.
The discovery Intelligence briefing updated Jul 16, 2026