Legacy UEFI Shims Leave Systems Open to Pre-Boot Attacks
A set of 11 expired, Microsoft-signed applications can be used to disable Secure Boot, allowing persistent malware at the firmware level.
Modern cybersecurity defenses rely heavily on the integrity of the boot sequence to ensure that only trusted code executes during the startup process. However, recent findings highlight a significant vulnerability in that chain of trust, stemming from outdated UEFI applications that retain legitimate digital signatures from Microsoft.
The Mechanics of Boot Manipulation
The vulnerability centers on UEFI shim bootloaders, which act as the essential bridge between motherboard firmware and an operating system, particularly within Linux environments. By utilizing a Microsoft-signed signature, these components gain an inherent level of trust from UEFI-based systems, a design intended to ensure interoperability. Because these specific files remain trusted by the firmware, an attacker can leverage them to execute arbitrary code before the operating system even initiates its security protocols.
An attacker exploiting one of these vulnerable applications can execute untrusted code during system boot, enabling deployment of malicious UEFI bootkits or other malware.
— Martin Smolár, ESET researcher
A Persistence Loophole
The danger is compounded by the fact that even if a system is fully patched, these legacy binaries can be manually introduced by an attacker with administrative access. This technique allows for the circumvention of both Secure Boot and the Secure Boot Advanced Targeting (SBAT) mechanism. By replacing a modern, updated shim with an older version that is still cryptographically trusted, malicious actors can bypass MOK denylist enforcement, effectively blinding traditional endpoint security tools that are not active until after the OS has loaded.
Quantifying the Supply Chain Exposure
- There are 11 specific legacy Microsoft-signed UEFI applications identified as vulnerable.
- The "Microsoft Corporation UEFI CA 2011" certificate officially expired on June 27, 2026.
- Two primary identifiers tracking these issues are CVE-2026-8863 and CVE-2026-10797.
Strategic Implications for Security
This scenario underscores the persistent risk posed by supply chain artifacts that linger in the ecosystem long after their original purpose has passed. Because the vulnerability does not require a novel exploit but rather the simple usage of a legitimate, yet unrevoked, binary, it provides a low-barrier path for attackers to establish deep persistence. Organizations must prioritize the audit of their firmware components to ensure that revocation lists are up-to-date, preventing these legacy shims from being weaponized to subvert the fundamental security of modern hardware.