11 Vulnerable UEFI Shims Expose Systems to Secure Boot Bypass
ESET researcher Martin Smolár has uncovered 11 outdated, Microsoft-signed Unified Extensible Firmware Interface (UEFI) shim bootloaders that can be weaponized to bypass Secure Boot protections on most modern firmware-compliant machines. According to ESET's report, exploitation of any of these vulnerable shims allows attackers to execute untrusted code during the boot process, paving the way for the deployment of malicious UEFI bootkits. The affected shims are trusted because they are signed by Microsoft's "Microsoft Corporation UEFI CA 2011" third-party certificate authority, which comes pre-installed on UEFI-based devices and was used to sign third-party boot components.
The attack chain works by abusing the shim—a lightweight, open-source bootloader that sits between a motherboard's firmware and the Linux OS—to validate untrusted second-stage bootloaders and kernels during system startup. Once Secure Boot is sidestepped, threat actors can deploy high-profile bootkits such as Bootkitty, HybridPetya, or BlackLotus, regardless of the operating system installed. The Microsoft UEFI CA 2011 certificate expired on June 27, 2026, and has since been superseded by the Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, but many systems still trust the legacy chain. Administrators can use a port scanner and a privacy checkup to audit exposed firmware and network-facing attack surfaces tied to vulnerable boot environments.
The list of impacted shims spans multiple vendors and Linux distributions, including Red Hat Enterprise Linux 7.2, CentOS 7.2, Oracle Linux 7.2, openSUSE UEFI Shim loader 0.9, openSUSE Shim 2.1, ROSA Linux R10/R9, Abitti 1.0, Spyrus WTGCreator, PC-Doctor Service Center 15/16, Blancco WipeDrive 8.0.0–8.1.3, and baramundi Management Suite (up to 2024R1)—all built on UEFI shim loader versions 0.7 through 0.9. Following responsible disclosure in February 2026, Microsoft revoked these bootloaders in its June 2026 Patch Tuesday update. Security teams should verify their firmware trust databases, apply vendor patches immediately, and use a WHOIS lookup to investigate the supply-chain provenance of any third-party shim components still deployed in their environments.