{"id":289478,"date":"2026-07-14T08:46:00","date_gmt":"2026-07-14T12:46:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/07\/14\/11-old-microsoft-signed-linux-uefi-shims-could-let-attackers-bypass-secure-boot\/"},"modified":"2026-07-14T15:00:12","modified_gmt":"2026-07-14T19:00:12","slug":"11-old-microsoft-signed-linux-uefi-shims-could-let-attackers-bypass-secure-boot","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/07\/14\/11-old-microsoft-signed-linux-uefi-shims-could-let-attackers-bypass-secure-boot\/","title":{"rendered":"11 Old Microsoft-Signed Linux UEFI Shims Could Let Attackers Bypass Secure Boot"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/07\/11-old-microsoft-signed-linux-uefi.html\">11 Old Microsoft-Signed Linux UEFI Shims Could Let Attackers Bypass Secure Boot<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/07\/11-old-microsoft-signed-linux-uefi.html\">https:\/\/thehackernews.com\/2026\/07\/11-old-microsoft-signed-linux-uefi.html<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-07-14 08:46:00<\/a><\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p>Cybersecurity researchers have discovered 11 old, Microsoft-signed, Unified Extensible Firmware Interface (UEFI) applications that could be abused to bypass Secure Boot on most systems using the modern firmware standard.<\/p>\n<p>&#8220;An attacker exploiting one of these vulnerable applications can execute untrusted code during system boot, enabling deployment of malicious UEFI bootkits or other malware,&#8221; ESET researcher Martin Smol\u00e1r said in a report published today.<\/p>\n<p>The UEFI shim bootloaders expose any UEFI-based machine that trusts Microsoft&#8217;s &#8220;Microsoft Corporation UEFI CA 2011&#8221; third-party UEFI certificate authority (CA) certificate, irrespective of the installed operating system. The certificate is used to sign third-party boot components intended to run under Secure Boot. It expired as of June 27, 2026, and has been replaced by Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023.<\/p>\n<p>The shim is a lightweight, open-source UEFI bootloader that acts as an intermediary between a computer&#8217;s motherboard firmware and the Linux operating system. Its primary purpose is to allow Linux distributions to boot when Secure Boot is enabled. It&#8217;s worth noting that the shim itself is signed with a key trusted by the firmware, mostly a Microsoft signature, as its certificates come pre-installed on UEFI-based devices.<\/p>\n<p>The sequence proceeds like this: the UEFI firmware loads the shim and validates its signature against the Microsoft CA stored in the firmware. The shim then validates the second-stage bootloader (in most cases, GRUB 2) against its own embedded vendor certificate. GRUB 2 finally validates the kernel using the same vendor certificate.<\/p>\n<p>The Slovak cybersecurity company said the outdated-but-trusted shims can be exploited to execute arbitrary code when the system boots up, allowing bad actors to deploy UEFI bootkits like Bootkitty, HybridPetya, or BlackLotus even when Secure Boot protections are enabled.<\/p>\n<p>The UEFI bootloaders of the open-source shim project, mainly&#8230;<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/07\/11-old-microsoft-signed-linux-uefi.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>11 Old Microsoft-Signed Linux UEFI Shims Could Let Attackers Bypass Secure Boot https:\/\/thehackernews.com\/2026\/07\/11-old-microsoft-signed-linux-uefi.html Publish Date:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":289479,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhzgVI5ZeWhnWkl-lXmJYMLjAOXmxw21Y3sgxeF9rrOS_JqjQ7k_yyV_2KU_ELhmsm3nA3qNV0farc_31WCAhPPZRq7iIrYm90R_24lvc1f68Gv-yZPsM3bwDiUuCaCBAzq-S8ymLrrD7dx349vEjlR0eID2LXm5SO3Ocq1sG8sWkhAEG9RWX07avTOu3dW\/s1600\/shim.gif","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,32],"class_list":["post-289478","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-malware"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/289478"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=289478"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/289478\/revisions"}],"predecessor-version":[{"id":289480,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/289478\/revisions\/289480"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/289479"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=289478"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=289478"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=289478"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}