CISA and NSA Guidance on Managing UEFI Secure Boot to Counter Bootkit Threats
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the National Security Agency (NSA), has released new guidance urging enterprises to verify and actively manage UEFI Secure Boot configurations to defend against persistent bootkit threats. The guidance, published as a Cybersecurity Information Sheet, highlights the risks posed by vulnerabilities such as PKFail, BlackLotus (CVE-2023-24932), and BootHole, which have enabled attackers to bypass Secure Boot protections through misconfigurations, outdated certificates, or the use of test keys. The agencies emphasize that default or neglected Secure Boot settings leave organizations exposed to firmware-level malware that can evade traditional security controls, and recommend routine audits and validation of Secure Boot variables using tools provided by the NSA.
The guidance also addresses operational challenges, noting that many enterprises still rely on outdated 2011 Microsoft certificates or have Secure Boot disabled, making them susceptible to both known and emerging threats. Additional real-world examples, such as the HybridPetya ransomware and the Bombshell UEFI shell, underscore the urgency of moving firmware security to the forefront of enterprise cybersecurity policy. Administrators are advised to confirm Secure Boot enforcement, export and analyze configuration variables, and ensure only trusted certificates and hashes are present, thereby strengthening the root of trust and mitigating supply chain and boot-time attack risks.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
1 event from the most recent confirmed update back to the earliest known activity.
CISA and NSA release UEFI Secure Boot management guidance
In December 2025, CISA and the NSA issued guidance urging enterprises to verify, audit, and manage UEFI Secure Boot configurations to reduce exposure to bootkits and firmware-level persistence. The guidance recommends checking Secure Boot variables, avoiding misconfigurations, using NSA-provided validation tools, and incorporating these checks into enterprise and supply-chain security practices.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Microsoft Secure Boot Certificate Transition Leaves Older PCs Without Future Boot Protections
Microsoft warned that Secure Boot certificates issued in 2011 are nearing expiration and that devices which do not receive the newer 2023 Secure Boot update will generally keep booting, but may stop receiving future boot-chain protections. The gap affects some older Windows systems whose OEMs no longer provide compatible BIOS or UEFI updates, as well as devices running Legacy BIOS, CSM mode, or unsupported Windows 11 configurations with Secure Boot disabled. Microsoft is reportedly skipping incompatible hardware rather than forcing updates that could cause failures, but enterprises may still face compliance, cyber-insurance, and lifecycle-management pressure because those endpoints could miss future `DBX` revocations, Windows Boot Manager updates, and mitigations for bootloader threats such as **BlackLotus**. The transition is also creating planning challenges beyond Windows. Linux distributions that rely on Microsoft-signed **shim** loaders are expected to continue booting on systems that already trust the older Microsoft UEFI CA, but older PCs that never receive firmware updates with the 2023 certificates may have trouble booting newer Linux media or releases. The issue follows Microsoft's broader effort to harden the pre-boot environment after flaws such as `CVE-2024-21302`, a Windows Secure Kernel Mode elevation-of-privilege bug that could let an administrator roll back VBS-related files to bypass protections; Microsoft responded with boot-time code integrity policies, an optional `SkuSiPolicy.p7b` revocation policy, and stronger protections on newer Windows releases. Administrators are being urged to verify Secure Boot update status, update firmware and recovery media where possible, and document compensating controls or replace hardware that cannot be brought forward.
Jun 24, 2026
Secure Boot Bypass Vulnerability in Framework Linux Laptops via Signed UEFI Shells
Researchers from Eclypsium discovered that nearly 200,000 Linux-based Framework laptops and desktops were shipped with signed UEFI shell components containing a powerful 'memory modify' (mm) command, which can be exploited to bypass Secure Boot protections. The mm command, intended for low-level diagnostics and firmware debugging, provides direct read and write access to system memory, including critical security variables such as gSecurity2. By abusing this command, an attacker can overwrite the gSecurity2 variable with NULL, effectively disabling signature verification for all subsequent UEFI module loads and breaking the Secure Boot trust chain. This vulnerability allows attackers to load bootkits such as BlackLotus, HybridPetya, and Bootkitty, which can evade operating system-level security controls and persist even after OS reinstallation. The attack can be automated using startup scripts, ensuring persistence across reboots. The issue is not the result of a supply chain compromise or malicious intent, but rather an oversight in the inclusion of diagnostic tools signed with trusted certificates. Eclypsium's research highlights that these signed UEFI shells, while legitimate, function as backdoors that undermine the security model of Secure Boot. The presence of such tools in production devices exposes users to significant risk, as attackers can leverage them for pre-OS infections, espionage, sabotage, or ransomware attacks. The gaming industry has already seen commercial cheat providers exploiting similar UEFI-level bypasses, and the same techniques could be adopted by nation-state actors or advanced persistent threats. Framework has acknowledged the issue and is working on remediation, with fixes planned for affected models such as the Framework 13 (11th and 12th Gen Intel). The discovery underscores the broader risk of trusted, signed components containing powerful functionality that can be misused, and the need for rigorous review of firmware-level tools included in shipping devices. The vulnerability demonstrates that even systems marketed as secure and repairable can harbor critical flaws if diagnostic utilities are not properly restricted. The incident serves as a warning to hardware manufacturers and the security community about the dangers of trusted but overly permissive firmware components. Eclypsium's findings have prompted a reassessment of trust models in firmware security, emphasizing the importance of minimizing attack surfaces in pre-boot environments. The case also illustrates how attackers are increasingly targeting lower layers of the computing stack to achieve persistence and evade detection. Framework's response and the ongoing remediation efforts will be closely watched by the industry as a test case for responsible disclosure and mitigation of firmware-level threats.
Mar 21, 2026
Microsoft Secure Boot Certificate Refresh Ahead of 2011 Certificate Expiration
Microsoft has started deploying updated **Secure Boot** certificates via regular monthly Windows updates to replace the original 2011-era certificates that begin expiring in **late June 2026**. Secure Boot, introduced in 2011 for UEFI-based systems, helps prevent pre-OS malware (e.g., bootkits/rootkits) by allowing only trusted, properly signed boot components to load, using a certificate chain anchored in UEFI firmware and validated against trusted signature databases. The expiring components include Microsoft-issued certificates used in the Secure Boot trust chain (including the **Key Exchange Key (KEK)** and Microsoft **UEFI CA/Production CA** certificates), which are present on most PCs built since 2011 and also affect many Linux distributions that rely on Microsoft’s UEFI signing ecosystem. Microsoft says the refresh will be automatic for in-support Windows devices where updates are Microsoft-managed, while organizations can also control deployment through their own management tooling; the effort is positioned as a large-scale ecosystem maintenance activity involving coordination across many OEM firmware configurations.
May 28, 2026