ESET disclosed that 11 outdated Microsoft-signed Linux shim bootloaders could be abused to bypass UEFI Secure Boot on systems that trust the Microsoft Corporation UEFI CA 2011 certificate. The issue affects UEFI-based machines regardless of installed operating system because an attacker can introduce an old but still-trusted signed binary even if the device never originally shipped with it. Researchers said the vulnerable shims can trust insecure second-stage loaders such as GRUB 2, lack later protections including MOK denylist enforcement and SBAT support, and could let an attacker with administrative access or boot-process control run arbitrary code during early boot and install persistent UEFI bootkits such as BlackLotus, Bootkitty, or HybridPetya.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
3 events from the most recent confirmed update back to the earliest known activity.
Researchers disclosed that eleven outdated Microsoft-signed UEFI shim bootloaders could be abused to bypass UEFI Secure Boot on systems trusting the Microsoft Corporation UEFI CA 2011 certificate. The disclosures said the issue could enable arbitrary code execution during early boot and facilitate persistent UEFI bootkits.
The Hacker News reports that ESET responsibly disclosed the Secure Boot bypass issue involving outdated Microsoft-signed UEFI shim bootloaders to Microsoft in February 2026. The flaws were later tracked as CVE-2026-8863 and CVE-2026-10797.
Microsoft revoked the affected outdated shim bootloader hashes in its June 9, 2026 Patch Tuesday update via the DBX revocation list. The update addressed the Secure Boot bypass risk posed by eleven old Microsoft-signed shim bootloaders.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
7 references tracked. Mallory keeps watching after this page renders.
scworld.com
Open sourcearstechnica.com
Open sourcecybersecuritynews.com
Open sourcewelivesecurity.com
Open sourcehelpnetsecurity.com
Open sourcethehackernews.com
Open sourcegithub.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.