<>
Security researchers at ESET have identified a collection of vulnerable UEFI "shims"—small bootloaders used to facilitate Secure Boot—that remain exploitable despite Microsoft’s recent attempts to revoke the associated certificates. These defective components allow attackers to bypass Secure Boot protections, potentially compromising both Windows and Linux systems by authorizing secondary, vulnerable software during the boot process.
The Scope of the UEFI Shim Vulnerability
The security issue centers on the use of signed shims that are inherently flawed. According to ESET, these shims authorize secondary components known to be vulnerable to various exploits, such as CVE-2015-5381, which can be triggered with low technical skill. While Microsoft took steps to invalidate the certificates used to sign these shims late last month, ESET reports that this revocation is insufficient to block the specific vulnerable versions currently in circulation.

Beyond authorizing malicious code, these shims fail to implement modern security standards. Many of the identified files lack support for MOK (Machine Owner Key) deny-list enforcement and SBAT (Secure Boot Advanced Targeting) enforcement—critical security layers introduced to mitigate boot-level threats. In some instances, the shims themselves contain internal vulnerabilities that can be exploited to bypass system security.
Impact on Windows and Linux Systems
The threat posed by these shims extends across the PC ecosystem, though the level of risk varies by operating system and hardware configuration.

- Windows: Systems that have installed Microsoft’s June update batch are no longer vulnerable. Windows 11 Secured-core PCs are also largely protected against these types of unauthorized boot-time modifications by default.
- Linux: Users are encouraged to verify their security status through the Linux Vendor Firmware Service or by consulting their specific distribution provider. Administrators can assess their exposure by using the
uefi-dbx-auditscript to check the current revocation status of their UEFI databases.
Challenges in the Secure Boot Model
The discovery of these vulnerable shims has prompted criticism regarding the complexity and centralized nature of the Secure Boot ecosystem. HD Moore, founder of the security firm runZero, described the situation as a "rebuke of the entire secure boot model."
Moore notes that the current architecture forces Microsoft to act as the de facto root of trust for the entire UEFI platform, a responsibility that has proven difficult to scale. Because the system relies on an extensive catalog of signed components—many of which remain valid long after their security efficacy has lapsed—the ecosystem is prone to "unknown" signed binaries that can be used to boot unauthorized software.
Key Takeaways for System Security
- Persistent Risk: Certificate expiration alone does not always effectively revoke vulnerable shims, leaving systems open to "hack-by-numbers" exploitation.
- Update Necessity: Applying the latest vendor-supplied firmware and OS-level security patches is the primary defense against boot-level threats.
- Tooling: Users and administrators should utilize tools like
uefi-dbx-auditto confirm that their UEFI revocation lists (dbx) are up to date. - Architectural Concerns: Security experts suggest that the reliance on complex, long-lived signatures for bootloaders creates significant maintenance challenges that the current Secure Boot framework struggles to address.
>
Related reading