Old signed bootloaders let attackers bypass Secure Boot on most PCs

Researchers at ESET have uncovered 11 old, Microsoft-signed bootloaders that let an attacker switch off one of a PC's most important defenses, UEFI Secure Boot, on almost any computer, then load stealthy malware that starts before the operating system does. Because the flawed files are already trusted, an attacker can simply carry a copy onto a target machine rather than needing the vulnerable software to be installed there.

Why this matters

Secure Boot is meant to guarantee that only trusted code runs when a computer powers on. These outdated "shim" bootloaders, all at version 0.9 or below, break that guarantee on any UEFI system that trusts Microsoft's third-party signing certificate, which covers the vast majority of PCs. Abusing them lets an attacker run unsigned code during boot and deploy a bootkit, a class of malware such as Bootkitty, HybridPetya, and BlackLotus that hides beneath the operating system and survives a reinstall. The issue is tracked as CVE-2026-8863 and CVE-2026-10797.

How the attack works

A shim is a small, Microsoft-signed program that extends Secure Boot's chain of trust to other bootloaders, typically GRUB 2 on Linux systems. The forgotten shims ESET found, drawn from PC-diagnostic tools, Linux distributions, and other utilities, can be chained with outdated second-stage bootloaders that carry their own known bugs, giving an attacker a path to run untrusted code at boot on a machine that would otherwise reject it. Exploitation generally requires the attacker to already have administrative or physical access, but the payoff is persistence that ordinary security tools cannot see.

What you should do

Microsoft revoked the vulnerable bootloaders by adding their signatures to the Secure Boot denylist (dbx) in its June 9, 2026 Patch Tuesday update, so installing the latest updates is the fix. Windows 11 Secured-core PCs ship with third-party UEFI signing turned off by default and are not exposed. Applying dbx updates promptly closes the door before an attacker can bring their own vulnerable shim, much as with other recent Microsoft security fixes.

Indicators of compromise (defanged)

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.

Read the full analysis on IntelFusions