ESET discovery reveals Microsoft Secure Boot bypassed for 13 years via unrevoked shims
Researchers at ESET found that Microsoft failed to revoke 11 defective firmware shims for over a decade, exposing systems to persistent bootkits. Microsoft revoked the images in June 2026, but the lapse highlights significant flaws in the UEFI trust model.

Researchers at security firm ESET have identified a critical oversight in Microsoft’s Secure Boot mechanism, revealing that the protection was trivially bypassable for 13 of its 14 years. The discovery centres on 11 defective firmware images, known as shims, which were designed to extend Secure Boot compatibility to Linux devices and utility software but were never revoked despite known vulnerabilities.
The shims, with origins dating back to at least 2013, allowed attackers to circumvent Unified Extensible Firmware Interface (UEFI) protections. This enabled the installation of malicious firmware that persists through operating system reinstalls or hard drive replacements. ESET researcher Martin Smolár noted that the danger lay not in a novel exploit, but in the availability of old, still-trusted binaries that required only basic knowledge to utilise for bypassing UEFI security.
Microsoft finally revoked the 11 identified shims in its regular monthly patch release in June 2026, following notification from ESET and the Computer Emergency Response Team (CERT). The company has not yet explained how or why the revocation lapse occurred over such an extended period. The expiration of the Microsoft certificate that signed the shims, which occurred late last month, proved insufficient to revoke the specific images on its own.
The affected shims were utilised by various Linux distributors, including Red Hat, OpenSuse, and Oracle, as well as third-party software providers such as PC-Doctor Finland’s Matriculation Examination Board. Many of these images predated modern protections like Secure Boot Advanced Targeting (SBAT) and Machine Owner Key (MOK) deny lists. For instance, the Oracle shim signed a binary vulnerable to CVE-2015-5381, a flaw requiring low skill to exploit.
While the vulnerability affects both Windows and Linux systems, Windows 11 Secured-core PCs in their default configuration are likely unaffected. Windows users who applied Microsoft’s June update batch are no longer vulnerable. Linux users are advised to consult their distributor or use the uefi-dbx-audit script to check revocation statuses.
HD Moore, chief executive of runZero and a firmware security expert, described the situation as a significant rebuke of the entire Secure Boot model. He cited the complexity of the ecosystem and Microsoft’s role as the de facto root of trust, noting that the ability for components to boot even after top-level certificates expire undermines the security framework.


