Security researchers at Eset have uncovered eleven outdated UEFI shims that have allowed attackers to bypass Secure Boot for more than ten years. Exploiting them makes it possible to load bootkit malware onto affected systems undetected.
What are shims and why does this matter?
Shims are small bootloaders that Microsoft signed years ago with its third-party UEFI certificate "Microsoft Corporation UEFI CA 2011," marking them as trusted. The affected shims were distributed through various tools and Linux distributions, including PC diagnostics software and distros such as CentOS and openSUSE. The oldest signature identified by the researchers dates back to 2013.
Despite known vulnerabilities, Microsoft did not revoke these shims for a long time. That left a window for attackers with local system access to copy a vulnerable binary onto any target with that UEFI certificate present, effectively disabling Secure Boot.
The bootkit threat
A successful attack can result in a bootkit infection. Bootkits load before the operating system, can disable OS-level security mechanisms, and typically evade antivirus detection. A well-known example is Blacklotus, a UEFI bootkit that has been publicly available on GitHub for years.
Remediation
Eset reported its findings to CERT/CC on February 16, 2026. The fix is a DBX update that adds the affected shim hashes to a blocklist. Windows systems received this update with the June 9 patches. Linux users should install the latest bootloader updates from their distribution, which include the necessary SBAT protections.