Microsoft Patches Critical Secure Boot Flaw After 10 Years of Exposure
The vulnerability allowed attackers to bypass secure boot using old, unrevoked bootloaders
July 17, 2026 · 4 min read
TL;DR: Microsoft patched a Secure Boot vulnerability that had been active for 10 years. Eleven old bootloaders had not been revoked, allowing attackers to bypass secure boot. The update closes the gap.
What Happened?
Microsoft has released a critical security patch that fixes a vulnerability in Windows Secure Boot that had gone unnoticed for over ten years. The flaw was discovered by ESET researchers, who found that eleven old 'shim' bootloaders were still considered trusted by the Secure Boot database, despite carrying known vulnerabilities for years. These bootloaders act as a bridge between the UEFI firmware and the main bootloader, and since they had not been revoked, an attacker could use a copy of one of them to execute malicious code before the operating system loaded, thus bypassing Secure Boot protections. According to the ESET report published on WeLiveSecurity, the affected bootloaders include old versions of GRUB2 and other open-source bootloaders, some dating back to 2012. The vulnerability, identified as CVE-2023-40547 (though the specific CVE may vary), was reported to Microsoft in 2023, but the patch was not released until January 9, 2024, drawing criticism over the response time.
Why Is It Important?
Secure Boot is a fundamental security mechanism in modern Windows systems, designed to ensure that only trusted software runs during startup. Its compromise exposes users to bootkits and rootkits that can operate invisibly, as they execute before the operating system and traditional security tools activate. The vulnerability allowed attackers with physical access or the ability to run kernel-mode code to install persistent malware at the firmware level. Although there is no evidence of active exploitation, the risk was significant, especially in enterprise environments where boot integrity is critical. According to ESET data, the affected shim bootloaders had certificates dating back to 2012, meaning that for over a decade, any attacker with access to these binaries could have bypassed Secure Boot. This incident echoes similar past vulnerabilities, such as the BootHole flaw in GRUB2 (CVE-2020-10713) that affected Linux and Windows systems, which also required a massive update of revocation lists. The difference here is that the bootloaders were not revoked in a timely manner, highlighting a weakness in the Secure Boot trust management process.
Consequences and Lessons
This incident underscores the importance of keeping Secure Boot revocation lists up to date. Microsoft has updated the revocation database via Windows Update, and users are advised to install the patch immediately. The ten-year delay in discovering the flaw highlights the complexity of managing trust in the UEFI ecosystem, where certificates for old bootloaders can remain valid indefinitely. System administrators should review their update policies and ensure devices are configured to receive Secure Boot revocation updates. Additionally, this case raises questions about the responsibility of hardware and software manufacturers in periodically reviewing certificates included in Secure Boot databases. According to security experts, the current revocation process is slow and bureaucratic, allowing known vulnerabilities to remain unpatched for years. For enterprise users, the risk is higher due to the potential presence of bootkits that can persist even after reinstalling the operating system. The key lesson is that boot security is not static: it requires continuous maintenance and closer collaboration between software vendors and security researchers.
What Should Readers Know?
- The vulnerability affects all Windows versions that support Secure Boot, including Windows 10 and 11, as well as Windows Server 2016 and later versions.
- The patch is distributed as part of Microsoft's monthly security updates (January 2024); ensure you have the latest updates installed.
- There are no signs of active exploitation, but the fix is critical to prevent future attacks.
- The affected bootloaders include old versions of GRUB2 (pre-2020) and other open-source bootloaders such as Red Hat's shim.
- ESET published a detailed analysis of the research on its WeLiveSecurity blog, listing the eleven specific bootloaders.
- Microsoft has updated the Secure Boot revocation list (DBX) to block these bootloaders; users should ensure their systems have Secure Boot updates enabled.
"Secure boot is one of the first lines of defense against persistent malware. This patch closes a gap that could have been exploited to install undetectable bootkits." — TheVortiq
This incident also serves as a reminder that even the most robust security measures can fail if not properly maintained. Certificate and revocation list management must be a priority for all actors in the trust ecosystem. For home users, simply installing Windows updates is sufficient; for businesses, it is recommended to audit systems to ensure Secure Boot updates are applied correctly, especially on devices that may have been disconnected from the network for extended periods. Ultimately, the Secure Boot vulnerability highlights the need for a proactive approach to firmware security, where periodic reviews and collaboration between manufacturers and the security community become the norm, not the exception.