UEFI Secure Boot Bypass: 11 Microsoft-Signed Shims, Some Over a Decade Old, Trusted by Every UEFI Computer — No Exploit Needed, Bootkits Load Before EDR
ESET researcher Martin Smolár found 11 Microsoft-signed UEFI shim bootloaders at version 0.9 and below that bypass Secure Boot on virtually every UEFI system — Windows, Linux, regardless of OS. No new exploit needed. Just a file copy. Enables Bootkitty, BlackLotus, HybridPetya — malware that runs before the OS, before EDR, before AV, and survives OS reinstalls. Microsoft revoked all 11 via June Patch Tuesday. Apply the dbx update now. ESET cannot confirm how many additional unrevoked shims remain.
Read Full Brief →Threats & Attacks
Just a file copy. 11 Microsoft-signed shims — some over a decade old — trusted by virtually every UEFI computer. Enables BlackLotus, Bootkitty. Runs before OS, before EDR, before AV. Apply June dbx update now.
5,937 login failures = leaked heap memory. Session token stolen. MFA bypassed. SYSTEM in minutes. Same playbook across 6 victims. Stolen tokens survive patching — terminate all sessions now.
Autonomous LLM: initial access to encryption to ransom demand. No human at keyboard. Key displayed once, never stored. Ran on victim’s own stolen API keys.
Six-instruction race window. Root 99% of the time. Reaches Android from Chrome’s renderer sandbox. Third LPE in two weeks. No workaround — patch and reboot.
Normal prompt. MCP response. Sandbox binary overwritten. No click. Full machine. 50%+ Fortune 500. Update to Cursor 3.0 immediately.
Payload in DNS TXT record. “Claude Code never decided to open a shell. It decided to fix an error.” Affects Claude Code, Cursor, Gemini CLI.
Intelligence & Deep Dive
The DataWater Intelligence Brief
Weekly CISO-level threat analysis — breaking vulnerabilities, technical depth, zero noise.
