Eleven Old Microsoft-Signed Boot Files Could Let Hackers Slip Past Secure Boot
Researchers say the signed UEFI applications, still trusted by most PCs, can be used to load malicious code before Windows even starts.

Key points
- Researchers found 11 old Microsoft-signed UEFI applications that can be abused to bypass Secure Boot on most modern PCs.
- UEFI is the low-level software that starts your computer before Windows loads, and Secure Boot is meant to block untrusted code at that stage.
- Attackers who exploit these files can install bootkits, a type of malware that hides beneath the operating system and survives reinstalls.
- The files are legitimately signed by Microsoft, so machines accept them by default until the signatures are revoked.
- Fixing this requires Microsoft to add the affected files to a revocation list that PCs check at boot.
Security researchers have flagged 11 old boot files, digitally signed by Microsoft, that can be twisted into a way past Secure Boot on almost any modern computer.
Secure Boot is the check your PC runs the moment you press the power button. It looks at the software about to load and refuses anything that isn't signed by a trusted party. Microsoft is one of those trusted parties.
That is the problem here.
The 11 files in question are real Microsoft-signed programs, known as UEFI applications. UEFI, short for Unified Extensible Firmware Interface, is the modern replacement for the old BIOS: it is the first code that runs when a computer turns on. Because these 11 files carry a valid Microsoft signature, Secure Boot lets them through without complaint.
Once loaded, according to reporting from The Hacker News, the files can be tricked into running untrusted code during startup. In plain terms, a hacker who already has a foothold on a machine can drop one of these signed files onto it, point the boot process at it, and use it as a launch pad for their own malware.
What could an attacker actually do with this?
They could install a bootkit, malware that hides underneath Windows itself and loads before any antivirus wakes up. Bootkits are prized by criminals and spies because they are extremely hard to detect and often survive a full reinstall of the operating system. Wiping the drive does not remove them.
The attacker needs some level of access to the machine first. This is not a flaw that lets someone break in from the internet with a single click. It is a flaw that lets an intruder who already has a foothold dig in deep and stay there.
That matters for businesses, government agencies and anyone running high-value systems. Once a bootkit is planted, the machine cannot really be trusted again.
How does this get fixed?
The repair path runs through Microsoft. When a signed file turns out to be dangerous, Microsoft adds its fingerprint to a revocation list called the DBX, which every Secure Boot PC checks on startup. Once the DBX is updated, the vulnerable files stop loading.
Those updates arrive through normal Windows Update channels. Linux users get them through their distribution's firmware update tool, most commonly fwupd.
Historically, Microsoft has been cautious about pushing DBX updates broadly. Revoke the wrong file and you can leave machines unable to boot at all. Recovery tools, installer USBs and older Linux boot loaders have all been caught in past sweeps. Expect a staged rollout.
What should ordinary users do?
Install updates. That is the honest answer.
Keep Windows Update on and let firmware updates through when your PC maker offers them. On Linux, run your system's firmware updater. If you manage machines at work, watch for Microsoft's next DBX advisory and test it before pushing it fleet-wide, because a bad revocation can brick laptops.
There is no sign yet that these specific files have been used in real attacks. But signed bypasses like this tend to end up in criminal toolkits eventually. The BlackLotus bootkit, disclosed in 2023, followed exactly that pattern.
The fix is boring. It is also the only one that works.



