Old, Forgotten Boot Programs Left a Back Door Open Below Your Operating System
Security researchers found 11 outdated Linux boot components that Microsoft had quietly kept trusting for years. Any attacker with a copy could have slipped past a core security feature before Windows or Linux even started loading.

Key points
- ESET researchers found 11 UEFI shim bootloaders, all version 0.9 or older, that remained trusted by Microsoft's signing system despite being dangerously out of date.
- Microsoft revoked the 11 components on 9 June 2025 after ESET reported its findings, but only systems that have applied that patch are now protected.
- An attacker needed no new hacking trick to exploit these: one copy of an old boot file and basic knowledge of how the startup process works was enough.
- The flaw sits below the operating system, meaning standard security software running inside Windows or Linux would not have seen an attack at all.
- Older shims signed before 2017 may have incomplete records, making it hard to confirm every vulnerable component has been identified and blocked.
When you turn on a computer, a chain of small programs runs in a strict order before your operating system, whether Windows or Linux, ever appears on screen. Each step is supposed to check that the next one is safe and approved. ESET, a cybersecurity company, has found that 11 links in that chain were quietly rotten.
The components in question are called UEFI shim bootloaders. A shim, in this context, is a tiny program that sits between the computer's motherboard firmware (the low-level software baked into the hardware) and the Linux operating system. Its job is to act as a trusted gatekeeper during startup. Because Microsoft signs, or digitally approves, these shims, any computer configured to trust Microsoft's startup certificates will accept them.
The problem: these 11 shims were version 0.9 or earlier, many generations behind current software. Some were configured to launch older, flawed versions of a second-stage loader called GRUB2. Others simply lacked protections that newer versions include. All of them remained trusted.
Could someone actually use this to attack a real machine?
Yes, and without needing any sophisticated hacking technique. ESET researcher Martin Smolár put it plainly: an attacker needed only a copy of one of these old, approved boot files and a basic understanding of how the startup sequence works. No novel flaw. No complex code. Just an old file that should have been retired.
Because an attack would happen before the operating system loads, security software running inside the computer, the kind that watches for viruses or unusual behaviour, would be looking at the wrong layer entirely. The attack would already be done.
This matters most for nation-state hackers, the kind backed by governments, who often want to sit quietly inside a system for months, collecting information, rather than cause immediate visible damage. A foothold this deep is almost invisible.
Microsoft's revocations on 9 June are the correct response. But revocation only protects machines that have received and applied that update. In large organisations, hospitals, factories, and government agencies, updating firmware, the deep software inside hardware, takes far longer than installing a normal app update. Expect many systems to remain exposed for months.
What affected organisations should do
Apply Microsoft's June 2025 Secure Boot revocation update as a priority. Check whether any machines use the "Microsoft Corporation UEFI CA 2011" signing certificate and audit which boot components those machines trust. On Windows 11 Secured-core PCs, the third-party UEFI signing option should already be off by default: confirm that is the case. Organisations running Linux on enterprise hardware should verify their shim versions are current and check with their Linux distribution vendor for guidance.



