CVE-2026-45654: Windows Secure Boot Access Control Bypass – CVSS 7.9 HIGH
Windows Secure Boot, a critical firmware-level security mechanism, contains an access control flaw that allows a high-privileged local attacker to circumvent its protections. Secure Boot is designed to ensure that only trusted code runs during system startup; this vulnerability permits an authorized user with administrative or equivalent rights to bypass those protections, potentially allowing unsigned or malicious code to execute at boot time. The issue affects recent Windows 11 versions and Windows Server 2025.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.9 HIGH · CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
- Weaknesses (CWE)
- CWE-284
- Affected products
- 7 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-07-09
NVD description (verbatim)
Improper access control in Windows Secure Boot allows an authorized attacker to bypass a security feature locally.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-45654 stems from improper access control in the Windows Secure Boot implementation (CWE-284). The vulnerability requires local access and high-level privileges (PR:H) to exploit, but once leveraged, it enables an attacker to disable or circumvent Secure Boot's verification mechanisms. This allows execution of code that would normally be blocked by the boot integrity checks. The attack surface is local-only (AV:L) with no user interaction required, and the impact extends beyond the compromised user context (scope change), affecting system-level integrity and confidentiality.
Business impact
Exploitation could lead to persistent system compromise at the firmware level. An attacker could install boot-level rootkits, disable endpoint detection and response (EDR) solutions that rely on Secure Boot attestation, or establish a foothold resistant to operating system reinstallation. For enterprises, this is particularly concerning in zero-trust architectures that depend on Secure Boot and measured boot integrity for device compliance verification. Affected systems lose a foundational trust anchor.
Affected systems
Windows 11 versions 24H2, 25H2, and 26H1 are vulnerable, along with Windows Server 2025. Organizations running these releases in administrative environments—particularly those managing critical infrastructure, development systems, or high-privilege user workstations—should prioritize inventory and patching. Older Windows 10 versions do not appear on the affected list; verify your deployed versions against the official Microsoft advisory.
Exploitability
The vulnerability requires high privileges (administrator or equivalent) to trigger, which limits the immediate attack surface to insider threats, compromised administrative accounts, or multi-stage attacks where lower-privilege code is already present. However, the high-privilege requirement should not be underestimated in environments where service accounts, developers, or contractors hold local admin rights. Once exploited, the impact is severe: Secure Boot is permanently or persistently bypassed until firmware is reset or patched.
Remediation
Apply security updates from Microsoft as they become available. Verify patch applicability through your Microsoft Software Update Guide or advisory pages; do not rely solely on CVE identifiers for version certainty. In parallel, enforce administrative access controls: restrict local administrator group membership, require multi-factor authentication for privileged accounts, and use credential guard or other hardware-backed protections on applicable systems. Monitor for attempts to disable or modify Secure Boot settings in audit logs.
Patch guidance
Monitor Microsoft's Security Update Guide and MSRC advisories for patches addressing CVE-2026-45654. When available, patches will likely be distributed through Windows Update for consumer editions and WSUS for server deployments. Test patches in a staging environment first, particularly on systems where Secure Boot attestation is critical to compliance workflows. Confirm that your firmware and UEFI implementation are also up-to-date; some Secure Boot protections depend on firmware-level code. Coordinate with hardware vendors if UEFI/firmware updates are needed.
Detection guidance
Monitor Windows event logs for Secure Boot configuration changes (Event ID 4944 and related admin events). Look for attempts to disable Secure Boot through PowerShell, Windows Management Instrumentation (WMI), or UEFI variable modifications. Endpoint detection and response solutions should track suspicious modifications to boot configuration data (BCD) or attempts to load unsigned drivers. Additionally, monitor firmware access logs if your hardware platform supports them. In zero-trust environments, flag any deviations from expected Secure Boot state during device trust attestation.
Why prioritize this
This vulnerability rates HIGH severity (CVSS 7.9) and directly undermines a foundational security feature. Although it requires high privileges, the scope of impact is system-wide and affects boot integrity—a control that many organizations depend on for compliance and threat detection. Prioritize patching on systems where Secure Boot attestation is essential to your security posture, insider threat is a concern, or privileged users access sensitive data.
Risk score, explained
The CVSS 3.1 score of 7.9 reflects the combination of local-only attack vector, high-privilege requirement, but widespread confidentiality and integrity impact across system scope. The score correctly captures that the vulnerability is serious but not immediately exploitable by remote or unprivileged attackers. Organizations in highly regulated or zero-trust environments should treat this as critical despite the privilege requirement, since boot-level compromise is difficult to detect and remediate.
Frequently asked questions
Can a user without administrator rights exploit this vulnerability?
No. The vulnerability requires high-level privileges (administrator or equivalent) to trigger. However, if an attacker gains admin rights through credential theft, malware infection, or other means, they can then exploit this flaw to establish a persistent, harder-to-remove foothold.
Does this vulnerability allow remote code execution?
No, the attack vector is strictly local. An attacker must have access to the system and elevated privileges. It does not enable remote exploitation over the network.
If I apply a patch, will my Secure Boot settings be restored?
Patching will fix the vulnerability, but it does not automatically reset Secure Boot if an attacker has already modified it. After patching, verify that Secure Boot is still enabled in your firmware settings and that no unsigned boot drivers have been loaded.
How does this compare to other Secure Boot vulnerabilities?
Secure Boot flaws are inherently serious because they target trust at startup. This vulnerability is localized to improper access control, making it more limited in scope than some firmware exploits that allow arbitrary code execution from the start. The privilege requirement is a mitigating factor, but the impact—once exploited—is severe and persistent.
This analysis is based on publicly disclosed vulnerability data current as of July 2026. Patch availability, version numbers, and exploitation timelines are subject to change. Always verify affected product versions and patch applicability through official Microsoft advisories before remediation. SEC.co makes no warranty regarding the completeness or accuracy of this intelligence relative to your environment. This page is for informational purposes and does not constitute professional security advice. Consult your security team and vendor advisories for organizational risk assessment and deployment decisions. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-11179HIGHChrome ORB Site Isolation Bypass (CVSS 8.8)
- CVE-2026-41092HIGHMicrosoft Kinect Local Privilege Escalation Vulnerability
- CVE-2026-42829HIGHWindows 11 Administrator Protection Bypass (CVSS 7.8 HIGH)
- CVE-2026-45649HIGHOffice for Android Access Control Flaw Enables Document Spoofing
- CVE-2026-45658HIGHWindows BitLocker Access Control Bypass Vulnerability
- CVE-2026-11017MEDIUMChrome Link Preview Navigation Bypass (CVSS 6.5)
- CVE-2026-11026MEDIUMChrome Extension Navigation Bypass Vulnerability
- CVE-2026-11078MEDIUMChrome FileSystem Same-Origin Policy Bypass – MEDIUM Severity