HIGH 7.9

CVE-2026-48573: Windows Secure Boot Bypass

A vulnerability in Windows Secure Boot allows someone with high-level local access to bypass a key security feature that prevents unauthorized code from running during system startup. The flaw affects multiple versions of Windows 10, Windows 11, and Windows Server. While an attacker needs elevated privileges to exploit it, successful exploitation could allow them to circumvent protections that are meant to ensure only trusted software loads at boot time.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.9 HIGH · CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
Weaknesses (CWE)
CWE-1329
Affected products
24 configuration(s)
Published / Modified
2026-06-09 / 2026-07-09

NVD description (verbatim)

No cwe for this issue in Windows Secure Boot allows an authorized attacker to bypass a security feature locally.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-48573 is a Secure Boot bypass vulnerability (CWE-1329: Improper Restriction of Rendered UI Layers or Frames) affecting the Windows boot security architecture. The vulnerability requires high privilege (PR:H) and local access (AV:L) but operates with low complexity (AC:L) and no user interaction. It enables an authorized attacker to subvert Secure Boot integrity controls, potentially establishing persistence or executing arbitrary code during the early boot phase when many traditional defenses are offline. The CVSS 3.1 vector reflects the broad scope impact (S:C) with high confidentiality and integrity consequences.

Business impact

Secure Boot bypass creates a pathway to persistent system compromise that ordinary runtime security tools cannot detect or prevent. An attacker who successfully exploits this can establish firmware-level persistence, survive OS reinstalls, and operate below the visibility of endpoint detection and response (EDR) solutions. For enterprises, this threatens regulatory compliance (especially in regulated industries requiring Measured Boot validation) and increases risk of advanced targeted attacks. Organizations running vulnerable versions face elevated risk of data exfiltration, lateral movement, and supply-chain compromise if Secure Boot is part of their trust model.

Affected systems

The vulnerability spans a wide installed base: Windows 10 builds 1607, 1809, 21H2, and 22H2; Windows 11 builds 23H2, 24H2, 25H2, and 26H1; and Windows Server editions 2012 through 2025. This broad coverage means most organizations with active Windows infrastructure likely have affected systems. Both client and server variants are impacted, indicating the flaw exists in shared Windows core components rather than OS-specific code paths.

Exploitability

Exploitation requires high privilege context (administrator or system-level access), which limits the attacker pool in well-hardened environments but does not eliminate risk. Once an attacker achieves elevated privileges through other means—phishing, supply-chain compromise, insider access, or exploitation of a separate vulnerability—they can leverage this flaw without user interaction. The low attack complexity means the exploit path is straightforward once the privilege threshold is met. The vulnerability is not currently listed on the CISA KEV catalog, suggesting in-the-wild exploitation has not been widely documented at the time of publication, but organizations should not rely on low visibility as a control.

Remediation

Patch deployment is the primary remediation. Contact Microsoft security updates directly or consult official Windows security advisories for patch availability against affected builds. Organizations unable to patch immediately should implement compensating controls: enforce UEFI firmware updates from device manufacturers, enable Enhanced Code Signing in Secure Boot where available, restrict local administrator account privileges, and use hardware security features such as TPM for attestation. Monitor firmware integrity through automated tools and establish firmware access logging if supported by hardware.

Patch guidance

Verify patch availability for your specific Windows version through Microsoft's official security update channels. Windows 10 and Windows 11 users should check Windows Update or the Microsoft Update Catalog for the corresponding monthly or out-of-band patch. Windows Server administrators should consult the Microsoft Security Update Guide and test patches in a non-production environment before broad deployment, given the boot-critical nature of Secure Boot changes. Firmware-level patches from hardware vendors may also be necessary; coordinate with your OEM. Document patch testing and deployment to meet compliance audit requirements.

Detection guidance

Detection of post-exploitation artifacts is more practical than preventing exploitation: monitor for unsigned kernel modules loaded during early boot, use Measured Boot logs to identify deviations from known-good boot configurations, and audit firmware modification events if your hardware platform supports firmware event logging. UEFI/firmware audit tools from vendors like Microsoft (Get-SecureBootUEFI) and third-party EDR providers can flag unexpected boot configuration changes. Organizations with vulnerability scanning tools should prioritize Secure Boot validation checks in their scanning policies. Threat hunting should focus on administrator activity targeting bootloader or firmware interfaces.

Why prioritize this

This vulnerability merits high priority because it directly undermines a foundational security boundary—the boot chain—that most organizations assume is protected. The high CVSS score (7.9) reflects broad scope and high impact. While exploitation requires elevated privileges, obtaining those privileges is a routine intermediate step in multi-stage attacks. The wide affected product base means patch management complexity is high. For regulated industries and organizations with strong administrator privilege controls, prioritize patching systems in high-risk roles (domain controllers, identity providers, privileged access workstations).

Risk score, explained

The CVSS 3.1 score of 7.9 (HIGH severity) is driven by: local attack vector (reduces likelihood but not impact), high privilege requirement (limits attacker pool but reflects organizational risk), changed scope (exploitable from one security context affecting protected resources), and high impact on both confidentiality and integrity. The absence of availability impact (A:N) reflects that the vulnerability is a bypass rather than a denial-of-service. The score appropriately reflects the asymmetry: not every organization can be exploited, but those compromised at this layer face severe consequences.

Frequently asked questions

Do I need to patch immediately if we have strong administrator privilege controls?

Strong controls reduce but do not eliminate risk. Insider threats, lateral movement from compromised high-privilege accounts, and multi-stage attacks chaining lower-privilege exploits can still reach the administrator level needed for this flaw. Patching remains essential; tight privilege controls are a complementary layer, not a substitute.

Will antivirus or EDR solutions detect exploitation of this vulnerability?

Traditional endpoint tools struggle to detect Secure Boot-level exploitation because it occurs before the OS fully loads and before most security agents are active. EDR solutions with firmware monitoring or Measured Boot integration offer better visibility, but detection is not guaranteed. Prevention through patching is more reliable than detection.

Does this vulnerability require physical access or local user access to trigger?

The vulnerability is rated as local access (AV:L), meaning the attacker must have code execution on the target system, typically requiring a local user account or administrator context. Physical access to the UEFI settings is not necessary, but the attacker must already have a foothold on the device.

Why is this not on the CISA KEV catalog yet?

KEV inclusion is based on evidence of active exploitation in the wild. The lack of KEV status does not mean the vulnerability is low-risk; it reflects that widespread exploitation has not been reported or confirmed. Organizations should not delay patching based on KEV absence, especially given the high CVSS and sensitivity of the affected component.

This analysis is provided for informational purposes and reflects publicly available vulnerability data as of the publication date. Patch versions, availability timelines, and vendor guidance are subject to change; verify current patch status directly with Microsoft security advisories before making deployment decisions. This vulnerability has not been confirmed as actively exploited at scale as of publication. Organizations should conduct their own risk assessment based on their specific infrastructure, privilege models, and compliance requirements. SEC.co assumes no liability for decisions made based on this analysis. Source: NVD (public-domain), retrieved 2026-07-18. Analysis generated by SEC.co (claude-haiku-4-5).