HIGH 7.9

CVE-2026-48575: Windows Secure Boot Protection Mechanism Failure – HIGH Severity

Windows Secure Boot, a critical firmware security feature designed to prevent unauthorized code execution during system startup, contains a protection mechanism failure that an authorized attacker can exploit locally. An attacker with administrative privileges can bypass Secure Boot controls, potentially allowing them to load unauthorized code at the lowest system level. The vulnerability affects multiple versions of Windows 10 and Windows 11, as well as Windows Server editions spanning 2012 through 2025.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.9 HIGH · CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
Weaknesses (CWE)
CWE-693
Affected products
24 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Protection mechanism failure in Windows Secure Boot allows an authorized attacker to bypass a security feature locally.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-48575 is a protection mechanism failure (CWE-693) in the Windows Secure Boot implementation. The vulnerability allows an authenticated local attacker with high privileges to circumvent Secure Boot's integrity verification mechanisms, enabling the execution of untrusted firmware or bootloader code. The CVSS 3.1 score of 7.9 (HIGH) reflects the local attack vector, high privilege requirement, but significant scope and confidentiality/integrity impact. The attack requires no user interaction and can affect system confidentiality and integrity across the entire system boundary.

Business impact

Successful exploitation enables attackers with administrative access to establish persistent, low-level code execution that can survive operating system reinstallation and remain undetected by conventional endpoint security tools. This represents a stepping stone toward advanced persistence, firmware rootkits, or supply-chain attacks. Organizations operating secure-boot-dependent environments—such as those in healthcare, finance, or critical infrastructure—face elevated risk of sophisticated compromise and forensic evasion.

Affected systems

The vulnerability impacts a broad range of Windows platforms: Windows 10 versions 1607, 1809, 21H2, and 22H2; Windows 11 versions 23H2, 24H2, 25H2, and 26H1; and Windows Server editions 2012, 2016, 2019, 2022, and 2025. Given the breadth of affected versions spanning multiple OS families and extended support timelines, patch deployment will require significant coordination across diverse environments.

Exploitability

Exploitation requires local system access and administrative privileges, significantly limiting the attacker pool to insiders, malware with escalated rights, or adversaries who have already compromised local authentication. The attack vector and privilege requirement place this in the 'difficult but not impossible' category for motivated threat actors. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, suggesting no active exploitation in the wild at publication, though the firmware-level nature of the flaw makes it attractive for advanced persistent threat (APT) operations.

Remediation

Microsoft has issued security updates addressing this vulnerability. Organizations should consult Microsoft's official security bulletin for the specific patch versions applicable to their Windows 10, Windows 11, and Windows Server editions. Patches should be prioritized based on asset criticality and exposure. Given the administrative privilege requirement, compensating controls such as firmware attestation, privileged access management (PAM), and behavioral monitoring for suspicious firmware manipulation can reduce risk while patches are staged.

Patch guidance

Apply the latest security updates from Microsoft for your specific Windows edition and version. Windows 10 users should update to the latest cumulative update for their respective version (1607, 1809, 21H2, or 22H2). Windows 11 users should update to the latest available patch for their version (23H2, 24H2, 25H2, or 26H1). Windows Server administrators should apply the June 2026 security updates and later for Server 2012, 2016, 2019, 2022, and 2025. Verify patch status through Windows Update or WSUS, and test patches in non-production environments before broad deployment given the firmware-level nature of the fix.

Detection guidance

Monitor for suspicious Secure Boot configuration changes, failed Secure Boot validation events in the Windows Event Log (System channel, Event ID 64), and unauthorized UEFI/firmware access attempts. Endpoint Detection and Response (EDR) tools should flag attempts to disable Secure Boot or modify firmware settings by non-authorized processes. Firmware attestation solutions that verify boot integrity against known-good baselines can detect post-exploitation persistence. Organizations should also audit administrative command execution and use of firmware management utilities on sensitive systems.

Why prioritize this

While the privilege requirement limits immediate exploitability, the firmware-level impact and breadth of affected products warrant expedited remediation. This vulnerability represents a high-value target for nation-state and financially motivated APTs seeking durable persistence mechanisms. Organizations should prioritize patching internet-facing servers, Domain Controllers, and systems handling sensitive data ahead of general client deployments. The presence of the vulnerability across Windows 10 extended support, Windows 11, and legacy Windows Server versions complicates patching logistics and extends the attack window if updates are delayed.

Risk score, explained

The CVSS 3.1 HIGH score (7.9) reflects the significant confidentiality and integrity impact balanced against the mandatory local, high-privilege attack precondition. The scope is changed, meaning the vulnerability can affect system components beyond the security feature itself (firmware execution context). However, the lack of availability impact and the steep privilege barrier prevent a CRITICAL rating. Organizations should treat this as higher priority than the numeric score alone suggests, given the firmware-level nature and difficulty of detecting exploitation post-compromise.

Frequently asked questions

Why does this vulnerability require administrative privileges if Secure Boot is supposed to protect the system?

Secure Boot is designed to prevent unauthorized code from executing during the initial boot sequence before the OS loads. This flaw allows an attacker who already has administrative control of the running operating system to bypass those protections retroactively—for example, to install a bootkit that persists across OS reinstalls. The privilege requirement reflects that you must first have OS-level access; the vulnerability then grants you firmware-level access, which is a significant escalation.

If I'm using Windows 10 version 1607, am I still at risk?

Yes. CVE-2026-48575 affects Windows 10 version 1607 and multiple other versions spanning 1607 through 22H2. Version 1607 is in extended support; you should apply the latest security updates available for that version. If 1607 is reaching end-of-support in your deployment timeline, consider this as additional motivation to upgrade to a supported version such as 22H2 or Windows 11.

Is there an exploit publicly available for this vulnerability?

No. As of the publication date, this vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog, indicating no confirmed active exploitation in the wild. However, the firmware-level nature makes it attractive for sophisticated threat actors, so you should not assume the lack of public exploits means low risk. Apply patches promptly and monitor for suspicious activity.

What's the difference between this and a BIOS update, and how should I deploy the fix?

This vulnerability is fixed through a Windows security update (operating system patch), not a BIOS/UEFI firmware update from your hardware vendor. Deploy it through Windows Update, WSUS, or Microsoft Update, the same as you would any monthly security patch. Firmware updates from your OEM may include additional Secure Boot improvements, but the remediation for CVE-2026-48575 comes through the OS patch. Test in a lab environment first to ensure compatibility with your systems and third-party security tools.

This analysis is provided for informational purposes and represents SEC.co's professional assessment based on available vulnerability data as of the publication date. Patch versions, affected build numbers, and remediation timelines should be verified against Microsoft's official security advisories and your organization's patch management processes. Exploitability and risk will vary based on system configuration, network exposure, and attacker capability. This document does not constitute legal or compliance advice. Organizations should consult their security and compliance teams to determine prioritization within their specific risk and regulatory context. Source: NVD (public-domain), retrieved 2026-07-18. Analysis generated by SEC.co (claude-haiku-4-5).