CVE-2026-8863: Microsoft UEFI SHIM Bootloader Secure Boot Bypass (CVSS 7.8)
CVE-2026-8863 is a Secure Boot bypass vulnerability affecting Microsoft-signed UEFI SHIM bootloaders. An attacker with administrative access or the ability to manipulate the boot process can exploit these flawed bootloaders to execute malicious code before the operating system starts, effectively bypassing Secure Boot protections. Remediation requires a specific UEFI DBX (Deny List) update to block the vulnerable bootloaders from loading.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- —
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Multiple Microsoft-sigend UEFI SHIM bootloaders are vulnerable to SecureBoot bypass. An attacker with administrative privileges or the ability to modify the boot process could use one of the vulnerable shim bootloaders to bypass Secure Boot protections and execute arbitrary code before the operating system loads. Specific UEFI DBX update is required to block these vulnerable boot loaders.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
This vulnerability resides in multiple Microsoft-signed SHIM bootloaders within the UEFI firmware stack. The flaw allows an entity with local administrative privileges or control over the pre-boot environment to bypass Secure Boot validation mechanisms. The SHIM bootloader, which acts as a trusted intermediary in the Secure Boot chain, fails to properly validate critical boot components, permitting arbitrary code execution during the pre-OS initialization phase. Remediation involves deploying a UEFI DBX update that adds the vulnerable bootloader hashes to the firmware deny list, preventing them from executing.
Business impact
Successful exploitation could allow attackers to install rootkits, disable security software, or establish persistent malware before the OS loads—making post-OS defenses ineffective. Organizations relying on Secure Boot as a foundational trust anchor in their firmware security posture face direct compromise. Affected systems could silently execute unauthorized code with full system privileges, undermining endpoint detection and response (EDR) capabilities and enabling supply-chain attacks. Remediation requires firmware-level updates and coordination across infrastructure, potentially causing extended downtime.
Affected systems
Systems running Microsoft-signed UEFI SHIM bootloaders are affected. The vulnerability applies to x86-64 systems that rely on SHIM for Secure Boot enforcement. Specific product versions and affected hardware platforms require verification against the vendor advisory; organizations should audit their UEFI firmware versions and bootloader configurations to determine exposure.
Exploitability
Exploitation requires local administrative privileges or direct control over the boot process (such as physical access or hypervisor-level manipulation). While the attack vector is local and user interaction is not needed, the requirement for administrative access raises the barrier—however, in cloud and virtualized environments, this may be more accessible to insider threats or compromised container escapes. The vulnerability is not known to be actively exploited in the wild as of the publication date.
Remediation
Apply the specific UEFI DBX update provided by Microsoft to block the vulnerable SHIM bootloader hashes. This firmware-level patch must be deployed to systems' UEFI settings, typically through OEM firmware updates or standalone DBX firmware capsules. Verify compatibility with your hardware platform and test in a non-production environment before broad deployment. Organizations should also audit their boot configurations and enforce firmware integrity monitoring.
Patch guidance
Obtain the UEFI DBX update directly from Microsoft or your OEM's firmware release channels. The update will add the vulnerable bootloader signatures to the UEFI deny list. Before applying: (1) document current firmware versions, (2) test the update on a representative system subset, (3) plan deployment windows to minimize downtime, and (4) verify post-patch Secure Boot functionality. Check your OEM's website for the timing and availability of this update.
Detection guidance
Monitor UEFI firmware logs and Secure Boot policy violations. Organizations can inspect the current DBX state via firmware tools or OS-level utilities (e.g., efivarfs on Linux) to confirm the vulnerable bootloaders are not present. Implement firmware attestation solutions that validate bootloader integrity at each boot. EDR and kernel-level monitoring should flag any unsigned or anomalous code execution in pre-OS contexts, though post-OS detection of pre-OS exploitation is inherently limited.
Why prioritize this
Although exploitation requires administrative privileges or boot-level access, successful compromise completely circumvents Secure Boot protections, allowing rootkit-level persistence and evasion of OS-level security controls. The high CVSS score (7.8) reflects the severity of impact: full confidentiality, integrity, and availability compromise of the system. In cloud, virtualized, and high-security environments where firmware integrity is critical to the trust model, this warrants urgent patching. Non-cloud enterprise systems with strong physical security may deprioritize slightly, but all organizations should treat firmware vulnerabilities with higher urgency than OS-level flaws.
Risk score, explained
The CVSS 3.1 score of 7.8 (HIGH) reflects: local attack vector (AV:L), low attack complexity (AC:L), low privileges required (PR:L), no user interaction needed (UI:N), unchanged scope (S:U), and high impact across confidentiality, integrity, and availability (C:H/I:H/A:H). The score underscores that even low-privileged local actors can achieve complete system compromise via firmware manipulation. However, real-world risk depends on the prevalence of these specific SHIM versions in your environment and the likelihood of an attacker gaining the requisite local access.
Frequently asked questions
Do I need administrative privileges to exploit this?
Yes, the vulnerability requires either local administrative access or the ability to modify the boot process (e.g., physical access, hypervisor control, or exploitation of a pre-boot vulnerability). This raises the bar but does not eliminate risk, especially in cloud/virtualized and shared-access environments.
What is a UEFI DBX update, and how is it different from a regular OS patch?
The UEFI DBX (Deny List) is a firmware-level allowlist of blocked bootloaders and binaries. Unlike OS patches, a DBX update is deployed at the firmware level and persists across OS reinstalls. It prevents vulnerable or malicious bootloaders from executing before the OS loads. This requires firmware update tools or OEM mechanisms, not standard Windows/Linux patching.
Will Secure Boot still protect me if I do not apply this DBX update?
No. Secure Boot relies on a chain of trust starting with the SHIM bootloader. If the SHIM itself is vulnerable, it can be exploited to bypass all downstream OS-level protections. Applying the DBX update is essential to re-establish that trust.
Is this vulnerability actively being exploited?
No evidence of active exploitation has been reported as of the publication date (June 2026). However, the vulnerability is disclosed and the attack requirements (local access) are not exceptionally high in certain threat models, so organizations should prioritize patching without delay.
This analysis is based on publicly available vulnerability data as of June 2026. Specific affected product versions, patch availability dates, and platform compatibility must be verified against Microsoft's official security advisory and your OEM's firmware release notes. CVE-2026-8863 has not been added to the CISA KEV catalog. Organizations should conduct internal vulnerability assessments to confirm exposure and prioritize patching according to their risk model and environment sensitivity. This explainer is provided for informational purposes and does not constitute professional security advice; engage your security vendor or internal team for deployment guidance. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2016-20062HIGHSQL Injection in Simply Poll 1.4.1 WordPress Plugin - Unauthenticated Data Theft
- CVE-2016-20063HIGHSQL Injection in Single Personal Message 1.0.3 – Credential & Data Theft Risk
- CVE-2016-20065HIGHUnauthenticated SQL Injection in Product Catalog 8 WordPress Plugin
- CVE-2017-20243HIGHWordPress Car Park Booking Plugin SQL Injection Vulnerability
- CVE-2017-20244HIGHSQL Injection in Wow Forms WordPress Plugin v2.1 – Critical Unauth Database Extraction
- CVE-2017-20245HIGHWow Viral Signups Plugin SQL Injection Vulnerability – Analysis & Patches
- CVE-2017-20246HIGHKittyCatfish 2.2 SQL Injection Vulnerability – WordPress Plugin Security Alert
- CVE-2017-20247HIGHSQL Injection in PICA Photo Gallery 1.0