Categories: Cyber Security News

Microsoft Warns Secure Boot May Be Bypassed as Windows UEFI Certificates Expire

Microsoft has addressed a critical security feature bypass vulnerability in Windows Secure Boot certificates, tracked as CVE-2026-21265, through its January 2026 Patch Tuesday updates.

The flaw stems from expiring 2011-era certificates that underpin Secure Boot’s trust chain, potentially allowing attackers to disrupt boot integrity if unpatched.

Rated Important with a CVSS v3.1 base score of 6.4, the issue requires local access, high privileges, and high attack complexity, making exploitation less likely.msrc.microsoft+4

CVE-2026-21265 arises because Microsoft certificates stored in UEFI KEK and DB are nearing expiration dates in mid-2026, risking Secure Boot failure without updates.

Firmware defects in the OS’s certificate update mechanism can disrupt the trust chain, compromising Windows Boot Manager and third-party loaders. Publicly disclosed but not yet exploited in the wild, Microsoft urges immediate deployment of 2023 replacement certificates.

Three key 2011 certificates must be renewed to sustain Secure Boot:

Certificate Authority	Location	Purpose	Expiration Date
Microsoft Corporation KEK CA 2011	KEK	Signs updates to DB and DBX	06/24/2026
Microsoft Corporation UEFI CA 2011	DB	Signs 3rd party boot loaders, Option ROMs	06/27/2026
Microsoft Windows Production PCA 2011	DB	Signs the Windows Boot Manager	10/19/2026

Failure to update exposes devices to boot-time attacks, as noted in Microsoft’s November 2025 advisory.

Affected Systems and Patches

Patches target legacy Windows Server and extended-support editions, all marked as customer action required.

Product	KB Article	Build Number	Update Type
Windows Server 2012 R2 (Core)	5073696	6.3.9600.22968	Monthly Rollup
Windows Server 2012 R2	5073696	6.3.9600.22968	Monthly Rollup
Windows Server 2012 (Core)	5073698	6.2.9200.25868	Monthly Rollup
Windows Server 2012	5073698	6.2.9200.25868	Monthly Rollup
Windows Server 2016 (Core)	5073722	10.0.14393.8783	Security Update
Windows Server 2016	5073722	10.0.14393.8783	Security Update
Windows 10 Version 1607 x64	5073722	10.0.14393.8783	Security Update
Windows 10 Version 1607 x86	5073722	10.0.14393.8783	Security Update

Organizations with IT-managed or Microsoft-managed updates should prioritize deployment. Verify firmware compatibility to avoid post-patch boot issues.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Microsoft Warns Secure Boot May Be Bypassed as Windows UEFI Certificates Expire appeared first on Cyber Security News.

CISA Releases Guidance for Managing UEFI Secure Boot on Enterprise Devices

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), in coordination with the National Security Agency (NSA), has issued new guidance urging enterprises to verify and manage UEFI Secure Boot configurations to counter bootkit threats. Released in December 2025 as a Cybersecurity Information Sheet (CSI), the document addresses vulnerabilities like PKFail,…

December 15, 2025

In "Cyber Security News"

CISA Publishes New Guidance for Managing UEFI Secure Boot in Enterprises

The National Security Agency has released comprehensive guidance for managing UEFI Secure Boot configurations on enterprise devices, addressing critical vulnerabilities that have exposed organizations to bootkit threats and persistent firmware attacks. The document, issued in December 2025, provides detailed instructions for system administrators to validate and recover from Secure Boot…

December 12, 2025

In "Cyber Security News"

Microsoft Releases Critical WinRE & Setup Updates Before 2026 Secure Boot Certificate Expiry

Microsoft has rolled out a critical Setup Dynamic Update designated KB5081494 for Windows 11 versions 24H2 and 25H2, released on March 26, 2026. The patch introduces essential improvements to Windows setup binaries and supplementary files used during feature updates, positioning it as a key preparatory measure before a major cryptographic deadline strikes…

March 30, 2026

In "Cyber Security News"

rssfeeds-admin