Bypass Record

Pre-OS Boot × Microsoft Windows Secure Boot

A publicly reported instance of Pre-OS Boot bypassing Microsoft Windows Secure Boot, recorded with its original source. Factual record; no assessment of any specific deployment.

Product
Microsoft Windows Secure Boot
Technique
Pre-OS Boot
MITRE ATT&CK
T1542
Confidence
High
Severity
Critical
Status
poc
Disclosed
2024-04-09
Config / version noted
Not stated

Provenance

Reported as

A vulnerability in Windows Secure Boot allows attackers with administrative privileges to bypass Secure Boot protections

Mechanism

The vulnerability allows loading of revoked or malicious bootloaders due to flaws in Secure Boot's validation logic. An attacker with local admin rights can replace legitimate EFI boot files (e.g., bootmgfw.efi) with a malicious version, which the system fails to block, enabling pre-OS malware execution that evades endpoint security products.

Detection & mitigation

Monitor for unexpected changes to EFI system partition files (e.g., bootmgfw.efi) and validate bootloader integrity using TPM measurements or Secure Boot logs. Apply Microsoft's updated blocklists and patches to prevent loading of revoked bootloaders.
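The file-integrity part of this guidance, as an added PowerShell example that is not from the cited source: it records a baseline SHA-256 hash and Authenticode signer for bootmgfw.efi on the EFI system partition, then alerts when the hash, signer or signature status changes. It assumes an elevated session, that the ESP can be mounted at S:, and a baseline file at C:\ProgramData\BootBaseline\bootmgfw.json (all three are assumptions).

```powershell
# Added example (not from the cited source): baseline-and-compare check for the
# Windows boot manager on the EFI system partition. Run from an elevated prompt.
# Assumptions: the ESP is mounted at S:, and the first run happens on a
# known-good machine so the recorded baseline is trustworthy.
param(
    [string]$BaselinePath = "C:\ProgramData\BootBaseline\bootmgfw.json",  # assumed path
    [string]$EspLetter    = "S"                                           # assumed letter
)

$bootFile = "${EspLetter}:\EFI\Microsoft\Boot\bootmgfw.efi"

# If Secure Boot is not enforcing, a clean file check proves little on its own.
if (-not (Confirm-SecureBootUEFI)) {
    Write-Warning "Secure Boot is disabled on this host; boot files are not being validated."
}

# Expose the EFI system partition as a drive letter (skipped if already mounted).
if (-not (Test-Path "${EspLetter}:\")) { mountvol "${EspLetter}:" /S | Out-Null }

$sig = Get-AuthenticodeSignature -FilePath $bootFile
$current = [ordered]@{
    Sha256    = (Get-FileHash -Path $bootFile -Algorithm SHA256).Hash
    SigStatus = $sig.Status.ToString()
    Signer    = $sig.SignerCertificate.Subject
    LastWrite = (Get-Item $bootFile).LastWriteTimeUtc.ToString("o")
}

# First run: record the baseline and stop.
if (-not (Test-Path $BaselinePath)) {
    New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force | Out-Null
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Output "Baseline recorded: $BaselinePath"
    return
}

$baseline = Get-Content $BaselinePath | ConvertFrom-Json
$alerts = @()
if ($current.Sha256 -ne $baseline.Sha256) { $alerts += "bootmgfw.efi hash changed (was $($baseline.Sha256), now $($current.Sha256))" }
if ($current.SigStatus -ne "Valid")       { $alerts += "Authenticode signature status is $($current.SigStatus)" }
if ($current.Signer -ne $baseline.Signer) { $alerts += "Signer changed: $($current.Signer)" }

if ($alerts.Count -eq 0) {
    Write-Output "bootmgfw.efi matches baseline; signature $($current.SigStatus)."
} else {
    # A changed hash after a Windows update is expected; an unsigned or differently
    # signed binary is not. Re-baseline only after confirming the change is legitimate.
    $alerts | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Pair this with the blocklist step from the source: the script only detects a replaced or unsigned boot manager, it does not tell you whether the revoked-bootloader DBX updates have been applied.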

This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.