CISA Releases Guidance for Managing UEFI Secure Boot on Enterprise Devices


The U.S. Cybersecurity and Infrastructure Security Agency (CISA), in coordination with the National Security Agency (NSA), has issued new guidance urging enterprises to verify and manage UEFI Secure Boot configurations to counter bootkit threats.

Released in December 2025 as a Cybersecurity Information Sheet (CSI), the document addresses vulnerabilities like PKFail, BlackLotus, and BootHole that bypass boot-time protections. Enterprises neglecting these checks face heightened risks from persistent firmware malware.

UEFI Secure Boot, introduced in 2006, enforces boot policies using certificates and hashes in four variables: Platform Key (PK), Key Exchange Key (KEK), allowed database (DB), and revocation database (DBX).

It blocks unsigned boot binaries, mitigating supply chain risks during the transition from the expiring 2011 Microsoft certificates to the 2023 versions. While default settings on most devices block unknown malware, misconfigurations, often from test keys or disabled modes, expose systems.

Highlighted Vulnerabilities

PKFail involved devices shipped with untrusted test certificates, enabling Secure Boot bypasses. BlackLotus (CVE-2023-24932) exploited bootloader flaws to disable enforcement despite status indicators showing it was active.

BootHole flaws in GRUB allowed arbitrary execution via malformed configs, overwhelming DBX memory on older hardware. These incidents underscore the need for routine audits beyond TPM or BitLocker reliance.


Administrators should first confirm enforcement: Windows users run Confirm-SecureBootUEFI in PowerShell (True indicates active); Linux users run sudo mokutil --sb-state.

Export the variables with Get-SecureBootUEFI or efi-readvar, then analyze the certificates and hashes with NSA's GitHub tools. An expected setup has a system vendor PK and KEK, the Microsoft 2011/2023 CAs in DB, and revocation hashes in DBX, with no test keys or permissive modes.

| Component | Expected Configuration          | Improper Indicators        |
|-----------|---------------------------------|----------------------------|
| PK        | System vendor certificate       | Absent or test keys        |
| KEK       | Vendor + Microsoft 2011/2023    | Missing Microsoft KEKs     |
| DB        | Microsoft CAs + vendor          | Empty or misplaced certs   |
| DBX       | Revocation hashes               | Boot hashes or duplicates  |
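The export-and-inspect procedure in the two paragraphs above, together with the expected/improper indicators in the table, can be scripted. The following is an added example; it is not part of the CISA/NSA guidance nor one of the NSA GitHub tools it references. It assumes only the standard EFI_SIGNATURE_LIST layout used by PK, KEK, db and dbx (the raw bytes returned as `.Bytes` by Get-SecureBootUEFI on Windows, or written by efi-readvar's `-o` option on Linux). The certificate and hash blobs below are constructed placeholders so it runs offline, and the "DO NOT TRUST" substring check for PKFail-style test keys is a heuristic, not a full X.509 subject parse.

```python
"""Audit exported UEFI Secure Boot variables against the expected layout.

Added example, not from the CISA/NSA guidance or its tools. Parses the
EFI_SIGNATURE_LIST format shared by PK, KEK, db and dbx, then applies the
expected-configuration / improper-indicator rules from the table above.
"""
import struct
import uuid
from collections import Counter

# Signature-type GUIDs defined by the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
TYPE_NAMES = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}

# Substrings PKFail-style test certificates carry in their subject.
# Heuristic only (assumption): a full check decodes the X.509 subject.
TEST_KEY_MARKERS = (b"DO NOT TRUST", b"DO NOT SHIP")


def parse_signature_lists(blob):
    """Split a variable blob into (type, owner GUID, data bytes) entries."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 or off + list_size > len(blob) or sig_size < 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            data = blob[pos + 16:pos + sig_size]
            entries.append((TYPE_NAMES.get(sig_type, str(sig_type)), owner, data))
            pos += sig_size
        off = end
    return entries


def audit(variables):
    """Return findings for {'PK': bytes, 'KEK': bytes, 'db': bytes, 'dbx': bytes}."""
    findings = []
    parsed = {n: parse_signature_lists(variables.get(n, b""))
              for n in ("PK", "KEK", "db", "dbx")}

    # PK, KEK and db are expected to hold X.509 certificates, never test keys.
    for name in ("PK", "KEK", "db"):
        certs = [e for e in parsed[name] if e[0] == "x509"]
        if not certs:
            findings.append(f"{name}: no X.509 certificate present")
        for _, _, der in certs:
            if any(m in der for m in TEST_KEY_MARKERS):
                findings.append(f"{name}: test certificate detected")
    if len(parsed["PK"]) > 1:
        findings.append("PK: more than one entry")

    # dbx should carry revocation entries, and none of them twice.
    dbx = parsed["dbx"]
    if not dbx:
        findings.append("dbx: empty, no revocations applied")
    dup = [h for h, n in Counter(e[2] for e in dbx).items() if n > 1]
    if dup:
        findings.append(f"dbx: {len(dup)} duplicate entr{'y' if len(dup) == 1 else 'ies'}")
    return findings


def build_list(sig_type, items, owner=uuid.UUID(int=0)):
    """Serialise same-sized entries into one EFI_SIGNATURE_LIST (sample data only)."""
    sig_size = 16 + len(items[0])
    body = b"".join(owner.bytes_le + d for d in items)
    header = sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size)
    return header + body


# Constructed sample data: placeholder bytes stand in for DER certificates,
# plus three SHA-256 revocation hashes of which one is a duplicate.
VENDOR_CERT = b"\x30\x82\x01\x00" + b"CN=Example Vendor Secure Boot CA".ljust(60, b"\x00")
TEST_CERT = b"\x30\x82\x01\x00" + b"CN=DO NOT TRUST - Test PK".ljust(60, b"\x00")
HASHES = [bytes([i]) * 32 for i in (1, 2, 2)]

SAMPLE_GOOD = {
    "PK": build_list(EFI_CERT_X509_GUID, [VENDOR_CERT]),
    "KEK": build_list(EFI_CERT_X509_GUID, [VENDOR_CERT]),
    "db": build_list(EFI_CERT_X509_GUID, [VENDOR_CERT]),
    "dbx": build_list(EFI_CERT_SHA256_GUID, HASHES[:2]),
}
SAMPLE_BAD = {
    "PK": build_list(EFI_CERT_X509_GUID, [TEST_CERT]),  # PKFail-style test PK
    "KEK": b"",                                          # KEK absent
    "db": build_list(EFI_CERT_X509_GUID, [VENDOR_CERT]),
    "dbx": build_list(EFI_CERT_SHA256_GUID, HASHES),     # duplicate hash
}

if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(label, audit(sample) or ["no findings"])
```

On a real device, replace the sample dictionaries with the exported bytes of each variable; a clean machine yields no findings, while the constructed bad sample reports the test PK, the missing KEK and the duplicated dbx entry. Comparing the parsed db and KEK certificates against the known Microsoft 2011 and 2023 CA fingerprints is the natural next step and is what the NSA tooling the article points to is for.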

Restore by resetting to factory defaults in UEFI setup, or by applying firmware/OS updates that deliver update capsules. For enterprises, integrate these checks into procurement testing and supply chain risk management (SCRM) processes.

NSA advises customization over disabling for stricter controls, with tools on GitHub. The guidance stresses full auditing modes and avoiding the Compatibility Support Module (CSM).

This CSI equips IT teams to safeguard boot integrity amid evolving threats. Download the full PDF from official sources for commands and diagrams.
