CVE-2024-26175
📋 TL;DR
CVE-2024-26175 is a Secure Boot security feature bypass vulnerability that allows attackers to circumvent Secure Boot protections on affected systems. This could enable loading of untrusted or malicious code during the boot process. The vulnerability affects systems with Secure Boot enabled, primarily Windows devices.
💻 Affected Systems
- Windows Secure Boot
📦 What is this software?
Windows 10 1507 by Microsoft
Windows 10 1607 by Microsoft
Windows 10 21h2 by Microsoft
Windows 10 22h2 by Microsoft
Windows 11 21h2 by Microsoft
Windows 11 22h2 by Microsoft
Windows 11 23h2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise via bootkit or rootkit installation, allowing persistent malware that survives OS reinstallation and disk formatting.
Likely Case
Attackers bypass Secure Boot to load malicious drivers or boot components, enabling privilege escalation or persistence mechanisms.
If Mitigated
Attackers can bypass Secure Boot but still face other security layers like HVCI, memory protections, and application control policies.
🎯 Exploit Status
Exploitation requires administrative privileges or physical access to the system. Attackers need to modify boot components or firmware settings.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: March 2024 security updates (KB5035853 for Windows 11, KB5035849 for Windows 10, etc.)
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-26175
Restart Required: Yes
Instructions:
1. Install the March 2024 Windows security updates via Windows Update.
2. For enterprise: deploy through WSUS, Microsoft Endpoint Configuration Manager, or Microsoft Intune.
3. Verify that Secure Boot is still enabled after the update.
4. Consider updating the UEFI firmware if the device vendor provides updates.
🔧 Temporary Workarounds
Enable HVCI (Hypervisor-Protected Code Integrity)
Windows: Adds additional memory integrity protections that can help mitigate exploitation even if Secure Boot is bypassed. HVCI is controlled by the DeviceGuard registry key below (or via Windows Security > Device security > Core isolation > Memory integrity) and takes effect after a reboot:
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v Enabled /t REG_DWORD /d 1 /f
Enable Windows Defender Application Control
Windows: Restricts which applications and code can run, providing defense-in-depth against malicious boot components.
Deploy via Group Policy or Intune: Computer Configuration > Administrative Templates > System > Device Guard
🧯 If You Can't Patch
- Restrict physical access to critical systems and implement strict access controls
- Enable BitLocker with TPM+PIN to protect against offline attacks even if Secure Boot is bypassed
🔍 How to Verify
Check if Vulnerable:
Check whether the March 2024 security updates are installed:
powershell -Command "Get-HotFix | Where-Object {$_.HotFixID -like 'KB50358*'}"
If nothing is returned, the host is still unpatched.
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
Verify Secure Boot status with powershell -Command "Confirm-SecureBootUEFI" (should return True), and confirm that the March 2024 updates appear in the Get-HotFix output above.
📡 Detection & Monitoring
Log Indicators:
- Event ID 1035 from Code Integrity in Event Viewer under Applications and Services Logs > Microsoft > Windows > CodeIntegrity > Operational
- Unexpected Secure Boot policy changes in System logs
- Boot configuration changes in UEFI/BIOS logs
Network Indicators:
- Not applicable - local exploitation only
SIEM Query:
EventID=1035 AND (Message contains "Secure Boot" OR Message contains "boot integrity")
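The verification steps and log indicators above can be run together from one elevated PowerShell session. The script below is an added example, not part of the advisory: it assumes a UEFI host, uses the KB numbers and the Code Integrity Event ID 1035 as listed on this page (adjust the KB list to your exact OS build), and reads HVCI state from the Win32_DeviceGuard CIM class.

```powershell
# Added helper for checking a host against CVE-2024-26175 (not the advisory's own code).
# Assumptions: run elevated on a UEFI system; KB list and Event ID 1035 come from this page.
$RequiredKBs = @('KB5035853', 'KB5035849')   # March 2024 updates named on this page

function Test-SecureBootState {
    # Confirm-SecureBootUEFI throws on legacy BIOS systems; treat that as "not enabled".
    try { return [bool](Confirm-SecureBootUEFI) } catch { return $false }
}

function Test-MarchUpdateInstalled {
    param([string[]]$KBs = $RequiredKBs)
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    return [bool]($KBs | Where-Object { $installed -contains $_ })
}

function Test-HvciRunning {
    # Win32_DeviceGuard.SecurityServicesRunning contains 2 when HVCI is active.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    return ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 2)
}

function Get-CodeIntegrityBootEvents {
    param([int]$Days = 7)
    # Event ID 1035 in the CodeIntegrity Operational log, filtered like the SIEM query above.
    $filter = @{ LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
                 Id        = 1035
                 StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Secure Boot|boot integrity' } |
        Select-Object TimeCreated, Id, Message
}

$report = [pscustomobject]@{
    SecureBootEnabled  = Test-SecureBootState
    MarchUpdatePresent = Test-MarchUpdateInstalled
    HvciRunning        = Test-HvciRunning
    RecentCIEvents     = @(Get-CodeIntegrityBootEvents).Count
}
$report | Format-List
if (-not $report.SecureBootEnabled -or -not $report.MarchUpdatePresent) {
    Write-Warning 'Host is likely still exposed to CVE-2024-26175: patch and re-enable Secure Boot.'
}
```

A non-zero RecentCIEvents count is a prompt to review the matching events, not proof of exploitation; correlate with the boot configuration changes listed under Log Indicators.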