CVE-2024-26189
📋 TL;DR
CVE-2024-26189 is a Secure Boot security feature bypass vulnerability that allows attackers to circumvent Secure Boot protections on affected systems. This could enable loading of untrusted or malicious code during the boot process. The vulnerability affects Windows systems with Secure Boot enabled.
💻 Affected Systems
- Windows 10
- Windows 11
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
📦 What is this software?
Windows 10 1507 by Microsoft
Windows 10 1607 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 21H2 by Microsoft
Windows 10 22H2 by Microsoft
Windows 11 21H2 by Microsoft
Windows 11 22H2 by Microsoft
Windows 11 23H2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise via a bootkit or rootkit that loads before the operating system. Because the implant lives in the boot chain rather than in the OS image, it survives an OS reinstallation unless the EFI System Partition (and, for firmware implants, the firmware itself) is also cleaned.
Likely Case
Bypass of Secure Boot checks to load unsigned or revoked boot components and drivers, giving an attacker who already has administrative or physical access a persistence point below the OS; from there credential theft, data exfiltration or ransomware deployment follows as with any kernel-level foothold.
If Mitigated
Once the March 2024 update is installed and Secure Boot remains enabled, the bypass is closed and the boot chain is enforced again. Systems that run with Secure Boot disabled gain nothing from the fix because there is no protection left to bypass; on those hosts the attacker already has everything this vulnerability would give them.
🎯 Exploit Status
Exploitation requires either physical access to the machine or administrative privileges on it, since the attacker must be able to alter boot components or boot configuration. No public exploit is referenced on this page.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: March 2024 security updates (KB5035853 for Windows 11, KB5035849 for Windows 10, etc.)
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-26189
Restart Required: Yes
Instructions:
1. Apply the March 2024 Windows security updates via Windows Update. Windows updates are cumulative, so any later cumulative update also contains this fix.
2. In enterprise environments, deploy the updates through WSUS, SCCM (Configuration Manager) or Intune.
3. After the restart, verify that Secure Boot is still reported as enabled; the fix only protects hosts that enforce Secure Boot.
🔧 Temporary Workarounds
Do Not Disable Secure Boot
Turning Secure Boot off in the UEFI firmware settings is not a workaround for a Secure Boot bypass: it removes the protection entirely and hands the attacker the same outcome the vulnerability would, without any exploit. Leave Secure Boot enabled and set a firmware (UEFI) administrator password so that an attacker with physical access cannot disable it or change the boot order.
Enable BitLocker with TPM
Enable BitLocker with the TPM protector. The TPM measures the boot chain, so a tampered boot component changes the measurements and BitLocker drops into recovery instead of unsealing the volume key; this does not block the bypass, but it turns a silent boot-chain modification into a visible failure. Suspend BitLocker protectors before applying firmware or Secure Boot database updates, otherwise the legitimate change triggers the same recovery prompt.
manage-bde -on C: -UsedSpaceOnly -RecoveryPassword
🧯 If You Can't Patch
- Restrict physical access to systems, set a UEFI administrator password, and enforce strict administrative privilege controls so that only trusted operators can change boot configuration.
- Implement device control policies that prevent booting from unauthorized external media, and monitor for changes to boot configuration (BCD store, EFI System Partition contents).
🔍 How to Verify
Check if Vulnerable:
A host is vulnerable if Secure Boot is enabled and the March 2024 cumulative update (or any later cumulative update, which supersedes it) is not installed. Check Windows Update history or list installed updates with Get-HotFix; if the March KB has already been superseded it will not be listed, so compare the OS build number against the March 2024 release instead.
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
Confirm that msinfo32.exe reports "Secure Boot State: On" (or run Confirm-SecureBootUEFI from an elevated PowerShell prompt) and that the installed build is at or above the March 2024 release for that Windows version.
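The following script is an added example, not code from the original page or from Microsoft. It performs the post-update verification step of the fix instructions and the "How to Verify" checks above in one pass: it reports whether Secure Boot is enforced and whether the March 2024 update is present. The KB numbers are the ones quoted on this page; the minimum build revisions (UBR) are assumed values taken from Microsoft's March 12, 2024 release notes and should be confirmed there before you depend on them. Run it from an elevated prompt on a UEFI system.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original page or from Microsoft): checks whether the
# March 2024 fix is present and whether Secure Boot is actually enforced.
# Assumptions: KB numbers as quoted on this page; minimum UBR values per the
# March 12, 2024 release notes (confirm them there before relying on this).

$ExpectedKBs = @('KB5035853', 'KB5035849')
# Build number -> minimum update build revision (UBR) carrying the March 2024 LCU.
$MinimumUbr = @{
    '19044' = 4170   # Windows 10 21H2 (KB5035849)
    '19045' = 4170   # Windows 10 22H2 (KB5035849)
    '22621' = 3296   # Windows 11 22H2 (KB5035853)
    '22631' = 3296   # Windows 11 23H2 (KB5035853)
}

function Get-SecureBootState {
    # Confirm-SecureBootUEFI throws on legacy BIOS/CSM boots; report that as $null.
    try { return [bool](Confirm-SecureBootUEFI) } catch { return $null }
}

function Get-OsBuildInfo {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        Build = [string]$cv.CurrentBuildNumber
        Ubr   = [int]$cv.UBR
    }
}

function Test-MarchUpdatePresent {
    # Get-HotFix lists the KB only while it is the latest LCU; a later cumulative
    # update supersedes it, so fall back to comparing the build revision.
    $installed = Get-HotFix -ErrorAction SilentlyContinue | ForEach-Object HotFixID
    if ($ExpectedKBs | Where-Object { $installed -contains $_ }) { return $true }

    $os = Get-OsBuildInfo
    if ($MinimumUbr.ContainsKey($os.Build)) {
        return ($os.Ubr -ge $MinimumUbr[$os.Build])
    }
    return $null   # build not in the table (LTSC/Server SKUs): check manually
}

$secureBoot = Get-SecureBootState
$patched    = Test-MarchUpdatePresent
$build      = Get-OsBuildInfo

[pscustomobject]@{
    Host               = $env:COMPUTERNAME
    Build              = $build.Build
    Ubr                = $build.Ubr
    SecureBootEnabled  = $secureBoot
    MarchUpdatePresent = $patched
    # Exposed to this bypass only when Secure Boot is on and the fix is missing;
    # a host with Secure Boot off has nothing left to bypass but still needs the patch.
    StillExposed       = ($secureBoot -eq $true) -and ($patched -ne $true)
}
```

A `$null` in SecureBootEnabled means the cmdlet could not query UEFI variables (legacy boot or an unsupported platform); treat that as a finding in its own right, since such a host is not enforcing Secure Boot at all.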
📡 Detection & Monitoring
Log Indicators:
- Event ID 1015 from Secure Boot in System logs
- Unexpected changes to boot configuration in BCD store
Network Indicators:
- Outbound connections or DNS queries established early in the boot process, before user logon, from components that do not normally use the network
SIEM Query:
EventID=1015 AND Source="Microsoft-Windows-SecureBoot" | where EventData contains "Validation failed"
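As an added example, not part of the original page, the script below implements the log indicators listed above on a single host, for use from a scheduled task or an endpoint agent that forwards its output to the SIEM. It pulls the Secure Boot validation event exactly as this page names it (source and ID are quoted from the page, not independently verified here; confirm them on your build with Get-WinEvent -ListProvider 'Microsoft-Windows-SecureBoot*' before you alert on them), looks for bcdedit.exe process creations in the Security log, and detects changes to the BCD store by comparing a SHA-256 fingerprint of the full BCD enumeration against a saved baseline. The baseline file path is an assumption.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original page: collects the log indicators listed
# on this page. Event source/ID are as quoted on the page; confirm them with
# Get-WinEvent -ListProvider 'Microsoft-Windows-SecureBoot*' on your build.
# The baseline path is an assumption.

function Get-SecureBootValidationEvents {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'System'; Id = 1015; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like 'Microsoft-Windows-SecureBoot*' -and
                       $_.Message -match 'Validation failed' } |
        Select-Object TimeCreated, Id, ProviderName, Message
}

function Get-BcdEditExecutions {
    # Security event 4688 requires "Audit Process Creation"; the command line is
    # only included when "Include command line in process creation events" is on.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '\\bcdedit\.exe' } |
        Select-Object TimeCreated, Message
}

function Get-BcdFingerprint {
    # Hash the complete BCD enumeration so any added entry or changed option shows up.
    $text  = (bcdedit /enum all) -join "`n"
    $bytes = [Text.Encoding]::UTF8.GetBytes($text)
    $hash  = [Security.Cryptography.SHA256]::Create().ComputeHash($bytes)
    return ([BitConverter]::ToString($hash)).Replace('-', '')
}

function Test-BcdUnchanged {
    param([string]$BaselinePath = 'C:\ProgramData\bcd-baseline.sha256')  # assumed path
    $current = Get-BcdFingerprint
    if (-not (Test-Path $BaselinePath)) {
        # First run: record the current state and report it as the baseline.
        Set-Content -Path $BaselinePath -Value $current
        Write-Warning "No BCD baseline found; recorded the current state in $BaselinePath"
        return $true
    }
    $baseline = (Get-Content -Path $BaselinePath -Raw).Trim()
    return ($baseline -eq $current)
}

# One summary object per run; a non-zero count or $false is worth an alert.
[pscustomobject]@{
    Host                         = $env:COMPUTERNAME
    SecureBootValidationFailures = @(Get-SecureBootValidationEvents).Count
    BcdEditRuns                  = @(Get-BcdEditExecutions).Count
    BcdUnchangedSinceBaseline    = Test-BcdUnchanged
}
```

Refresh the BCD baseline after every legitimate change (feature updates, bcdedit runs by your own tooling), otherwise the comparison keeps firing on the authorized change rather than on an attacker's.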