CVE-2024-28920
📋 TL;DR
CVE-2024-28920 is a Secure Boot security feature bypass vulnerability that allows attackers to bypass Secure Boot protections on affected systems. This could enable loading of untrusted or malicious code during the boot process. The vulnerability affects Windows systems with Secure Boot enabled.
💻 Affected Systems
- Microsoft Windows
📦 What is this software?
Windows 10 1809 by Microsoft
Windows 10 21h2 by Microsoft
Windows 10 22h2 by Microsoft
Windows 11 21h2 by Microsoft
Windows 11 22h2 by Microsoft
Windows 11 23h2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of system integrity from boot, allowing persistent malware installation that survives OS reinstallation and disk formatting.
Likely Case
Attackers bypass Secure Boot to load bootkits or rootkits that evade detection and maintain persistence.
If Mitigated
Limited impact with proper patch management and Secure Boot enforcement, though physical access risks remain.
🎯 Exploit Status
Exploitation requires administrative privileges or physical access to the system. Secure Boot bypass vulnerabilities typically require sophisticated exploitation techniques.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: April 2024 security updates - KB5036893 for Windows 11, KB5036892 for Windows 10, etc.
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-28920
Restart Required: Yes
Instructions:
1. Apply April 2024 Windows security updates via Windows Update. 2. For enterprise: Deploy through WSUS, Configuration Manager, or Microsoft Intune. 3. Verify Secure Boot remains enabled after update. 4. Restart system to complete installation.
🔧 Temporary Workarounds
Enable Secure Boot Enforcement
windowsEnsure Secure Boot is properly configured and enforced in UEFI firmware settings
Restrict Physical Access
allImplement physical security controls to prevent unauthorized access to systems
🧯 If You Can't Patch
- Implement strict physical security controls and access monitoring
- Use device control policies to prevent unauthorized boot media usage
- Enable BitLocker with TPM protection to detect boot process tampering
- Monitor for unexpected Secure Boot policy changes or boot failures
🔍 How to Verify
Check if Vulnerable:
Check if system has April 2024 security updates installed. Run: Confirm-SecureBootUEFI in PowerShell to verify Secure Boot status.Check Version:
Run 'systeminfo' or 'winver' to check Windows version and update statusVerify Fix Applied:
Verify April 2024 security updates are installed via Windows Update history or 'winver' command. Confirm Secure Boot remains enabled.📡 Detection & Monitoring
Log Indicators:
- Secure Boot policy changes in System logs
- Unexpected boot failures or recovery events
- Changes to boot configuration data (BCD)
Network Indicators:
- Unusual outbound connections during boot process (difficult to detect)
SIEM Query:
EventID=12 from source 'Microsoft-Windows-Kernel-Boot' with Secure Boot status changes OR EventID=1001 from source 'Microsoft-Windows-WER-SystemErrorReporting' for boot failures