CVE-2024-37973
📋 TL;DR
CVE-2024-37973 is a Secure Boot security feature bypass vulnerability that allows attackers to circumvent Secure Boot protections on affected systems. This could enable execution of unauthorized code during the boot process before the operating system loads. The vulnerability affects systems with Secure Boot enabled, primarily Windows devices.
💻 Affected Systems
- Windows 10
- Windows 11
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
📦 What is this software?
Windows 10 1507 by Microsoft
Windows 10 1607 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 21h2 by Microsoft
Windows 10 22h2 by Microsoft
Windows 11 21h2 by Microsoft
Windows 11 22h2 by Microsoft
Windows 11 23h2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with persistent malware that survives OS reinstallation, enabling attackers to establish deep persistence and bypass all Secure Boot protections.
Likely Case
Installation of bootkits or rootkits that evade detection by security software, allowing credential theft, data exfiltration, and lateral movement within the network.
If Mitigated
Limited impact if proper network segmentation, endpoint detection, and monitoring are in place, though the boot-level persistence remains a significant threat.
🎯 Exploit Status
Exploitation requires administrative privileges or physical access to the system. The vulnerability involves manipulating Secure Boot variables during the boot process.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: July 2024 security updates (KB5040435 for Windows 11, KB5040431 for Windows 10, etc.)
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-37973
Restart Required: Yes
Instructions:
1. Apply July 2024 Windows security updates via Windows Update. 2. For enterprise environments, deploy updates through WSUS, Configuration Manager, or Intune. 3. Restart systems after update installation. 4. Verify Secure Boot is still enabled and functioning.
🔧 Temporary Workarounds
Disable Secure Boot
windowsTemporarily disables Secure Boot protection, which mitigates the vulnerability but reduces security posture.
Access UEFI/BIOS settings during boot (usually F2, F10, or Del key)
Navigate to Boot or Security settings
Disable Secure Boot option
Save and exit
🧯 If You Can't Patch
- Implement strict administrative privilege controls and limit physical access to systems
- Deploy endpoint detection and response (EDR) solutions with bootkit detection capabilities
🔍 How to Verify
Check if Vulnerable:
Check if Secure Boot is enabled: Run 'Confirm-SecureBootUEFI' in PowerShell (returns True if enabled). Check Windows version with 'winver' and verify it's before July 2024 updates.Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"Verify Fix Applied:
Verify July 2024 updates are installed via Settings > Windows Update > Update history. Confirm Secure Boot remains enabled with 'Confirm-SecureBootUEFI' returning True.📡 Detection & Monitoring
Log Indicators:
- Event ID 1035 in System logs indicating Secure Boot policy violations
- Unexpected changes to Secure Boot variables in firmware logs
- Boot process anomalies in Windows event logs
Network Indicators:
- Unusual outbound connections during system boot phase
- Network traffic from systems during unexpected boot times
SIEM Query:
EventID=1035 AND Source="Microsoft-Windows-Security-SPP" | where EventData contains "SecureBoot"