On June 24, key Microsoft-signed certificates that underpin Secure Boot authentication will expire, raising concerns about the vulnerability of Windows and Linux systems to persistent firmware-level malware known as bootkits.
- Secure Boot certificates expire June 24, risking boot-level security
- Bootkits infect firmware, persist through OS reinstalls
- Recent vulnerabilities expose weaknesses in UEFI boot protections
What happened
Starting June 24, three Microsoft-issued certificates that verify the authenticity of each firmware component loaded during the boot process will expire. These certificates are foundational to Secure Boot, a security standard designed to ensure that all startup firmware and software originate from trusted manufacturers. Without valid certificates, the chain of trust may be broken, potentially allowing unauthorized or malicious code to load before the operating system.
Bootkits are a form of malware that targets the Unified Extensible Firmware Interface (UEFI), the modern replacement for legacy BIOS systems. Because they execute before the OS, bootkits can embed themselves deeply and stealthily, surviving even complete OS reinstallations. Over the past two decades, bootkits have evolved from early BIOS threats to advanced firmware-level infections such as the Kremlin-linked LoJax malware discovered in 2018.
Why it matters
Secure Boot is designed to block bootkits by cryptographically verifying each element of the startup sequence. Expiration of the certificates that validate this process could introduce vulnerabilities by allowing invalid or malicious firmware to run unchecked. This undermines a critical layer of defense, enabling sophisticated attacks that compromise system integrity at the firmware level.
Historically, bootkits have been difficult to detect and remove because they operate below the OS. They can facilitate credential theft, persistent backdoors, and other malicious activities that persist across system wipes. With recent discoveries like the LogoFail vulnerability highlighting weaknesses in UEFI security worldwide, the expiration of Secure Boot certificates could increase the risk for both Windows and Linux users.
What to watch next
Device manufacturers, operating system vendors, and security teams will need to update and replace expiring certificates promptly to maintain Secure Boot protections. Users should ensure that firmware and software updates are applied as part of regular maintenance to protect against firmware-level attacks.
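One way to audit for the certificate replacement described above, as an added example that is not from the original article: it parses the EFI_SIGNATURE_LIST payload of a Secure Boot variable such as db or KEK and returns the notAfter date of every X.509 entry that expires by a chosen cutoff. The function names, `SAMPLE_DB`, and its stub certificates and dates are constructed for illustration.

```python
import struct, uuid
from datetime import datetime
X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072").bytes_le  # EFI_CERT_X509_GUID

def tlv(buf, off):  # read one DER element -> (tag, content_start, content_end)
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length

def not_after(der):  # Certificate -> TBSCertificate -> validity -> notAfter (UTC)
    _, pos, _ = tlv(der, tlv(der, 0)[1])  # enter Certificate, then TBSCertificate
    tag, _, end = tlv(der, pos)
    pos = end if tag == 0xA0 else pos  # skip the optional explicit [0] version
    for _field in ("serialNumber", "signature", "issuer"):
        _, _, pos = tlv(der, pos)
    _, _, pos = tlv(der, tlv(der, pos)[1])  # enter validity, skip notBefore
    tag, start, end = tlv(der, pos)
    text = der[start:end].decode("ascii")
    if tag == 0x17:  # UTCTime has a two-digit year; RFC 5280: >= 50 means 19xx
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ")

def x509_certs(data):  # yield DER certs from concatenated EFI_SIGNATURE_LISTs
    off = 0
    while off + 28 <= len(data):
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 or sig_size <= 16 or off + list_size > len(data):
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        if data[off:off + 16] == X509_GUID:
            pos = off + 28 + hdr_size
            while pos + sig_size <= off + list_size:
                yield data[pos + 16:pos + sig_size]  # drop 16-byte SignatureOwner
                pos += sig_size
        off += list_size

def expiring_by(data, cutoff):  # notAfter of each X.509 entry expiring by cutoff
    return [d for d in map(not_after, x509_certs(data)) if d <= cutoff]

# Constructed sample: two signature lists holding certificate stubs, not real certs
def _der(tag, body):
    return bytes([tag, len(body)]) + body
def _entry(end):  # stub with a parseable validity field, wrapped in a signature list
    val = _der(0x30, _der(0x17, b"200101000000Z") + _der(0x17, end))
    tbs = _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"") * 2 + val
    cert = _der(0x30, _der(0x30, tbs))
    return X509_GUID + struct.pack("<III", 44 + len(cert), 0, 16 + len(cert)) + bytes(16) + cert
SAMPLE_DB = _entry(b"300101000000Z") + _entry(b"400101000000Z")
```

On Linux the variable contents can be read from efivarfs under `/sys/firmware/efi/efivars/`; the first 4 bytes of each file are the variable attributes and must be stripped before the data is passed to `expiring_by`.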
Security researchers and enterprises will be closely monitoring for any exploitation attempts leveraging expired certificates. Continued advances in detecting and mitigating UEFI bootkits will remain a priority as these threats evolve. The situation underscores the importance of robust firmware security as a foundational component of overall system defense.