{"id":9213,"date":"2025-12-15T10:04:41","date_gmt":"2025-12-15T10:04:41","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/12\/15\/cisa-releases-guidance-for-managing-uefi-secure-boot-on-enterprise-devices\/"},"modified":"2025-12-15T10:04:41","modified_gmt":"2025-12-15T10:04:41","slug":"cisa-releases-guidance-for-managing-uefi-secure-boot-on-enterprise-devices","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/12\/15\/cisa-releases-guidance-for-managing-uefi-secure-boot-on-enterprise-devices\/","title":{"rendered":"CISA Releases Guidance for Managing UEFI Secure Boot on Enterprise Devices"},"content":{"rendered":"

CISA Releases Guidance for Managing UEFI Secure Boot on Enterprise Devices
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), in coordination with the National Security Agency (NSA), has issued new guidance urging enterprises to verify and manage UEFI Secure Boot configurations to counter bootkit threats. <\/p>\n

Released in December 2025 as a Cybersecurity Information Sheet (CSI), the document addresses vulnerabilities like PKFail, BlackLotus, and BootHole that bypass boot-time protections. Enterprises neglecting these checks face heightened risks from persistent firmware malware.\u200b<\/p>\n

UEFI Secure Boot<\/a>, introduced in 2006, enforces boot policies using certificates and hashes in four variables: Platform Key (PK), Key Exchange Key (KEK), allowed database (DB), and revocation database (DBX). <\/p>\n

It prevents unsigned boot binaries, mitigating supply chain risks during the transition from expiring 2011 Microsoft certificates to 2023 versions. While default settings on most devices block unknown malware, misconfigurations often from test keys or disabled modes, expose systems.<\/p>\n

Highlighted Vulnerabilities<\/strong><\/h2>\n

PKFail involved devices shipped with untrusted test certificates, enabling Secure Boot bypasses. BlackLotus (CVE-2023-24932<\/a>) exploited bootloader flaws to disable enforcement despite status indicators showing it was active.<\/p>\n

BootHole flaws in GRUB allowed arbitrary execution via malformed configs, overwhelming DBX memory on older hardware. These incidents underscore the need for routine audits beyond TPM or BitLocker reliance.<\/p>\n

Administrators should first confirm enforcement: Windows users run\u00a0Confirm-SecureBootUEFI<\/em>\u00a0in PowerShell (True indicates active); Linux users use\u00a0sudo mokutil \u2013sb-state<\/em>.<\/span><\/p>\n

Export variables with Get-SecureBootUEFI<\/em> or efi-readvar<\/em>, then analyze using NSA\u2019s GitHub tools for certs\/hashes. Expected setups feature system vendor PK\/KEK, Microsoft 2011\/2023 CAs in DB, and DBX hashes no test keys or permissive modes.<\/p>\n

\n\n\n\n\n\n\n\n\n
Component<\/th>\nExpected Configuration <\/th>\nImproper Indicators <\/th>\n<\/tr>\n<\/thead>\n
PK<\/td>\nSystem vendor certificate<\/td>\nAbsent or test keys<\/td>\n<\/tr>\n
KEK<\/td>\nVendor + Microsoft 2011\/2023<\/td>\nMissing Microsoft KEKs<\/td>\n<\/tr>\n
DB<\/td>\nMicrosoft CAs + vendor<\/td>\nEmpty or misplaced certs<\/td>\n<\/tr>\n
DBX<\/td>\nRevocation hashes<\/td>\nBoot hashes or duplicates<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

Restore via UEFI setup to factory defaults or apply firmware\/OS updates delivering capsules. For enterprises, integrate checks into procurement testing and SCRM processes. <\/p>\n

NSA advises<\/a> customization over disabling for stricter controls, with tools on GitHub. The guidance stresses full auditing modes and avoiding the Compatibility Support Module (CSM).<\/p>\n

This CSI equips IT teams to safeguard boot integrity amid evolving threats. Download the full PDF from official sources for commands and diagrams\u200b.<\/p>\n

Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n

The post CISA Releases Guidance for Managing UEFI Secure Boot on Enterprise Devices<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n

\t

\n
<\/BR>
\n Abinaya
\n \t

\n
<\/BR>
\nGo to cyber-security-news<\/a>
\n \t

\n
<\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"

CISA Releases Guidance for Managing UEFI Secure Boot on Enterprise Devices The U.S. Cybersecurity and Infrastructure Security Agency (CISA), in coordination with the National Security Agency (NSA), has issued new guidance urging enterprises to verify and manage UEFI Secure Boot configurations to counter bootkit threats. Released in December 2025 as a Cybersecurity Information Sheet (CSI), […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63],"tags":[130],"class_list":["post-9213","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/9213"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=9213"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/9213\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=9213"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=9213"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=9213"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}