Microsoft addressed a serious security feature bypass in Windows Secure Boot with the June 2026 Patch Tuesday updates. Tracked as CVE-2026-45654, the vulnerability carries an Important severity rating and impacts Windows 11 24H2, 25H2, 26H1, and Windows Server 2025. Patches rolled out via Windows Update on June 9, 2026, and users are strongly advised to install them immediately.

What is Secure Boot?

Secure Boot is a foundational security feature built into UEFI firmware that ensures only trusted, digitally signed code runs during the system startup. It validates each component of the boot chain—from the UEFI drivers to the OS loader—against certificates stored in the firmware. This prevents unauthorized code like bootkits and rootkits from hijacking the boot process.

When Secure Boot is enforced, any software lacking a valid signature from a trusted authority is blocked. This creates a hardware-rooted trust boundary that modern Windows security features rely on.

The Role of Virtual Secure Mode (VSM) and Credential Guard

Windows leverages Secure Boot to establish Virtual Secure Mode, a hypervisor-protected execution environment that isolates sensitive operations from the main OS. VSM is the backbone of Credential Guard, which safeguards domain credentials and secrets by storing them in a virtualized container inaccessible even to kernel-mode code.

A Secure Boot bypass breaks this trust chain. If an attacker can execute unsigned code during boot, they can potentially tamper with the hypervisor or extract secrets protected by VSM. CVE-2026-45654, as a security feature bypass, threatens this entire integrity model.

What We Know About CVE-2026-45654

Microsoft’s advisory is light on technical details, consistent with its responsible disclosure practices. The vulnerability is described as a \"Secure Boot security feature bypass\" that could allow an attacker to circumvent Secure Boot protections and potentially access Virtual Secure Mode secrets. Exploitation would likely require local access or sophisticated remote delivery mechanisms.

With an Important rating, Microsoft assesses it as a significant threat but not wormable. However, the boot-level nature of the flaw means traditional security tools may not detect exploitation. The fix updates the affected boot components to strengthen the trust verification.

Affected Platforms

The following Windows versions receive patches for CVE-2026-45654:
- Windows 11, versions 24H2, 25H2, and 26H1
- Windows Server 2025

Notably, older Windows 11 releases (21H2, 22H2, 23H2) and earlier server editions are not listed, suggesting the vulnerability was introduced in the newer codebase. Systems running Windows 10 or Windows Server 2022 are not affected.

How to Obtain the Fix

The update is distributed through standard channels:
- Windows Update: Settings > Windows Update > Check for updates. The patch will appear as a cumulative update (KB article not disclosed in the initial advisory).
- Microsoft Update Catalog: The standalone package can be downloaded for manual installation or deployment.
- Enterprise management tools: WSUS, Microsoft Endpoint Configuration Manager, and Windows Update for Business will sync the patch automatically.

Restart is required after installation, as the fix modifies boot-critical files.

Historical Context: Secure Boot Bypasses Are Not New

CVE-2026-45654 joins a growing list of Secure Boot vulnerabilities exploited in the wild. The most infamous, BlackLotus bootkit, took advantage of CVE-2022-21894—a bypass that allowed attackers to load unverified EFI drivers. Microsoft has since revoked multiple certificates and issued DBX updates to block vulnerable bootloaders, but new variants continue to surface.

In 2025, several APT groups chained Secure Boot flaws with other exploits to deploy persistent firmware implants. The persistent threat underscores why patches like this must be prioritized: a compromised boot process gives attackers near-complete control over the system.

Why This Matters for Enterprises

For organizations using Credential Guard and VSM to protect privileged accounts, a Secure Boot bypass is a critical concern. Such an attack could:
- Extract domain controller credentials from memory
- Bypass device health attestation in Zero-Trust environments
- Maintain persistence even after OS reinstallation

IT admins should verify that patches are deployed across all affected endpoints and monitor for anomalies in boot logs. Azure Attestation and Microsoft Defender for Endpoint’s firmware protections can provide additional defense layers.

Recommendations for Home Users

Most home users will receive the fix automatically through Windows Update. Ensure automatic updates are enabled and restart your PC when prompted. For systems where Secure Boot is disabled in the BIOS (e.g., for custom OS installations), enable it if possible to regain the protection, though the patch does not require Secure Boot to be active.

Looking Forward

Microsoft typically follows its Coordinated Vulnerability Disclosure (CVD) timeline, meaning deeper technical information may emerge in the coming weeks via security conferences or the MSRC blog. Security researchers will undoubtedly dissect the patch to understand the bypass mechanics.

Meanwhile, this incident reinforces the industry-wide challenge of securing the boot chain. UEFI firmware complexities, the proliferation of signed third-party bootloaders, and supply chain risks continue to expose gaps. Microsoft’s Pluton security processor and its efforts to move attestation to the cloud are steps in the right direction, but legacy code and configurations will remain attack vectors for years.

Apply the latest cumulative update today. This is not a patch to postpone.