FirmWatch
Security · February 10, 2026 · 7 min read

Firmware Security Vulnerabilities: A 2025 Retrospective

The year 2025 was a stark reminder that firmware is one of the most under-defended layers of the technology stack. While operating systems and applications receive regular attention from security teams and automated update mechanisms, firmware often sits unpatched for months or years. Here is a look at the most significant firmware security events of 2025 and the lessons they carry into 2026.

Router Vulnerabilities Dominated the Headlines

Routers continued to be the most targeted device category for firmware exploits. In early 2025, a critical vulnerability affecting multiple Netgear router models (CVE-2025-XXXX series) allowed unauthenticated remote code execution through the WAN interface. The attack required no user interaction. Simply having the router connected to the internet was sufficient for exploitation. The vulnerability was actively exploited in the wild for weeks before a patch was available.

TP-Link faced a similar situation with a buffer overflow vulnerability in its UPnP implementation that affected over 30 models. The delayed response highlighted a recurring problem: even after a patch is published, the majority of affected devices remain unpatched because their owners never check for updates.

UEFI/BIOS Attacks Went Mainstream

UEFI firmware attacks moved from academic research to practical exploitation in 2025. The discovery of persistent implants that survive operating system reinstallation demonstrated that BIOS-level compromises are not theoretical. Multiple incidents involved supply chain attacks where UEFI firmware was modified before reaching end users.

The response from motherboard manufacturers was mixed. Intel's Boot Guard and AMD's Platform Secure Boot provide hardware-rooted verification of UEFI firmware, but these features are only effective if the firmware they verify is itself patched against known vulnerabilities. Several BIOS updates throughout 2025 addressed weaknesses in the Secure Boot chain that could be leveraged to bypass these protections.

SSD Controller Vulnerabilities

A less publicized but technically significant set of vulnerabilities affected SSD controllers from multiple manufacturers. Researchers demonstrated that certain NVMe SSDs could be exploited through crafted commands sent over the PCIe bus, potentially allowing a compromised operating system to modify the SSD's firmware. Once the SSD firmware is compromised, it can manipulate data at rest, evade forensic analysis, and persist through drive formatting.

These vulnerabilities are particularly concerning because SSD firmware is rarely updated by consumers and there is no standardized mechanism for verifying its integrity. Unlike UEFI, there is no equivalent of Secure Boot for storage devices.

Camera and IoT Firmware

IP cameras continued to be a soft target. Multiple families of malware specifically targeted unpatched camera firmware to recruit devices into botnets. The Mirai variant known as "InfectedSloth" compromised an estimated 400,000 cameras worldwide during 2025, leveraging default credentials and known firmware vulnerabilities that had patches available for over a year.

The IoT firmware problem is structural. Many devices use commodity System-on-Chip (SoC) platforms with vendor-provided firmware SDKs that are rarely updated. When a vulnerability is discovered in the underlying SDK, every device built on that platform is affected, and the update chain from SoC vendor to device manufacturer to end user is long and unreliable.

Monitor and Display Firmware

While less common, monitor firmware vulnerabilities deserve mention. Research presented at security conferences in 2025 showed that certain monitor models with USB-C hub functionality could be exploited through their firmware to act as a man-in-the-middle for USB data. This attack vector is novel and unlikely to be defended against by traditional endpoint security tools.

Key Takeaways for 2026

  • Internet-facing devices are the highest priority. Routers and cameras should be updated within days of a security patch release, not weeks or months.
  • BIOS updates matter for enterprise security. If your threat model includes nation-state or advanced persistent threats, BIOS firmware must be part of your patching strategy.
  • SSD firmware is an emerging concern. While exploitation is still rare, the potential impact is severe enough to justify monitoring.
  • Supply chain verification. Verify that firmware on newly purchased devices matches the manufacturer's published versions.
  • Monitoring is not optional. The gap between patch availability and patch application is where attackers operate. Reducing that gap is the single most effective defense.
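One way to measure the gap between patch availability and patch application across a device inventory, as an added example that is not FirmWatch's own code. The per-category deadlines, host names, model names, versions and dates are all constructed assumptions for illustration.

```python
from datetime import date

# Assumed patch deadlines in days per category (illustrative policy, not from
# the article): internet-facing devices get the tightest window.
SLA_DAYS = {"router": 3, "camera": 3, "motherboard": 30, "ssd": 30, "monitor": 60}

def parse_version(v):
    """Turn '1.0.12' into (1, 0, 12) so '3.10' sorts after '3.9'."""
    return tuple(int(p) for p in v.split("."))

def patch_gap_report(inventory, advisories, today):
    """List devices running firmware older than the latest security release,
    most overdue first, with the days elapsed since the patch shipped."""
    findings = []
    for dev in inventory:
        adv = advisories.get(dev["model"])
        if adv is None:
            continue  # no security release known for this model
        if parse_version(dev["installed"]) >= parse_version(adv["fixed_in"]):
            continue  # already at or past the patched version
        exposed = (today - adv["released"]).days
        findings.append({
            "host": dev["host"],
            "installed": dev["installed"],
            "fixed_in": adv["fixed_in"],
            "days_exposed": exposed,
            # Positive means past the deadline, negative means days remaining.
            "overdue_by": exposed - SLA_DAYS[dev["category"]],
        })
    return sorted(findings, key=lambda f: f["overdue_by"], reverse=True)

# Constructed sample data (hypothetical hosts, models, versions and dates).
INVENTORY = [
    {"host": "edge-rtr-01", "category": "router", "model": "RTR-A", "installed": "1.0.9"},
    {"host": "cam-lobby", "category": "camera", "model": "CAM-B", "installed": "2.4.0"},
    {"host": "ws-114", "category": "motherboard", "model": "MB-C", "installed": "3.10"},
    {"host": "ws-115", "category": "motherboard", "model": "MB-C", "installed": "3.9"},
]
ADVISORIES = {
    "RTR-A": {"fixed_in": "1.0.12", "released": date(2026, 1, 20)},
    "CAM-B": {"fixed_in": "2.4.1", "released": date(2025, 1, 15)},
    "MB-C": {"fixed_in": "3.10", "released": date(2026, 1, 30)},
}

if __name__ == "__main__":
    for finding in patch_gap_report(INVENTORY, ADVISORIES, date(2026, 2, 10)):
        print(finding)
```

The camera with a patch available for over a year sorts to the top, while the motherboard on 3.9 is flagged but still inside its assumed 30-day window.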