Missing Firmware and BIOS Updates: The Patches Everyone Forgets
Part of our guide: Vulnerability & remediation management
When most people think about patching, they picture operating-system and application updates — the ones that pop up and mostly install themselves. Underneath all of that sits a layer almost nobody thinks about: firmware, including the BIOS/UEFI on your computers and the embedded code running inside every firewall, router, printer, and connected device on your network. It’s software too, it has vulnerabilities too, and it is the patch that gets forgotten most consistently — which is exactly why attackers find it interesting.
What firmware is, and why it matters
Firmware is the low-level code baked into hardware that tells it how to operate, beneath and before the operating system loads. The BIOS or UEFI starts your computer; similar embedded software runs your network gear, security cameras, VoIP phones, building systems, and the long tail of shadow IT devices plugged in around the office.
Two things make firmware a distinct kind of risk:
- It runs below your defences. Most security tools — antivirus, EDR, monitoring — operate at the operating-system level. A compromise underneath that level can be invisible to them.
- It’s persistent. Because firmware lives in the hardware, a foothold there can survive an OS reinstall or a reboot, which is a level of persistence ordinary malware can’t match.
A vulnerability here isn’t more common than an application bug — it’s deeper. When one is exploited, it can be more powerful and far harder to detect or evict.
Why these updates get skipped
Firmware updates fall through the cracks for reasons that are entirely understandable:
- They’re outside the routine. OS and app patching is automated and visible. Firmware updates are often manual, device-by-device, and pulled from each manufacturer separately — so they never make it into the regular patch cycle.
- The devices don’t look like computers. A firewall, a printer, or an IP camera doesn’t register as something that needs patching the way a laptop does, even though each runs vulnerable software.
- Updating carries risk. A firmware update can require downtime and, done wrong, can render a device unusable. That small but real risk makes teams cautious, and caution turns into years-old firmware.
- Nobody owns it. Network appliances and embedded devices frequently have no clear patching owner, so updates that aren’t anyone’s job simply don’t happen.
The combined effect is a fleet of hardware — often including internet-facing appliances — running firmware with known, published vulnerabilities that were fixed long ago by the vendor but never applied.
The internet-facing angle
The most serious version of this problem lives at the edge of your network. Firewalls, VPN concentrators, and other internet-facing appliances run firmware, and when that firmware has an unpatched flaw, it’s exposed directly to anyone scanning the internet. Attackers actively hunt for vulnerable edge devices because exploiting one hands them a foothold at the perimeter — before any of your internal defences come into play. Several of the most damaging intrusion campaigns in recent years have started exactly this way.
How to manage it
Firmware deserves the same disciplined treatment as any other patch management — it just needs to be deliberately pulled into scope:
- Inventory the hardware. List the devices that run firmware — computers, network appliances, printers, cameras, IoT — because the ones you’ve forgotten are the ones running the oldest code.
- Prioritize the exposed and the critical. Internet-facing appliances come first, then the devices whose compromise would matter most. Don’t try to patch everything at once; close the dangerous gaps first.
- Build firmware into the patch cycle. Make checking for firmware and BIOS updates a scheduled task with an owner, not something that happens only when a device misbehaves.
- Test and plan downtime. Stage updates where you can and schedule the maintenance window, so the small risk of an update is managed rather than used as a reason to never patch.
- Watch for end-of-support hardware. A device the manufacturer no longer issues firmware for is the hardware equivalent of end-of-life software — a permanent hole, and a signal it’s time to replace it.
The bottom line
Firmware and BIOS updates are the patches everyone forgets, which is precisely what makes them valuable to attackers: deep access, lasting persistence, and a low chance of being noticed. The fix is to stop treating firmware as separate from patching and bring it into the same managed process — with an inventory, priorities, and an owner.
Pulling firmware and appliance updates into a single managed remediation process is part of our Vulnerability Management & Remediation service, so the layer beneath your operating system doesn’t stay the one nobody is watching. Book a free assessment and we’ll help you find the devices running on forgotten firmware.