← All insights
Guides

Missing Firmware and BIOS Updates: The Patches Everyone Forgets

Part of our guide: Vulnerability & remediation management

When most people think about patching, they picture operating-system and application updates — the ones that pop up and mostly install themselves. Underneath all of that sits a layer almost nobody thinks about: firmware, including the BIOS/UEFI on your computers and the embedded code running inside every firewall, router, printer, and connected device on your network. It’s software too, it has vulnerabilities too, and it is the patch that gets forgotten most consistently — which is exactly why attackers find it interesting.

What firmware is, and why it matters

Firmware is the low-level code baked into hardware that tells it how to operate, beneath and before the operating system loads. The BIOS or UEFI starts your computer; similar embedded software runs your network gear, security cameras, VoIP phones, building systems, and the long tail of shadow IT devices plugged in around the office.

Two things make firmware a distinct kind of risk:

  • It runs below your defences. Most security tools — antivirus, EDR, monitoring — operate at the operating-system level. A compromise underneath that level can be invisible to them.
  • It’s persistent. Because firmware lives in the hardware, a foothold there can survive an OS reinstall or a reboot, which is a level of persistence ordinary malware can’t match.

A vulnerability here isn’t more common than an application bug — it’s deeper. When one is exploited, it can be more powerful and far harder to detect or evict.

Why these updates get skipped

Firmware updates fall through the cracks for reasons that are entirely understandable:

  • They’re outside the routine. OS and app patching is automated and visible. Firmware updates are often manual, device-by-device, and pulled from each manufacturer separately — so they never make it into the regular patch cycle.
  • The devices don’t look like computers. A firewall, a printer, or an IP camera doesn’t register as something that needs patching the way a laptop does, even though each runs vulnerable software.
  • Updating carries risk. A firmware update can require downtime and, done wrong, can render a device unusable. That small but real risk makes teams cautious, and caution turns into years-old firmware.
  • Nobody owns it. Network appliances and embedded devices frequently have no clear patching owner, so updates that aren’t anyone’s job simply don’t happen.

The combined effect is a fleet of hardware — often including internet-facing appliances — running firmware with known, published vulnerabilities that were fixed long ago by the vendor but never applied.

The internet-facing angle

The most serious version of this problem lives at the edge of your network. Firewalls, VPN concentrators, and other internet-facing appliances run firmware, and when that firmware has an unpatched flaw, it’s exposed directly to anyone scanning the internet. Attackers actively hunt for vulnerable edge devices because exploiting one hands them a foothold at the perimeter — before any of your internal defences come into play. Several of the most damaging intrusion campaigns in recent years have started exactly this way.

How to manage it

Firmware deserves the same disciplined treatment as any other patch management — it just needs to be deliberately pulled into scope:

  1. Inventory the hardware. List the devices that run firmware — computers, network appliances, printers, cameras, IoT — because the ones you’ve forgotten are the ones running the oldest code.
  2. Prioritize the exposed and the critical. Internet-facing appliances come first, then the devices whose compromise would matter most. Don’t try to patch everything at once; close the dangerous gaps first.
  3. Build firmware into the patch cycle. Make checking for firmware and BIOS updates a scheduled task with an owner, not something that happens only when a device misbehaves.
  4. Test and plan downtime. Stage updates where you can and schedule the maintenance window, so the small risk of an update is managed rather than used as a reason to never patch.
  5. Watch for end-of-support hardware. A device the manufacturer no longer issues firmware for is the hardware equivalent of end-of-life software — a permanent hole, and a signal it’s time to replace it.

The bottom line

Firmware and BIOS updates are the patches everyone forgets, which is precisely what makes them valuable to attackers: deep access, lasting persistence, and a low chance of being noticed. The fix is to stop treating firmware as separate from patching and bring it into the same managed process — with an inventory, priorities, and an owner.

Pulling firmware and appliance updates into a single managed remediation process is part of our Vulnerability Management & Remediation service, so the layer beneath your operating system doesn’t stay the one nobody is watching. Book a free assessment and we’ll help you find the devices running on forgotten firmware.

Frequently asked questions

What is firmware, and why does it need updating?

Firmware is the low-level software built into hardware — the BIOS or UEFI on a computer, and the embedded code inside firewalls, routers, printers, IP cameras, and other devices. It runs beneath the operating system and controls how the hardware behaves. Like any software, firmware has vulnerabilities, and manufacturers release updates to fix them. Because firmware sits so low in the stack, a flaw there can be especially powerful for an attacker and especially hard to detect.

Why are firmware and BIOS updates so often missed?

They fall outside the normal patching routine. Operating-system and application updates are automated and visible; firmware updates are frequently manual, device-specific, and easy to overlook — especially on network appliances and IoT devices that nobody thinks of as 'computers.' Updating firmware can also require downtime or carries a small risk of bricking the device, so teams understandably hesitate. The result is hardware running years-old firmware with known, unpatched flaws.

How dangerous is an unpatched firmware vulnerability?

Potentially very. Because firmware runs below the operating system, a compromise there can persist through reinstalls and reboots, evade most security tools that operate at the OS level, and give an attacker deep control of the device. Internet-facing network appliances with vulnerable firmware are a particularly common and serious entry point, because exploiting them can hand an attacker a foothold right at the edge of your network.

Have a question about your security?

We're happy to help — book a no-obligation consultation with our team.

Talk to us