Firmware
Permanent embedded software that controls device hardware operation. Outdated firmware is a persistent vulnerability source in IoT, OT, and IoMT environments where patching is often impractical.
What is Firmware?
Firmware is the permanent embedded software that controls the hardware operation of a device — stored in non-volatile memory (flash, ROM, EEPROM) and executed directly by the device's processor rather than loaded from an operating system. Every networked device has firmware: routers, switches, IoT sensors, PLCs, medical devices, cameras, and embedded controllers. Firmware vulnerabilities are some of the most persistent and difficult to remediate in enterprise environments.
Unlike application software running on a general-purpose OS, firmware cannot be updated through automated patch management pipelines. Firmware updates typically require: vendor-supplied update packages (not available for end-of-life (EoL) devices), specific update procedures that may require physical access or maintenance windows, validation testing (especially for FDA-regulated medical devices), and operational downtime. In many OT environments, firmware updates require vendor involvement, engineering validation, and planned shutdowns that may happen only once every several years.
The persistence of firmware vulnerabilities is compounded by the discovery pattern: vulnerabilities in IoT and OT firmware are being actively researched and disclosed at increasing rates, but the devices affected often have update mechanisms that are effectively inaccessible in production. This creates an expanding population of devices with known, unpatched firmware vulnerabilities where the only risk management options are compensating controls.
Key Facts
- Over 80% of IoT devices have at least one known vulnerability in their firmware
- Firmware updates for medical devices require FDA validation — average time to validated patch is 6–18 months
- EoL firmware devices will never receive patches regardless of vulnerability severity
- Firmware-resident malware (bootkits and rootkits) survives OS reinstallation and factory resets on some device types
How ORDR Addresses Firmware
ORDR identifies the firmware version of every discovered device and correlates it against CVE data to identify firmware-specific vulnerabilities. For devices that cannot be patched, ORDR generates compensating control recommendations and can automatically enforce network isolation policies to limit exposure. Firmware version tracking also feeds asset lifecycle management — devices on EoL firmware are flagged for replacement planning.
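The workflow described above (inventory the firmware version of each device, correlate it against vulnerability data, then decide between patching, compensating controls, and replacement) is illustrated by the following added example. It is not ORDR's code and does not use ORDR's data model; the device inventory, the advisory entries, the vendor and model names, and the `VULN-PLACEHOLDER-*` identifiers are all constructed for this example. The version normalization handles the inconsistent strings devices actually report (`v2.4.1-build17`, `FW 1.2`) and treats a device with no parseable version as an inventory gap rather than silently marking it clean.

```python
"""Firmware inventory-to-advisory correlation (added example, not ORDR's code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Device:
    asset_id: str
    vendor: str
    model: str
    firmware: str     # raw version string exactly as the device reports it
    eol: bool         # vendor has ended support for this firmware line
    patchable: bool   # an in-place update path exists operationally (window, vendor package)


@dataclass(frozen=True)
class Advisory:
    vuln_id: str              # constructed placeholder identifier, not a real CVE
    vendor: str
    model: str
    fixed_in: Optional[str]   # first firmware version containing the fix; None if no fix exists
    severity: str


def parse_version(raw: str) -> Tuple[int, ...]:
    """Normalize vendor strings such as 'v2.4.1-build17' or 'FW 1.2' to comparable integer tuples.

    Only the first dotted numeric run is used, so build suffixes do not distort ordering.
    Raises ValueError when the string carries no version at all (e.g. 'unknown').
    """
    match = re.search(r"\d+(?:\.\d+)*", raw)
    if match is None:
        raise ValueError(f"no numeric version in firmware string {raw!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def is_affected(dev: Device, adv: Advisory) -> bool:
    """A device is affected if it matches the advisory's vendor/model and runs a pre-fix version."""
    if (dev.vendor, dev.model) != (adv.vendor, adv.model):
        return False
    if adv.fixed_in is None:
        return True   # no fixed release exists: every version of this model is affected
    return parse_version(dev.firmware) < parse_version(adv.fixed_in)


def recommend(dev: Device, findings: List[Advisory]) -> str:
    """Map findings plus device lifecycle state to the risk-management action."""
    if not findings:
        return "no-action"
    if dev.eol:
        return "replace"   # EoL firmware will never receive a patch regardless of severity
    if dev.patchable and all(a.fixed_in is not None for a in findings):
        return "patch"
    # A fix exists but cannot be applied, or no fix exists: limit exposure instead
    return "compensating-control"


def correlate(devices: List[Device], advisories: List[Advisory]) -> Dict[str, dict]:
    """Build a per-asset report of matched advisories and the recommended action."""
    report: Dict[str, dict] = {}
    for dev in devices:
        try:
            parse_version(dev.firmware)
        except ValueError:
            # Unparseable version is an inventory gap; never treat it as 'clean'
            report[dev.asset_id] = {"firmware": dev.firmware, "vulns": [], "action": "verify-firmware-version"}
            continue
        hits = [a for a in advisories if is_affected(dev, a)]
        report[dev.asset_id] = {
            "firmware": dev.firmware,
            "vulns": sorted(a.vuln_id for a in hits),
            "action": recommend(dev, hits),
        }
    return report


# Constructed sample inventory and advisory feed (vendors, models and IDs are placeholders).
DEVICES = [
    Device("cam-01", "AcmeCam", "X100", "v2.4.1-build17", eol=False, patchable=True),
    Device("cam-02", "AcmeCam", "X100", "2.5.0", eol=False, patchable=True),
    Device("plc-07", "ExampleAuto", "PLC-9", "FW 1.2", eol=False, patchable=False),
    Device("pump-03", "MediPump", "Infuse2", "3.0", eol=True, patchable=False),
    Device("sw-11", "ExampleNet", "SW-24", "unknown", eol=False, patchable=True),
]
ADVISORIES = [
    Advisory("VULN-PLACEHOLDER-1", "AcmeCam", "X100", fixed_in="2.4.2", severity="high"),
    Advisory("VULN-PLACEHOLDER-2", "ExampleAuto", "PLC-9", fixed_in="1.3", severity="critical"),
    Advisory("VULN-PLACEHOLDER-3", "MediPump", "Infuse2", fixed_in=None, severity="medium"),
]

if __name__ == "__main__":
    for asset_id, row in correlate(DEVICES, ADVISORIES).items():
        print(f"{asset_id:8} {row['firmware']:16} {row['action']:24} {row['vulns']}")
```

The action column is what feeds the compensating-control and lifecycle decisions: `patch` only when both a fixed release and an update path exist, `compensating-control` when a fix exists but cannot be applied or when no fix exists at all, and `replace` for EoL firmware. Keying advisories by vendor and model rather than by free-text device name is deliberate; in real inventories the same model appears under many hostnames, and the version string is the only reliable discriminator.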