Why Firmware Vulnerabilities Are Rapidly Becoming the #1 Enterprise Threat
Firmware attacks are rapidly becoming one of the most dangerous cybersecurity risks for organizations in 2026. Unlike software vulnerabilities that can be patched quickly, firmware runs below the operating system, meaning exploitation often gives attackers deep, persistent, and stealthy access to critical systems. Recent alerts and vulnerability disclosures show a clear trend: threat actors are increasingly targeting firmware and edge‑device infrastructure, prompting urgent warnings from CISA.
Why Firmware Is the New Battleground
CISA repeatedly warns that attackers are exploiting unsupported, end‑of‑support firmware in edge devices including routers, firewalls, and network appliances. Because these devices often no longer receive firmware patches, any discovered vulnerability becomes a permanent foothold for attackers.
These edge‑device intrusions have surged, enabling threat actors to gain initial access, move laterally, disrupt operations, and exfiltrate sensitive data.
Let’s break down the most important firmware‑related CVEs added or highlighted in early 2026.
Vendor/Product: D‑Link DIR‑859 Router
Description: This widely exploited flaw allows OS command injection on a popular home and SMB router.
Impact: This widely exploited flaw allows OS command injection on a popular home and SMB router. Because router security depends on firmware integrity, exploits here allow threat actors to own the network perimeter.
CISA set a remediation deadline of May 21, 2026, highlighting the severity.
CVSS Score: 9.8 Critical
Source: CVE‑2024‑0769
Max Severity: Critical
CVSS Score: 9.8
Vendor/Product:JetKVM Firmware Tampering Vulnerability
Description: This is one of the most critical firmware‑supply‑chain vulnerabilities disclosed this year. JetKVM devices failed to verify the authenticity of downloaded firmware, allowing an attacker‑in‑the‑middle to substitute malicious firmware that would pass verification with a forged hash.
Impact: This exposes organizations to:
- Stealth backdoor implants
- Persistent compromise at the hardware‑access layer
- Supply‑chain poisoning
For KVM‑based datacenter systems, this represents a high‑impact risk.
Source: CVE‑2026‑32294
Max Severity: High
CVSS Score: 7.0
Vendor/Product: Ivanti Endpoint Manager Path Traversal
Description: Also added to the KEV catalog, this vulnerability is a critical stack‑based buffer overflow vulnerability affecting Ivanti Connect Secure appliances prior to version 22.7R2.6.
Impact: The flaw allows a remote, authenticated attacker with low privileges to achieve remote code execution, posing a high‑impact threat to confidentiality, integrity, and availability. The issue arises from improper memory handling (CWE‑121) and can be exploited over the network without user interaction. Ivanti has released a patch in version 22.7R2.6, and organizations are strongly urged to update immediately to mitigate the risk.
Source: CVE‑2025‑22467
Max Severity: High
CVSS Score: 8.8
Vendor/Product: Advantive VeraCore
Description: This vulnerability in Advantive VeraCore that allows unrestricted file uploads, enabling attackers to introduce malicious files directly into environments tied to warehouse and fulfillment operations.
Impact: Because VeraCore often integrates with systems that interface with hardware and embedded firmware, this flaw can create a dangerous attack path where a simple file upload becomes an entry point for deeper compromise.
Source: CVE‑2024‑57968
Max Severity: High
CVSS Score: 8.8
Vendor/Product: Advantive VeraCore
Description: This vulnerability affects Advantive VeraCore through an OS command injection flaw, giving an attacker the ability to execute arbitrary system-level commands.
Impact:This type of vulnerability is especially dangerous in logistics and supply‑chain environments where VeraCore interacts with automated devices, allowing attackers to potentially manipulate workflows, disrupt operations, or pivot toward systems governed by embedded firmware.
Source: CVE‑2025‑25181
Max Severity: High
CVSS Score: 7.5
Vendor/Product: SolarWinds Web Help Desk
Description: SolarWinds Web Help Desk was found to be susceptible to an unauthenticated AjaxProxy deserialization remote code execution vulnerability.
Impact: This vulnerability is a deserialization vulnerability in SolarWinds Web Help Desk that allows attackers to run unauthorized commands through manipulated serialized objects. Because SolarWinds tools are commonly deployed across IT and OT environments, exploitation of this flaw can serve as a stepping‑stone into systems that rely on or manage embedded firmware, widening the scope and impact of a potential breach. This vulnerability is a patch bypass of CVE-2024-28988, which in turn is a patch bypass of CVE-2024-28986.
Source: CVE‑2025‑26399
Max Severity: Critical
CVSS Score: 9.8
The Bigger Picture: Firmware Exploits Are Increasing
CISA emphasizes that unsupported firmware is now a primary target for cyberespionage groups and ransomware operators. Edge‑device vulnerabilities saw an 8x increase in exploitation activity, according to recent reporting.
Organizations still running outdated firmware are exposed to:
- Persistent backdoors
- Administrative credential theft
- Network‑wide compromise
- Operational disruption
Because firmware is rarely monitored, vulnerabilities often remain undetected long after an attack begins.
What Organizations Should Do Now
- Inventory all firmware‑driven devices, especially routers, firewalls, VPN gateways, and IoT.
- Identify end‑of‑support devices using CISA’s guidance and remove them from service.
- Replace any device that no longer receives firmware patches—CISA states these should never remain on enterprise networks.
- Apply vendor firmware updates immediately and enable automatic update checks.
- Monitor CISA’s Known Exploited Vulnerabilities (KEV) catalog for new firmware-related entries.
Final Thoughts
Firmware vulnerabilities are no longer obscure technical issues—they’re frontline threats shaping the global cybersecurity landscape. With attackers increasingly exploiting outdated or unverified firmware, organizations must treat firmware security as a core component of their risk strategy.
