Endpoints are the gateways to your organization’s most sensitive data. But they’re often left vulnerable by misconfigurations and overlooked best practices. These vulnerabilities create significant risk for enterprises, leading to security breaches, malware infections, and compliance violations.
At FirmGuard, we’ve conducted thousands of SecureCheck Audits to help organizations identify UEFI BIOS vulnerabilities in their endpoints. And our findings often uncover critical misconfigurations that, if left unaddressed, leave enterprises exposed at the firmware level. In this blog, we’ll focus on 3 of the most pressing UEFI BIOS security issues we uncovered during these audits:
- Up to 15% of endpoints were in legacy BIOS mode
- Up to 20% of endpoints had Secure Boot disabled
- Up to 25% of endpoints had outdated firmware
Let’s break down what these findings mean, their potential consequences, and why they demand immediate attention.
Key finding #1: Up to 15% of endpoints were in legacy BIOS mode
Legacy BIOS is an outdated firmware interface used to initialize hardware during system startup. While it was the standard for many decades, modern systems have largely transitioned to UEFI, which offers critical improvements in security and functionality. UEFI provides a more robust interface between the operating system and the firmware, enabling features like Secure Boot. Secure Boot ensures the integrity of the OS Boot Loader by verifying its authenticity before execution, preventing unauthorized or malicious code from loading during startup. However, many organizations have yet to transition their endpoints to UEFI, leaving critical systems vulnerable to modern security threats.
Consequences of Legacy BIOS Mode
Lack of Secure Boot:
Systems running legacy BIOS cannot leverage Secure Boot, a feature designed to ensure that only signed, trusted software can execute during the boot process. This leaves endpoints exposed to rootkits and bootkits—malware that embeds itself in the bootloader to evade detection.
Incompatibility with Advanced Security Measures:
Modern security tools, such as hardware-based encryption and secure credential storage, rely on UEFI features. Endpoints running legacy BIOS may be incompatible with these defenses, leaving them more vulnerable.
Operational Inefficiencies:
Legacy BIOS can create hardware and software compatibility issues. These inefficiencies increase management overhead and complicate endpoint standardization efforts.
Insecure Firmware Service Interfaces:
Legacy BIOS has insecure firmware service interfaces, which significantly increases exploitation risks. Weak security in interrupt vector tables and handlers allows attackers to manipulate firmware or inject malicious code, leaving systems vulnerable.
Real-World Attack: The Saudi Aramco Hack
The 2012 Saudi Aramco hack, one of the first BIOS firmware attacks, showcased the devastating risks of unsecured firmware. Using the Shamoon malware, attackers ‘bricked’ 35,000 machines, making them completely inoperable. As the systems were running in legacy BIOS mode, this even allowed the malware to disable core functionalities and evade detection, causing massive operational and financial damage.
Key finding #2: Up to 20% of endpoints had Secure Boot disabled
Secure Boot ensures that only an authentic version of the operating system (e.g., Windows) is launched, preventing hackers from executing rogue versions of the OS and gaining full control over an endpoint. It ensures that only trusted, signed software components can run during startup, effectively blocking malicious or unauthorized code. When Secure Boot is disabled, attackers have a much easier path to exploit vulnerabilities in the boot process. Additionally, disabling Secure Boot makes it easier for an attacker to introduce a malicious device loaded with attack code, which the firmware could mistakenly execute as “trusted.”
Consequences of disabled Secure Boot
Increased Attack Surface:
Without Secure Boot, attackers can inject unsigned or malicious code into the boot sequence, enabling the installation of rootkits, bootkits, and other stealthy malware.Risk of Persistent Malware:
Malware that targets the boot process can persist across system reboots and OS reinstalls, making it exceptionally difficult to detect and remove.Regulatory Compliance Risks:
Many cybersecurity frameworks and regulations, including NIST, mandate Secure Boot as a fundamental endpoint hardening measure. Organizations with disabled Secure Boot may fall out of compliance, exposing themselves to both fines and reputational damage.
Real-World Risk: Exploiting Disabled Secure Boot
When Secure Boot is disabled, hackers can exploit this vulnerability to achieve complete control over the endpoint. By disabling Secure Boot or taking advantage of systems where it is already turned off, hackers can launch a rogue operating system that bypasses security controls. This rogue OS enables hackers to embed themselves deeply into the system, granting them persistent access and the ability to execute arbitrary actions without detection. Such exploits not only survive system reboots and OS reinstalls but also evade traditional security measures, significantly increasing the risk to organizational assets.
Key finding #3: Up to 25% of endpoints had outdated firmware
As mentioned above, the BIOS (or its modern counterpart, UEFI) is responsible for testing and initializing hardware, launching the OS and facilitating ongoing communication between the OS and hardware components. BIOS updates often include critical security patches, performance improvements, and compatibility enhancements.
Yet, our SecureCheck audits reveal that up to 25% of endpoints are running an outdated BIOS version—which presents both a significant and unnecessary risk.
Consequences of Outdated BIOS Firmware
Unpatched Vulnerabilities:
Outdated BIOS versions frequently contain known vulnerabilities that attackers can exploit to bypass OS-level protections. These vulnerabilities may allow attackers to escalate privileges, execute malicious code, or compromise entire systems.
Performance Degradation:
Outdated BIOS firmware can lead to hardware instability, system crashes, and degraded performance—negatively impacting productivity and user experience.
Vendor Support Issues:
Many hardware vendors require up-to-date BIOS firmware to maintain warranty coverage and access to support services. Failing to update BIOS can void warranties and complicate hardware management.
Real-World Risk
There are countless real-world attacks targeting out-of-date firmware, with notable examples being BlackLotus, PKFail, and TrickBoot. Attacks such as these are particularly insidious, as they operate beneath the OS, evading traditional detection mechanisms and OS-reinstallations. Full details on these, as well as many more, can be found on our security notifications page. The only way to prevent such attacks is to update your firmware to the latest version.
So... What are the implications of these findings?
While each of these issues is concerning on its own, their combined presence creates a perfect storm for hackers. In essence, a legacy BIOS endpoint with Secure Boot disabled and outdated firmware creates an ideal target for hackers by combining weak security features, unverified boot processes, and known vulnerabilities. This allows attackers to exploit multiple vectors, persist undetected, and gain complete control over the system.
For IT and security teams, these findings mean you must be proactive when it comes to implementing endpoint security measures. Regular audits, such as SecureCheck, are essential for identifying and addressing these risks before they lead to breaches. Because it’s not a matter of if, but when.
