Six bugs in U-Boot bootloader open the door to hidden firmware attacks
Researchers found flaws in the open-source code that starts up millions of embedded devices, from routers to industrial kit. Fixes are out.

Key points
- Researchers disclosed six vulnerabilities in U-Boot, the open-source bootloader used to start up millions of embedded Linux devices worldwide.
- The flaws sit in code that parses filesystems during boot, letting an attacker with local access run their own code before the operating system loads.
- Successful exploitation can defeat Secure Boot protections and plant malware that survives reinstalls and factory resets.
- Patches landed in the U-Boot project's mainline source in late 2024, but device makers must ship their own firmware updates to customers.
- No active attacks have been reported so far, according to the researchers who found the bugs.
Security researchers have found six flaws in U-Boot, a piece of open-source software that starts up huge numbers of embedded devices. Think home routers, smart TVs, industrial controllers, car infotainment systems, and network gear in offices.
A bootloader is the very first program that runs when you power on a device. It sets things up and then hands control to the main operating system. Because it runs first, anything malicious hiding inside it runs first too.
The bugs, first reported by BleepingComputer, live in the parts of U-Boot that read filesystems during startup. Filesystems are the way data is organised on a disk or memory chip. Feed U-Boot a booby-trapped one, and the parsing code trips over itself in ways an attacker can steer.
What could an attacker actually do with this?
Run their own code on the device before its normal defences ever wake up. That is the short answer.
In practice, an attacker would need local access: a plugged-in USB stick, a swapped SD card, or a tampered storage chip. Once their code runs at the bootloader stage, they can bypass Secure Boot, which is the check that makes sure only trusted software loads at startup.
From there, they can install malware that lives below the operating system. Wiping the device does not remove it. A factory reset does not remove it. Only reflashing the firmware from a clean source does, and most owners never do that.
That is why bootloader bugs matter more than their obscure name suggests. They are the ideal hiding place for spyware and for attacks aimed at specific people or specific companies.
Which devices are affected?
Any device shipping a vulnerable version of U-Boot. That is a very long list, because U-Boot is the default choice for most Linux-based embedded hardware.
Routers, network storage boxes, smart home hubs, industrial gateways, point-of-sale terminals, and plenty of automotive systems all lean on it. The catch: each manufacturer maintains its own U-Boot build. A fix landing in the upstream project does not automatically reach the device sitting on your shelf.
The U-Boot maintainers have merged patches into the main source code. Individual vendors now have to pull those fixes, build new firmware, test it, and push it out. That process routinely takes months. For older or cheaper devices, it often never happens at all.
What should device owners do?
Check for firmware updates from the manufacturer of any embedded gear you rely on, especially routers and network storage. Install them when they appear.
For businesses running industrial or network equipment, ask vendors directly whether their U-Boot builds are patched. Get the answer in writing.
Physical access is the main attack path here, so keep devices in places where strangers cannot swap storage media or plug in unknown drives. That is dull advice, but it is the advice that matches how these bugs actually get used.
The researchers say they have seen no exploitation in the wild yet. Bootloader flaws tend to surface later, in targeted operations rather than mass campaigns, so the absence of noise today is not the same as safety tomorrow.



