Operating System and Hardware Vulnerabilities

What the Exam Is Really Testing

In 2017, the WannaCry ransomware spread across 150 countries in a single day. The attack vector was an unpatched Windows vulnerability. Organizations that had applied a Microsoft patch released two months earlier were unaffected. Those that hadn't lost access to hundreds of thousands of systems.

That pattern — known flaw, available patch, no action — shows up constantly on the exam. But this module goes deeper than patching. It covers risks that live below the application layer entirely.

Identify risks that originate from the operating system, firmware, and hardware itself — and understand why these vulnerabilities are harder to detect and remediate than application-level flaws.

A compromised firmware implant persists across OS reinstalls. An unpatched OS exposes every application running on it. These are foundational risks, and the exam expects you to recognize them.

Operating System Vulnerabilities

Common OS Vulnerability Types

Operating systems are complex codebases with millions of lines of code. Every major OS has vulnerabilities discovered regularly. The key categories include:

• Privilege escalation flaws — Allow a standard user to gain administrator or root access
• Kernel vulnerabilities — Exploit the core of the OS, giving attackers the highest possible system access
• Service vulnerabilities — Flaws in OS services that run with elevated privileges (print spooler, remote desktop, SMB)
• Driver vulnerabilities — Device drivers run with kernel-level access, making driver flaws particularly dangerous

The exam does not test specific CVE numbers. It tests whether you understand the risk categories and know that OS-level flaws grant deeper access than application-level flaws.

Unpatched Systems

Unpatched systems are one of the most exploited vulnerability categories in real-world attacks and one of the most tested on Security+.

Why systems remain unpatched:

• Compatibility concerns with legacy applications
• Lack of patch management processes
• Fear of downtime in production environments
• Insufficient testing infrastructure for patch validation
• Systems that are forgotten, undocumented, or orphaned

The exam consistently tests this principle: known vulnerabilities with available patches represent the highest-priority remediation targets. An unpatched known vulnerability is more dangerous than an unknown vulnerability because attackers actively scan for and exploit known flaws.

Patch management best practices:

• Maintain a complete asset inventory so no systems are missed
• Test patches in a staging environment before production deployment
• Prioritize patches based on severity, exploitability, and asset criticality
• Automate patch deployment where possible
• Document exceptions and compensating controls for systems that cannot be patched

Hardware Vulnerabilities

Firmware Vulnerabilities

Firmware is the software embedded in hardware devices — routers, switches, IoT devices, storage controllers, and motherboard chips. Firmware vulnerabilities are particularly concerning because:

• Firmware runs before the OS loads, operating below OS-level security controls
• Firmware updates are less frequent and often require manual intervention
• Compromised firmware can persist across OS reinstalls and disk wipes
• Many organizations do not include firmware in their patch management programs

Attackers targeting firmware gain persistent, stealthy access that survives standard remediation procedures.

BIOS/UEFI Attacks

The BIOS (Basic Input/Output System) and its modern replacement UEFI (Unified Extensible Firmware Interface) initialize hardware and load the operating system. Compromising BIOS/UEFI gives an attacker control before any OS security mechanisms activate.

UEFI attack categories:

• Bootkit attacks — Modify the boot process to load malware before the OS
• Firmware rootkits — Embed malicious code in the UEFI firmware itself
• Secure Boot bypass — Circumvent the integrity verification that Secure Boot provides

Defenses include Secure Boot (verifying boot component signatures), TPM (Trusted Platform Module) for hardware-based integrity measurement, and firmware update verification through code signing.

End-of-Life Hardware

End-of-life (EOL) hardware no longer receives updates, patches, or support from the manufacturer. This creates permanent vulnerability exposure with no remediation path.

Risks of EOL hardware:

• No security patches for newly discovered vulnerabilities
• No firmware updates to address emerging threats
• No vendor support for troubleshooting or incident response
• Potential compliance violations for regulated industries

The exam tests whether you recognize EOL as a risk that requires either replacement or compensating controls such as network isolation, enhanced monitoring, and access restrictions.

Supply Chain Hardware Risks

Hardware supply chain risks involve compromised components being introduced during manufacturing, shipping, or distribution.

• Counterfeit components — Non-genuine parts that may contain backdoors or fail under load
• Tampered devices — Hardware modified during transit to include surveillance or access capabilities
• Pre-installed malware — Devices shipped with malicious software embedded in firmware or pre-loaded on storage

Mitigations include purchasing from authorized distributors, inspecting hardware for tampering, verifying firmware integrity on receipt, and maintaining a trusted supplier list.

Lack of Vendor Support

Beyond EOL hardware, vendor support issues create vulnerabilities when:

• The vendor goes out of business, leaving products without support
• The vendor stops supporting a specific product line while continuing others
• Support contracts expire and are not renewed
• The vendor is slow to release patches for discovered vulnerabilities

On the exam, lack of vendor support is treated as a risk management issue. The correct response involves assessing the risk, implementing compensating controls, and planning for replacement — not ignoring the problem or assuming the system is secure because it has been running without issues.

Pattern Recognition

When you encounter an OS or hardware vulnerability question, determine:

1. Is the vulnerability in the OS, firmware, or hardware itself?
2. Is a patch or update available?
3. Does the system still receive vendor support?
4. At what level does the vulnerability operate (application, OS, firmware, hardware)?

Pattern shortcuts:

• Known vulnerability + available patch not applied = unpatched system
• Malware survives OS reinstall = firmware compromise
• Device no longer receives updates = end-of-life
• Vulnerability below the OS layer = BIOS/UEFI or firmware
• Hardware from untrusted source = supply chain risk

Trap Patterns

Watch for these traps:

• Assuming OS reinstall fixes everything. Firmware-level compromises survive OS reinstalls. If the scenario mentions persistence after reimaging, think firmware.
• Treating EOL as low risk. The exam treats EOL hardware and software as high risk because no remediation path exists for future vulnerabilities.
• Prioritizing unknown threats over known unpatched vulnerabilities. The exam consistently prioritizes patching known vulnerabilities over hunting for unknown ones. Known exploitable flaws are the highest risk.
• Forgetting firmware in patch management. If a question asks about comprehensive patch management and one answer includes firmware updates, that is likely the most complete answer.

Scenario Practice

Question 1

A security team reimages a compromised server with a clean OS installation. Two weeks later, the same indicators of compromise appear. The team confirms no user interaction occurred that could explain reinfection through standard vectors.

What is the MOST likely explanation?

Question 2

A vulnerability scanner identifies 200 known vulnerabilities across the organization's servers. Of these, 50 have available patches, 30 affect end-of-life systems, and 120 are rated low severity. The security team has limited resources.

Which vulnerabilities should be prioritized FIRST?

Question 3

An organization discovers that several network switches purchased from a third-party reseller have firmware versions that do not match the manufacturer's official releases. The switches were significantly cheaper than authorized distributor pricing.

What is the PRIMARY concern?

Key Takeaway

The deeper a vulnerability sits in the stack, the harder it is to find and fix. OS flaws grant broader access than application flaws. Firmware compromises survive OS reinstalls. End-of-life systems have no remediation path at all. And supply chain tampering can introduce risk before a device is even powered on.

For the exam, remember the priority order: patch known vulnerabilities first, plan replacements for what cannot be patched, and isolate what you must keep running.