SEI Parser Demystifies Firmware to Fight Vulnerabilities
January 7, 2026—Software based on the Unified Extensible Firmware Interface (UEFI) standard makes up the firmware of most modern desktop computers and servers. This software is largely invisible to users, critical to basic computer functionality, and sparsely documented, making it an inviting target for attackers. To make UEFI and other low-level, opaque software more accessible to vulnerability researchers, the Software Engineering Institute (SEI) CERT Division recently released the CERT UEFI Parser. The open source tool gives security researchers a flexible, transparent way to inspect and analyze UEFI firmware.
Hidden Risk
The number of reported UEFI vulnerabilities has recently shot up, according to vulnerability notes from the SEI’s CERT Coordination Center (CERT/CC), which investigates software vulnerabilities and coordinates response. There were seven such vulnerability notes in 2025—by far the most of any year—the last published December 17. While the numbers may be small compared to vulnerabilities in other software, the risks can be far greater.
UEFI-based BIOS ROMs, installed as part of firmware, are crucial for initializing computer hardware at startup and managing the interactions between hardware and the operating system (OS). Yet they are sealed off to most users, administrators, security tools, and the OS itself. Attackers who can successfully exploit UEFI software vulnerabilities can establish persistence and evade detection.
The opaque anatomy and workings of UEFI software add to the risk. When widespread firmware vulnerabilities emerge, such as the one targeted by the BlackLotus malware, independent security analysis becomes critical for assessing the presence and scope of associated risks. The current firmware ecosystem has evolved around proprietary storage and compression techniques, which can limit transparency and make independent security analysis challenging.
An X-Ray for Firmware Vulnerability Research
Vendors ship BIOS ROMs as a single firmware image, but they contain many files, executables, images, and other components. Dissecting a ROM, finding particular components, and detecting known vulnerabilities is difficult enough. The challenge is exponentially harder when looking across potentially hundreds of computer models from a single vendor, each with different firmware ROMs.
“These are very supply-chain-intensive systems with very little transparency of how they’re put together, packaged, and distributed,” said SEI vulnerability analysis team lead Vijay Sarvepalli. “The problem with the UEFI architecture is that once you find a vulnerability, it’s very difficult to understand its ecosystem impact and get visibility into it unless you can walk through these unique system setups.”
One Tool for the Most Comprehensive Inspection
Other UEFI parsers exist, but they are scattered across the Internet, and most focus on a particular type of firmware image or a specific firmware component. Researchers have had to guess which tools to use and how to look for specific shared pieces of software across firmware images and their embedded components. SEI research found that even the most comprehensive tools look only for components compliant with published UEFI specifications, not any of the standard’s undocumented features.
“What we were supposed to be looking at wasn't good enough,” said Cory Cohen, a reverse engineer in the CERT Division and the parser project lead. “From the ground up, we wrote the CERT UEFI Parser without being constrained to the things that were well documented. We wanted to extend this architecture to inspect arbitrary components, including the proprietary ones.”
The CERT UEFI Parser can currently recover around 600 data structures, enabling researchers to avoid trial and error and start their search with a treelike map of an entire firmware ROM or other image bundle, like the ones used in virtual environments.
Seeking Community Input
Cohen acknowledged that while the CERT tool is the most encompassing parser of its kind, many dark UEFI corners remain. To enhance UEFI security analysis, security researchers are invited to use the tool, build on it, and report unsupported elements.
“The architecture of the tool makes it easy to add new data structures,” Cohen said. “There could be a lot of really great additions from the community.” Those interested can submit issues or suggest improvements through pull requests on the project’s GitHub site.
Applications for the parser extend beyond vulnerability research to security operations, digital forensics, and proactive firmware security hardening. Government, national security, and defense organizations have expressed interest in the parser to build their capability to identify compromised UEFI firmware across their information systems.
“Firmware exploits against sensitive environments give attackers two major advantages: invisibility and persistence,” Sarvepalli said. “Our goal is to combat both by making firmware far more inspectable at scale.”
“The UEFI space has not been getting enough attention,” said Cohen. “The bigger purpose of this tool is to open the discussion about vulnerabilities in this kind of software.”
Access the CERT UEFI Parser on the SEI’s GitHub or Python Package Index project. Learn more about Sarvepalli’s research on UEFI security in the SEI Digital Library and the SEI Blog.