Legacy Vulnerabilities in Wireless Firmware: The Lingering Threat of the Pixie Dust Exploit

More than a decade after disclosure, Pixie Dust still lurks in active firmware. NetRise analysis reveals systemic flaws in Wi-Fi device security.

 

Hidden Risks in Wireless Firmware

 

Pixie Dust, first disclosed in 2014, continues to expose consumer and small-business networking devices in 2025. Across six major vendors, we identified 24 devices still vulnerable, with average patch delays of nearly 10 years. Many products remain actively supported yet unpatched, underscoring systemic risks in firmware supply chains.

Key Findings:

  • Vulnerable firmware releases as late as 2025

  • Average patch lag: 9.6 years

  • Only 4 of 24 devices were ever patched

  • 13 devices remain supported but vulnerable

 

Why This Report Matters

Firmware supply chains don’t just inherit vulnerabilities — they preserve them. The persistence of Pixie Dust reveals systemic weaknesses that impact both OEMs and enterprises:

  • Vendors lack transparent advisories and effective update mechanisms.

  • Enterprises remain exposed to silent, firmware-level exploit paths.

  • Supply chains continue to recycle insecure defaults, repeating the same risks.

 

Why NetRise Conducted This Analysis

 

From Anecdote to Evidence

A hobbyist rediscovering Pixie Dust in 2023 showed this wasn’t a dead exploit. With NetRise’s firmware repositories and binary analysis tooling, that one-off observation became a defensible dataset spanning multiple vendors and nearly a decade of releases.

Binary analysis makes these legacy flaws visible when vendor disclosures and package manifests do not.

 

Key Report Insights

What You’ll Learn in This Report:

  • SBOMs alone cannot capture vendored, statically linked, or legacy modules.

  • Vendors shipped vulnerable firmware years after public disclosure.

  • End-of-life devices never received fixes, leaving long-tail exposure in the field.

  • Regulatory and operational risk is amplified by poor patch practices.