The proliferation of Internet of Things (IoT) devices has introduced significant security challenges, primarily due to the opacity of firmware components and the complexity of supply chain dependencies. IoT firmware frequently relies on outdated, third-party libraries embedded within monolithic binary blobs, making vulnerability management difficult. While Software Bill of Materials (SBOM) standards have matured, generating actionable intelligence from raw firmware dumps remains a manual and error-prone process. This paper presents a lightweight, automated pipeline designed to extract file systems from Linux-based IoT firmware, generate a comprehensive SBOM, map identified components to known vulnerabilities, and apply a multi-factor triage scoring model. The proposed system focuses on risk prioritization by integrating signals from the Common Vulnerability Scoring System (CVSS), Exploit Prediction Scoring System (EPSS), and the CISA Known Exploited Vulnerabilities (KEV) catalog. Unlike conventional scanners that produce high volumes of uncontextualized alerts, this approach emphasizes triage by calculating a localized risk score for each finding. We describe the architecture, the normalization challenges of embedded Linux, and a scoring methodology intended to reduce alert fatigue. The study outlines a planned evaluation strategy to validate the extraction success rate and triage efficacy using a dataset of public vendor firmware, offering a reproducibility framework for future research in firmware security.

翻译：物联网（IoT）设备的激增带来了严峻的安全挑战，其主要原因在于固件组件的非透明性及供应链依赖的复杂性。物联网固件通常依赖于嵌入在单体二进制块中的过时第三方库，这使得漏洞管理变得困难。尽管软件物料清单（SBOM）标准已日趋成熟，但从原始固件转储中生成可操作情报仍是一个手动且易出错的过程。本文提出了一种轻量级自动化流水线，旨在从基于Linux的物联网固件中提取文件系统，生成全面的SBOM，将识别出的组件映射至已知漏洞，并应用多因素分级评分模型。该系统通过整合来自通用漏洞评分系统（CVSS）、漏洞利用预测评分系统（EPSS）以及CISA已知已利用漏洞（KEV）目录的信号，聚焦于风险优先级排序。与产生大量无上下文警报的传统扫描器不同，本方法通过为每个发现项计算本地化风险评分来强化分级处理。我们描述了系统架构、嵌入式Linux的标准化挑战，以及旨在降低警报疲劳的评分方法。本研究概述了计划采用的评估策略，旨在利用公开厂商固件数据集验证提取成功率和分级效能，为未来固件安全研究提供一个可复现的框架。