JFrog's security research team identified a critical vulnerability, CVE-2020-25860, in RAUC, the open-source firmware update framework maintained by Pengutronix; it carries a CVSSv3 score of 8.8. The bug, present in every RAUC release prior to 1.5, is a time-of-check/time-of-use (TOCTOU) race: RAUC verifies the update bundle and then reads it again for installation, and an attacker who can replace the bundle in the window between those two steps gets unverified, arbitrary firmware installed on the device. Because RAUC is open source, the number of affected devices is hard to pin down, but Pengutronix estimates up to 100,000 devices could be affected. The race can be won locally and, under certain conditions, remotely, although no in-field exploitation has been reported. RAUC, which is designed to provide secure and fail-safe updates for Linux-based embedded devices, is fixed in version 1.5; users should upgrade, or apply mitigations if upgrading is not feasible. The disclosure was coordinated between JFrog and Pengutronix.
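The vulnerability class described above, as an added illustration that is not RAUC's code and does not reproduce RAUC's internals: a verifier that checks a bundle by path and then re-opens the same path to install it, beside the hardened form that opens the bundle once and performs both the check and the use through that single descriptor. The "signature check" here is a stand-in (the payload must begin with a fixed token), the file names and the `attacker_swap` step that models the race window are constructed for the demo, and the temporary directory under `/tmp` is an assumption of the example.

```c
/* Added example of the TOCTOU pattern behind CVE-2020-25860 (not RAUC code).
 * "Verification" is a stand-in check, not RAUC's real signature scheme. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAGIC "TRUSTED:"   /* stand-in for "carries a valid signature" */
#define BUFSZ 256

static int write_file(const char *path, const char *data) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    int ok = fputs(data, f) >= 0;
    return (fclose(f) == 0 && ok) ? 0 : -1;
}

/* Stand-in for signature verification over an already-open descriptor:
 * reads the whole (small) bundle into buf and checks the token. */
static int verify_fd(int fd, char *buf, size_t len) {
    if (lseek(fd, 0, SEEK_SET) < 0) return 0;
    ssize_t n = read(fd, buf, len - 1);
    if (n < 0) return 0;
    buf[n] = '\0';
    return strncmp(buf, MAGIC, strlen(MAGIC)) == 0;
}

/* The attacker's move inside the race window (constructed for the demo):
 * atomically replace the bundle path with another file via rename(2). */
static int attacker_swap(const char *bundle, const char *evil) {
    return rename(evil, bundle);
}

/* Vulnerable pattern: verify by path, drop the descriptor, re-open the path. */
static int install_by_path(const char *bundle, const char *evil,
                           char *installed, size_t len) {
    char tmp[BUFSZ];
    int fd = open(bundle, O_RDONLY);
    if (fd < 0) return -1;
    int ok = verify_fd(fd, tmp, sizeof tmp);
    close(fd);                          /* check done, descriptor discarded */
    if (!ok) return -1;

    attacker_swap(bundle, evil);        /* race window between check and use */

    fd = open(bundle, O_RDONLY);        /* path is trusted again: TOCTOU */
    if (fd < 0) return -1;
    ssize_t n = read(fd, installed, len - 1);
    close(fd);
    if (n < 0) return -1;
    installed[n] = '\0';
    return 0;
}

/* Hardened pattern: open once, check and use through the same descriptor. */
static int install_by_fd(const char *bundle, const char *evil,
                         char *installed, size_t len) {
    struct stat st;
    int fd = open(bundle, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return -1;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode)) { close(fd); return -1; }
    if (!verify_fd(fd, installed, len)) { close(fd); return -1; }

    attacker_swap(bundle, evil);        /* same race window ... */

    /* ... but the open descriptor still names the inode that was verified,
     * so re-reading it yields the checked content, not the swapped file. */
    int ok = verify_fd(fd, installed, len);
    close(fd);
    return ok ? 0 : -1;
}

/* Runs one scenario in a fresh temp dir (demo assumption: /tmp is writable).
 * Returns 1 if the attacker's payload got installed, 0 if the trusted one
 * did, -1 on error. */
static int run_scenario(int (*install)(const char *, const char *,
                                       char *, size_t)) {
    char dir[] = "/tmp/raucdemoXXXXXX";
    if (!mkdtemp(dir)) return -1;
    char bundle[64], evil[64], out[BUFSZ];
    snprintf(bundle, sizeof bundle, "%s/update.raucb", dir);
    snprintf(evil, sizeof evil, "%s/evil.raucb", dir);
    int rc = -1;
    if (write_file(bundle, MAGIC "firmware-v2") == 0 &&           /* constructed */
        write_file(evil, "EVIL:backdoored-firmware") == 0 &&      /* constructed */
        install(bundle, evil, out, sizeof out) == 0)
        rc = strncmp(out, MAGIC, strlen(MAGIC)) != 0;
    unlink(bundle); unlink(evil); rmdir(dir);
    return rc;
}

int vulnerable_installs_attacker_payload(void) { return run_scenario(install_by_path); }
int fixed_installs_attacker_payload(void)      { return run_scenario(install_by_fd); }

int main(void) {
    printf("verify by path, re-open by path: attacker payload installed = %d\n",
           vulnerable_installs_attacker_payload());
    printf("check and use via one descriptor: attacker payload installed = %d\n",
           fixed_installs_attacker_payload());
    return 0;
}
```

An open descriptor pins the inode, so a rename-based swap of the path no longer changes what gets installed; an attacker who can instead rewrite the same inode in place is a separate concern, which is why the bundle should also live where only the updater can write.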