Your Router Has 32 Vulnerabilities on Average. Forescout Just Confirmed It’s the Most Dangerous Device on Your Network


Sources: Forescout Vedere Labs “Riskiest Connected Devices in 2026” report (published March 23, 2026), Industrial Cyber, Help Net Security, CIO Influence, SecurityWeek, VMBlog. The report analyzed millions of devices in Forescout’s Device Cloud across 10 major vertical industries.



Your Router Is the Most Dangerous Device on Your Network. Not Your Laptop. Your Router.

Forescout’s Vedere Labs team has been publishing its Riskiest Connected Devices report since 2020. They analyze millions of real devices, not lab samples or survey responses, using data pulled from Forescout’s Device Cloud across organizations in 10 major industries. The methodology is multifactor: configuration problems, vulnerability counts, exposed services, and how critical the device is to the business if it gets compromised. Every year the report produces a ranked list of which device categories are most likely to get attackers into your network and cause real damage when they do.

The 2026 edition dropped on March 23 and it has one headline finding that should change how you think about your network security posture. The riskiest device category in enterprise IT is no longer the computer. It is the router. Routers overtook computers in Forescout’s 2024 report and have continued to widen the gap since. The average router or switch in an enterprise network carries 32 known vulnerabilities per device, and routers alone account for 34 percent of the devices with the most critical vulnerabilities across the entire dataset of millions of devices.

Think about what that means practically. Most organizations’ security investment focuses on endpoints: antivirus and EDR on laptops and servers, email filtering, user awareness training. The router sitting at the edge of the network, or the stack of switches connecting everything in the server room, is getting a fraction of that attention. And according to Forescout’s data, it is significantly more dangerous from a vulnerability standpoint than the devices getting all the security investment.

32 Vulnerabilities Per Device, on Average. And Most Are Never Patched.

The 32-vulnerability average for routers and switches is not just a large number. It is a large number attached to a device category with specific characteristics that make those vulnerabilities much harder to address than equivalent vulnerabilities in software running on a managed computer.

Routers run specialized firmware rather than general-purpose operating systems. Firmware updates are infrequent, require manual intervention, carry a real risk of disrupting connectivity if something goes wrong, and in many cases require a maintenance window because applying the update brings the device down temporarily. Organizations that patch their laptops automatically every Tuesday often have routers running firmware that is two or three years old because nobody has scheduled the patching window and nobody wants to be responsible for taking the edge device down during business hours.

Many enterprise routers also have management interfaces that are either exposed to the internet by misconfiguration or accessible from much broader network segments than they should be. The January 2026 Interlock ransomware attack on Cisco Firewall Management Center, covered in CyberDevHub’s earlier security article this month, is exactly this pattern at its most consequential. The management interface of a network device, running old firmware with an unpatched vulnerability, becomes the way attackers get from the internet to everywhere inside your network.

Forescout’s research notes that network infrastructure devices serve as entry points for lateral movement precisely because once you compromise the network layer itself, rather than a device that runs on top of it, you have visibility into all traffic passing through that device and implicit access to adjacent network segments. Compromising a laptop gives you one foothold. Compromising a core switch gives you a vantage point into the entire network it connects.

The 2026 riskiest IT device top five (Forescout, based on millions of real enterprise devices):
1. Router (most critical vulnerabilities, highest exploitability, lateral movement gateway)
2. Serial-to-IP converter (NEW this year, bridges legacy and modern infrastructure)
3. Workstation (NEW in top five, default credentials and limited monitoring)
4. Firewall (the device designed to protect you can be the entry point)
5. Domain controller (compromising this is game over for the entire network)

Routers and switches average 32 vulnerabilities per device, and routers account for 34% of the devices with the most critical vulnerabilities across the enterprise.

The Big Reversal: When Network Devices Became More Dangerous Than Computers

It was not always this way. For most of the history of enterprise security, the computer was the primary risk surface. Phishing email lands in a mailbox, user clicks a link, malware installs on the endpoint, attacker has a foothold. The entire security industry grew up around that model. Antivirus, EDR, email filtering, user awareness training: all of these are endpoint-centric defenses because endpoints were where the attacks happened.

Forescout’s longitudinal data shows the turning point. At the beginning of 2023, endpoints were still riskier than network devices in their scoring. By the end of 2023, the situation had reversed: network infrastructure had accumulated more vulnerabilities and was being exploited more actively than traditional endpoints. The 2024 report confirmed it and the 2026 report shows the gap widening, not closing.

Two things drove the shift. First, attackers got smarter about targeting. They realized that network infrastructure is the overlooked layer in most organizations’ defenses and started investing in finding and exploiting vulnerabilities there. Between 2022 and 2025 researchers disclosed a steady stream of significant router and network-device vulnerabilities, nation-state actors were documented exploiting them, and the wider attack community built capabilities around those discoveries. Second, the scale of internet-exposed network management interfaces increased as organizations added more remote access, more cloud-connected infrastructure, and more devices at the edge, often without extending their security practices to cover the new exposure.

The result is a structural mismatch between where organizations spend security money and where the actual risk now sits. Most security budgets reflect the threat model of 2018. The Forescout data describes the threat model of 2026.

11 New Device Types Made This Year’s Riskiest List. The Time Clock Is One of Them.

The specific list of new entrants to the 2026 riskiest devices report tells you something about how the attack surface is evolving in a way that the top-line router finding does not fully capture. Eleven device categories appeared on the riskiest list for the first time this year. Among them: serial-to-IP converters, RFID readers, time clocks, BACnet routers, and medical image printers.

The time clock is the one that deserves specific attention because it is the most counterintuitive entry. Time clocks are the devices employees use to punch in and out of work. They are physically present in most workplaces. They connect to the corporate network to sync employee hours with payroll systems. And most IT teams have never audited them for security, never applied firmware updates to them, and probably could not easily answer the question of which network segments they have access to or what default credentials are still configured on them. They are exactly the kind of device the Forescout report identifies as highest risk: widely deployed, always connected, almost never monitored, and bridging the physical and network environment in ways that make them useful as pivot points for attackers who gain access.

BACnet routers are another new entry worth understanding. BACnet is the building-automation protocol behind HVAC, lighting, access control, and elevators. A BACnet router joins BACnet network segments, typically bridging the serial MS/TP field buses that controllers sit on onto BACnet/IP, which is how building management systems end up on the same IP network as everything else. In a hospital, university, or large commercial building, the BACnet layer controls physical access and environmental systems. Compromising a BACnet router means potential access to building systems that most IT security teams do not even know are on the corporate network because they were installed and managed by facilities teams rather than IT. The convergence of physical infrastructure and IP networks has been creating this category of invisible risk for years and the 2026 data shows it is now significant enough to appear in the top riskiest device rankings.

The rate of change in the list is the most alarming overall finding. 40 percent of the riskiest device types were not on the list last year. 75 percent were not on the list just two years ago. The attack surface is not evolving gradually. It is shifting rapidly, with new device categories entering high-risk territory faster than security teams are adapting their monitoring and defense practices to cover them.

The Full 2026 Riskiest Devices List Across IT, IoT, OT, and Healthcare

Category: IT
Top 5 riskiest device types (2026): Router, Serial-to-IP converter, Workstation, Firewall, Domain controller
New this year: Serial-to-IP converter, Workstation
Primary risk factor: 32 average vulnerabilities per router/switch, default credentials, rarely patched firmware

Category: IoT
Top 5 riskiest device types (2026): VoIP system, Printer, Time clock, Network video recorder (NVR), RFID reader
New this year: Time clock, RFID reader
Primary risk factor: default credentials, internet exposure, no security agent support, firmware update gaps

Category: OT (Industrial)
Top 5 riskiest device types (2026): Power distribution unit (PDU), Physical access control, UPS, I/O module, BACnet router
New this year: BACnet router
Primary risk factor: legacy protocols, IT/OT convergence creating new lateral movement paths, safety-critical systems

Category: IoMT (Healthcare)
Top 5 riskiest device types (2026): Medication dispensing system, Medical image printer, DICOM gateway, MRI scanner, Healthcare workstation
New this year: Medical image printer, DICOM gateway
Primary risk factor: decade-old known vulnerabilities in medication systems, direct access to patient records and billing

How Attackers Actually Use Your Router to Get Everywhere Else

The reason routers sit at the top of the risk list is not just that they have the most vulnerabilities. It is that compromising a router gives an attacker something qualitatively different from compromising a workstation: network-layer visibility and control over everything that passes through it.

Once an attacker has a foothold on a router, they can observe traffic passing through it in ways that are invisible to endpoint security tools. They can identify other devices on adjacent network segments that they cannot reach directly from the internet. They can intercept credentials being transmitted across the network, including credentials used to authenticate to other systems. They can modify routing tables to redirect traffic. And they can establish persistence in the router’s firmware or configuration that survives reboots, endpoint reimaging, and endpoint security scans, because none of those actions touch the network device itself.

Forescout’s Daniel dos Santos summarized the pattern from the research: “We are seeing ransomware threat actors leveraging routers and IP cameras, while malware jumps from IT networks into OT workstations and even medical systems.” That cross-domain pivot is what makes network infrastructure compromise so consequential compared to endpoint compromise. An attacker who gets onto a workstation is in one part of the network. An attacker who gets onto the core switch or the edge router is potentially in all of it.

The GlassWorm supply chain attack covered in CyberDevHub’s earlier security article this month used GitHub developer accounts as the entry point. A network-layer attack using a compromised router skips the application layer entirely. The attacker does not need to trick a developer into installing a malicious VS Code extension. They find a router running unpatched firmware, exploit the vulnerability, and start observing traffic. The initial access is quieter and the persistence is deeper because it lives below the operating system layer that most security tools monitor.

The Healthcare Problem: MRI Scanners, Medication Dispensers, and a Decade of Known Bugs

The IoMT section of the Forescout report is the one that should concern anyone who has recently been a hospital patient or works in healthcare IT. Medication dispensing systems, the automated cabinets that store and dispense controlled substances and other medications in hospital settings, have carried known security vulnerabilities for nearly a decade. A researcher named Billy Rios identified more than 1,400 vulnerabilities tied to third-party components in widely used medication dispensing platforms in work published years ago. The 2026 Forescout report shows these systems continue to run outdated firmware with those long-standing flaws still present and still exploitable.

The reason this persists despite being known for so long is the specific operational context these devices exist in. A medication dispensing system in a hospital cannot simply be taken offline for a firmware update during business hours. The update process carries risk of disrupting access to medications that patients may need urgently. Healthcare IT teams face a genuine trade-off between security patching and patient safety that does not exist in the same form for enterprise laptops. The result is systems where known critical vulnerabilities survive for years because the operational risk of patching them is real and the security risk is sometimes treated as abstract until something goes wrong.

DICOM gateways and medical image printers are new entries on the IoMT riskiest list this year; MRI scanners were already on it. The imaging infrastructure is deeply integrated with electronic health records and billing: modalities and gateways move images over DICOM, and gateways commonly exchange orders and results with clinical systems over HL7, which gives them broad connectivity across the clinical environment. An attacker who compromises a DICOM gateway has a path to patient data, billing systems, and other connected clinical infrastructure that is both high-value and poorly defended.

Financial services records the highest average device risk in 2026 according to Forescout, followed by government and healthcare. Those three sectors together describe the infrastructure that manages money, citizen data, and people’s physical health. They are the sectors where successful attacks have the most consequential real-world impact and they are consistently at the top of every risk ranking.

Why Network Devices Are So Hard to Secure

There are specific structural reasons why network devices consistently outrank endpoints in vulnerability counts and why those vulnerabilities persist longer, and understanding them helps explain why the problem does not resolve quickly even when organizations are aware of it.

Specialized firmware is the primary factor. Consumer and enterprise routers, switches, and purpose-built network devices run firmware that is specific to the hardware rather than a general-purpose operating system that a vendor maintains with regular security updates. Firmware updates are less frequent, require more careful testing before deployment because a bad update can render the device inoperable, and in many cases require manual intervention on a physical device rather than a push-button update through a management system. The operational friction of patching network device firmware is genuinely higher than the operational friction of patching Windows or macOS.

Embedded management interfaces create exposure that is easy to overlook. Most enterprise routers and switches have web-based or SSH-accessible management interfaces that were designed for legitimate administrative use and are secured by credentials. When those credentials are the factory defaults that were never changed, or when the management interface is reachable from network segments it should not be reachable from, the interface becomes an attack surface. Forescout’s data specifically notes that these embedded interfaces “are rarely monitored compared to traditional endpoints.” A management interface on a router that nobody is watching for unusual activity is a target that can be compromised and used persistently without triggering any alerts in most organizations’ security monitoring.
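The checks a practitioner would run against a router’s own configuration for the exposures this section describes (remote management reachable from any source, cleartext management protocols, default or weak credentials) are shown in the following added example. It is not code from the Forescout report or from this article’s original text; it assumes Cisco IOS-style configuration syntax, the two configs are constructed, and the finding strings and hardening baseline are this example’s own choices:

```python
"""Lint an IOS-style running-config for the management-plane exposures the
report singles out: remote management reachable from any source, cleartext
protocols, and default or weak credentials.  Added example on constructed
configs; the checks are illustrative, not Forescout's scoring logic."""
import re

# Constructed sample configs (not captured from a real device).
EXPOSED_CONFIG = """\
hostname edge-rtr-01
!
ip http server
no ip http secure-server
!
snmp-server community public RO
!
username admin privilege 15 password 0 admin
!
access-list 10 permit 10.20.30.0 0.0.0.255
!
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 access-class 10 in
 transport input ssh
 login local
"""

HARDENED_CONFIG = """\
hostname edge-rtr-01
!
no ip http server
ip http secure-server
ip http access-class 10
!
username admin privilege 15 secret 9 $9$constructed.example.hash
!
snmp-server group netops v3 priv
!
access-list 10 permit 10.20.30.0 0.0.0.255
!
line vty 0 15
 access-class 10 in
 transport input ssh
 login local
"""

DEFAULT_COMMUNITIES = {"public", "private"}
WEAK_PASSWORDS = {"admin", "cisco", "password"}


def parse_sections(config):
    """Split an IOS config into top-level lines and the indented bodies of
    mode sections such as 'line vty 0 4'.  A bare '!' ends a section."""
    top, sections, current = [], {}, None
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text == "!":
            current = None
            continue
        if raw[0] in " \t" and current is not None:
            sections[current].append(text)
        else:
            current = text
            top.append(text)
            sections.setdefault(current, [])
    return top, sections


def lint(config):
    """Return a list of human-readable findings; an empty list passes."""
    findings = []
    top, sections = parse_sections(config)
    if "ip http server" in top:
        findings.append("ip http server: cleartext HTTP management enabled")
    if "ip http secure-server" in top and not any(ln.startswith("ip http access-class") for ln in top):
        findings.append("ip http secure-server: HTTPS management has no access-class")
    for line in top:
        m = re.match(r"snmp-server community (\S+)", line)
        if m and m.group(1).lower() in DEFAULT_COMMUNITIES:
            findings.append(f"{line}: default SNMP community string")
        m = re.match(r"username (\S+) .*\bpassword 0 (\S+)", line)
        if m:  # 'password 0' is an unencrypted (type-0) password
            user, pw = m.groups()
            findings.append(f"username {user}: type-0 (cleartext) password")
            if pw.lower() in WEAK_PASSWORDS or pw == user:
                findings.append(f"username {user}: default or weak password")
    for header, body in sections.items():
        if not header.startswith("line vty"):
            continue
        if not any(ln.startswith("access-class") for ln in body):
            findings.append(f"{header}: no access-class, remote management reachable from any source")
        for ln in body:
            if ln.startswith("transport input") and {"telnet", "all"} & set(ln.split()[2:]):
                findings.append(f"{header}: telnet permitted for remote management")
    return findings


if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = lint(cfg)
        print(f"== {name}: {len(result)} finding(s)")
        for f in result:
            print("  -", f)
```

Run it and the exposed config produces six findings while the hardened one produces none. The point of the `line vty` check is the one the report makes: a management interface with no source restriction is reachable from every segment the router serves, and a default SNMP community or a type-0 password on the same box is the credential that turns that reachability into access.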

The convergence of IT and OT is the third factor the report identifies. As industrial control systems, building management systems, and medical devices have become IP-connected, they have joined the same network fabric as traditional IT infrastructure. But the security practices developed for IT do not automatically transfer to OT and IoMT environments. The devices operate differently, are managed by different teams, run different operating systems and protocols, and have different operational constraints on when and how updates can be applied. The result is a large and growing population of network-connected devices that exist in a security gap between IT and operational teams.

What Changed in One Year: 75% of the List Was Not on It Two Years Ago

The rate-of-change finding in the Forescout report is the one I keep coming back to because it changes the operational implication of the data. If the riskiest device list were stable year over year, organizations could do a one-time inventory, identify their exposure, implement controls, and expect those controls to remain relevant. That is not the situation the 2026 data describes.

Forty percent of the riskiest device types were not on the list last year. Seventy-five percent were not on the list two years ago. The attack surface is evolving faster than most organizations’ risk management cycles. An organization that completed a thorough device risk assessment in 2024 and implemented appropriate controls may have addressed risks that are now less important while new risk categories have emerged that their 2024 controls do not cover.

The practical implication is that device risk assessment cannot be a point-in-time activity. The Forescout report’s core recommendation is continuous monitoring and automated risk scoring rather than periodic audits. Organizations that maintain a live inventory of all connected devices, continuously updated with current vulnerability and configuration data, are positioned to respond to emerging risk categories as they appear. Organizations that run annual or quarterly assessments are working with data that is already outdated relative to how quickly the risk profile is shifting.

The financial services sector finding is worth emphasizing specifically for readers in that industry. Financial services records average device risk more than three times that of retail, according to Forescout. Government is more than double manufacturing. The sectors with the most sensitive data and the most regulatory exposure are the ones with the highest device risk. Whether that is because they attract more sophisticated attackers, because they have more complex and heterogeneous device estates, or because the operational constraints on patching are particularly severe in those environments, the risk concentration is real and documented across millions of actual devices.

What to Actually Do About This

Forescout’s report does not just document the problem. It ends with specific recommendations that are worth passing along because they address the structural issues rather than just saying “patch your devices.”

The first recommendation is the hardest: upgrade, replace, or isolate OT and IoMT devices running legacy operating systems with known critical vulnerabilities. For devices like medication dispensing systems with a decade of known unpatched vulnerabilities, the realistic path is often network isolation rather than patching. Place them on a dedicated VLAN with firewall rules that permit only the specific traffic they need for their legitimate function. A medication dispensing system that can only communicate with the pharmacy management system it needs to talk to and nothing else has a much smaller blast radius if it is compromised than one with broad network access.

The second recommendation is automated device compliance verification and enforcement. Devices that fail a compliance check (running prohibited firmware versions, using default credentials, or exposing management interfaces to unauthorized network segments) should not be able to connect to the network until the issue is remediated. This requires a network access control system with a current device inventory and policy enforcement, which is more investment than many organizations have made, but it is the only way to operationalize the “contain the blast radius” posture that the report describes as the new security imperative.

The third recommendation is network segmentation applied specifically to the device categories that appear on this list. Routers, switches, and network infrastructure management should be on dedicated management VLANs accessible only from authorized administrator workstations through authenticated channels. Time clocks, printers, VoIP phones, and IP cameras should be on dedicated IoT network segments that cannot initiate connections to core business systems. Building automation devices should be on OT segments isolated from IT networks except through specific controlled integration points.
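The compliance gate from the second recommendation and the segmentation policy from the third, evaluated over the kind of live inventory and flow data the continuous-monitoring section above calls for, as one added example. None of this is Forescout’s product logic or the article’s original content: the zone layout, subnets, port lists, host addresses, firmware floors and flow records are all constructed assumptions for illustration.

```python
"""Segmentation and admission checks for the device classes on the riskiest
list.  Added example; zone layout, ports, hosts, firmware floors and flows are
constructed assumptions, not Forescout's product logic."""
import ipaddress
from dataclasses import dataclass

# Assumed zone layout (constructed addressing).
ZONES = {
    "mgmt": ipaddress.ip_network("10.0.0.0/24"),    # router/switch management VLAN
    "admin": ipaddress.ip_network("10.0.1.0/24"),   # authorized admin workstations
    "core": ipaddress.ip_network("10.10.0.0/16"),   # domain controllers, payroll, ERP
    "iot": ipaddress.ip_network("10.20.0.0/16"),    # time clocks, printers, phones, cameras
    "ot": ipaddress.ip_network("10.30.0.0/16"),     # BACnet routers, PDUs, UPS
    "users": ipaddress.ip_network("10.40.0.0/16"),  # general workstations
}

# Zone pairs allowed to *initiate* connections, with permitted destination
# ports ("*" = any).  Anything not listed is denied, so IoT and OT segments
# cannot reach core at all except through the explicit integration points.
POLICY = {
    ("admin", "mgmt"): {22, 443},   # device management only from admin hosts, SSH/HTTPS
    ("admin", "core"): {"*"},
    ("users", "core"): {"*"},
}

# Host-level integration points that bypass the zone policy (assumed).
EXCEPTIONS = {
    ("10.20.5.10", "10.10.7.20", 443),    # time clock -> payroll sync endpoint
    ("10.30.0.2", "10.10.12.4", 47808),   # BACnet router -> building management server
}

MIN_FIRMWARE = {"router": (17, 3), "switch": (17, 3)}  # assumed floors, not vendor advice


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate_flow(src, dst, dport):
    """Verdict for a connection initiated by src to dst:dport."""
    if (src, dst, dport) in EXCEPTIONS:
        return "allow", "explicit integration point"
    sz, dz = zone_of(src), zone_of(dst)
    if sz is None or dz is None:
        return "deny", f"unzoned endpoint (src zone={sz}, dst zone={dz})"
    if sz == dz:
        return "allow", f"intra-zone {sz} (out of scope for this check)"
    ports = POLICY.get((sz, dz), set())
    if "*" in ports or dport in ports:
        return "allow", f"{sz}->{dz}:{dport} permitted"
    return "deny", f"{sz}->{dz}:{dport} not in policy"


@dataclass
class Device:
    name: str
    category: str
    firmware: str              # dotted numeric version, e.g. "17.9"
    default_credentials: bool
    mgmt_reachable_from: set   # zones that can reach its management interface


def admission(dev):
    """Compliance gate before a device is allowed on the network: an empty
    list means admit; otherwise these are the violations to remediate first."""
    problems = []
    floor = MIN_FIRMWARE.get(dev.category)
    if floor and tuple(int(x) for x in dev.firmware.split(".")) < floor:
        problems.append(f"firmware {dev.firmware} below floor {'.'.join(map(str, floor))}")
    if dev.default_credentials:
        problems.append("default credentials still configured")
    extra = dev.mgmt_reachable_from - {"admin"}
    if extra:
        problems.append(f"management interface reachable from {sorted(extra)}")
    return problems


# Constructed flow records: (src, dst, dport).
SAMPLE_FLOWS = [
    ("10.0.1.15", "10.0.0.1", 22),       # admin host -> core switch, SSH
    ("10.40.3.7", "10.0.0.1", 443),      # user workstation -> switch web UI
    ("10.20.5.10", "10.10.7.20", 443),   # time clock -> payroll
    ("10.20.9.4", "10.10.0.5", 445),     # IP camera -> domain controller, SMB
    ("10.30.2.2", "10.10.0.5", 389),     # PDU -> domain controller, LDAP
    ("10.0.0.1", "203.0.113.9", 443),    # switch -> internet host
]

if __name__ == "__main__":
    for src, dst, port in SAMPLE_FLOWS:
        verdict, why = evaluate_flow(src, dst, port)
        print(f"{verdict:5} {src} -> {dst}:{port}  {why}")
    rtr = Device("edge-rtr-01", "router", "15.9", True, {"admin", "users"})
    print(rtr.name, admission(rtr) or "compliant")
```

Two design choices matter here. The zone policy is deny-by-default and integration points are listed per host, not per zone, so a time clock that legitimately talks to payroll does not open the whole IoT segment to the whole core segment. And the admission gate treats a management interface reachable from anything other than the admin zone as a failure in its own right, independent of firmware age, because that reachability is what the report identifies as the path from a compromised segment to the network layer.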

None of these are simple projects. They require inventory, network architecture work, policy configuration, and ongoing maintenance. The Forescout data makes the case for why the investment is justified: the riskiest devices on your network right now are the ones that most organizations are spending the least security effort on, and attackers have figured that out.

What does your organization’s router patching cycle look like right now? And has anyone on your team ever actually audited which devices are connected to your network and what firmware they are running? Drop your honest answer in the comments. The gap between what organizations think they have on their network and what the discovery tools actually find is one of the most consistent surprises in enterprise security work.

References (March 24, 2026):
Forescout Vedere Labs: “Riskiest Connected Devices in 2026” (primary report, published March 23, 2026): forescout.com/research-labs/riskiest-devices
Help Net Security: “The devices winning the race to get hacked in 2026” (32 vulnerabilities avg, top 5 lists): helpnetsecurity.com
Industrial Cyber: “Forescout 2026 Riskiest Connected Devices report warns of rising OT, ICS risk” (34% critical vulns, medication dispensing history, Daniel dos Santos quote): industrialcyber.co
CIO Influence: “Forescout’s 2026 Riskiest Connected Devices Report Highlights 11 New Device Types” (11 new entries, 75% turnover in two years, financial services 3x retail risk): cioinfluence.com
VMBlog: Full report coverage and Daniel dos Santos VP Research quote: vmblog.com
SecurityWeek: Forescout 2025 riskiest devices historical context (router overtaking endpoints, endpoint-to-network reversal timeline): securityweek.com

Organizations spent billions hardening laptops and servers.
Attackers moved to the routers, switches, and time clocks that nobody was watching. The 2026 data confirms it worked.
