Forescout has identified a sharp shift in enterprise cyber risk, with network infrastructure now surpassing traditional endpoints as the most vulnerable part of organisational environments.
In its latest Riskiest Connected Devices in 2026 report, based on analysis of millions of assets in its Device Cloud, the company highlighted how the threat landscape from a device perspective is changing. Notably, 75% of the riskiest device types were not on the list just two years ago, underlining the speed at which new attack surfaces are emerging.
A key finding is the rise of network infrastructure as the primary risk category, with routers overtaking computers and accounting for around one-third of the most critical vulnerabilities. On average, routers and switches now carry nearly 32 vulnerabilities per device.
The report also introduced 11 device types appearing on the high-risk list for the first time, including serial-to-IP converters, RFID readers, BACnet routers and medical image printers. Many of these sit outside traditional IT security controls, making them harder to monitor, patch, or even identify.
According to Forescout, this reflects the broader trend of organisations are deploying more specialised, often unmanaged devices across IT, OT, IoT and IoMT environments that create new entry points for attackers.
Barry Mainz, CEO at Forescout, warned that adversaries are exploiting these gaps. “Many of these devices lack proper hardening, use default credentials, and are rarely monitored in the same way as endpoints,” he said. “Once attackers gain access, they can move laterally across the network, bypassing perimeter-focused defences. Containment is now critical to limiting impact.”
The findings also point to growing exposure from legacy systems, particularly as Windows 10 approaches end of support. Legacy operating systems remain widespread in sectors such as retail (39%), healthcare (35%) and financial services (29%). Meanwhile, commonly overlooked devices such as printers, switches and IP phones frequently run outdated firmware.
At the same time, protocol usage trends are shifting, increasing risk further. SSH is now the second most observed protocol across environments, while insecure Telnet usage continues to rise, particularly in financial services and manufacturing, despite its lack of encryption.
Daniel dos Santos, VP of Research at Forescout, noted that attackers are targeting devices that bridge environments. “We’re seeing ransomware actors leverage routers and IP cameras, while malware moves from IT into OT and even medical systems,” he said. “Security strategies must evolve to provide visibility and control across all connected domains.”
Overall, the report demonstrated how risk is no longer concentrated in traditional endpoints but is spreading across a diverse and often unmanaged device ecosystem, requiring organisations to rethink how they identify, prioritise and contain threats.
