The US Federal Communications Commission (FCC) has expanded its “Covered List” to include certain foreign-made consumer routers, a move that will block new models from receiving equipment authorisation and prevent them from being imported or sold in the United States. The decision reflects growing concern around supply chain security and the potential for foreign state interference in critical network infrastructure. Routers occupy a uniquely sensitive position in both home and enterprise environments, acting as gateways for vast volumes of data.
However, cybersecurity experts said the focus on where devices are manufactured risks missing more fundamental and immediate security challenges.
Supply chain concerns only tell part of the story
Shane Barney, CISO at Keeper Security, said the regulatory move signals a broader shift but warned against narrowing the issue to geography alone. “Moves by regulators to restrict new authorisations for foreign-made routers reflect growing concern around supply chain integrity, but focusing solely on country of origin risks oversimplifying a much broader security challenge.”
He pointed out that routers and network devices are often treated differently from other IT assets, despite their critical role. “In enterprise environments, routers and network devices are seen not just as connectivity tools, but as high-value control points that sit outside traditional security oversight.”
This lack of oversight often leads to inconsistent patching, weak governance and limited integration with identity and access management systems. As a result, routers can provide attackers with persistent and low-visibility access into networks.
Millions of vulnerable devices still in use
While the FCC’s action targets future imports, it does not address the vast number of routers already deployed. Rik Ferguson, VP of Security Intelligence at Forescout, highlighted the scale of that issue and said: “Adding foreign-made consumer-grade routers to the FCC Covered List blocks new models from getting FCC equipment authorisation, but it doesn’t magically secure the millions of routers already deployed.”
These devices often remain in service long after support ends, creating a significant and enduring attack surface, he noted.
“The installed base matters because it’s where so many attackers already live, in exposed management interfaces, abusing weak or reused admin credentials, and slow patching cycles, or end-of-life equipment that still works,” Ferguson explained. He added that many users are reluctant to interact with their routers at all, which further compounds the problem.
Routers now among the most dangerous devices
Recent findings highlighted by Forescout’s Vedere Labs show a clear shift in the threat landscape. Routers and other network infrastructure devices have now overtaken endpoints as the riskiest category of IT assets in many environments. Daniel dos Santos, VP of Research at Forescout, said the data reflects a growing trend. “Routers are now the riskiest devices we see nowadays, both in enterprise and consumer environments,” he said. “These devices have overtaken endpoints as the riskiest category of IT devices,” dos Santos explained. “They are also one of the fastest-growing categories for exploitation.”
Routers are not only targeted for vulnerability exploitation. Weak or reused credentials remain a common entry point, particularly for management interfaces exposed to the internet. Compromised devices are frequently used to build botnets, enabling distributed denial-of-service attacks or acting as proxy infrastructure. What was once primarily the domain of cybercriminals is now increasingly associated with state-backed activity.
Geopolitical risks remain relevant
Although experts cautioned against overemphasising country of origin, they acknowledged that foreign-manufactured routers can introduce legitimate concerns.
Dos Santos noted that there is potential for state influence, including covert communication channels embedded in hardware or firmware. In some cases, national laws may require companies to disclose vulnerabilities to government authorities before public disclosure, creating potential advantages in zero-day exploitation scenarios. Recent vulnerabilities identified in widely used consumer routers demonstrate that risks exist across manufacturers and geographies, reinforcing the need for consistent security standards, he said.
Securing routers requires a Zero Trust approach
Barney argued that organisations must rethink how they treat network infrastructure. “Organisations must treat network infrastructure as a core component of a zero-trust architecture. Every access request, whether human or machine, must be continuously verified, tightly controlled and fully auditable,” he said.
Without strong identity governance and privileged access management, a compromised router can quickly enable lateral movement across systems. He added that organisations prioritising least privilege, credential security and centralised visibility will be better positioned to manage both supply chain risks and active threats.
Practical steps matter more than origin
Experts agreed that immediate action is essential, particularly as hybrid working environments extend corporate risk into home networks. Recommended steps included replacing unsupported devices, applying firmware updates, disabling remote management interfaces, enforcing strong and unique credentials, and segmenting IoT devices from business systems. Importantly, these measures reduce risk regardless of where a device is manufactured.




