A new report from Forescout Technologies signals a clear inflection point in enterprise exposure, with network infrastructure overtaking endpoints as the highest-risk category across IT environments. Titled ‘2026 Riskiest Connected Devices,’ the findings point to a shift in attacker focus toward core network layers, where weakly managed, high-impact assets enable lateral movement and persistence, particularly as adversaries increasingly exploit east-west traffic rather than relying on perimeter access.
Based on millions of devices, the Forescout report shows routers alone now account for roughly one-third of the most critical vulnerabilities, with routers and switches averaging nearly 32 vulnerabilities per device. It highlights a rapidly expanding and diversifying attack surface, with 11 new device types entering the riskiest category across IT, OT (operational technology), IoT (Internet of Things) and IoMT (Internet of Medical Things), including serial-to-IP converters, RFID readers, BACnet routers and medication dispensing systems. In total, 40% of device types on this year’s list are new, and 75% were not present just two years ago, reflecting how quickly risk is shifting toward specialized, often unmanaged assets.
Many of these devices operate with outdated firmware, default credentials, or embedded management interfaces that fall outside standard security controls, making them attractive entry points for attackers seeking to pivot across converged IT and operational environments.
“Organizations are connecting more specialized devices than ever, many of which are unmanaged and unagented, and adversaries are evolving their attacks accordingly,” Barry Mainz, CEO at Forescout, said in a Monday media statement. “Threat actors are increasingly exploiting east-west traffic and could target emerging device categories like serial-to-IP converters, medication dispensing systems, and RFID readers. These devices serve as softer points of entry to the network due to limited hardening, inconsistent patching, widespread use of default credentials, and embedded management interfaces that are rarely monitored compared to traditional endpoints. Once a foothold is gained through one of these devices, attackers move laterally across networks to evade traditional, perimeter-focused security layers.”
He added that in today’s threat landscape, containment is the new control. “The ability to automatically contain the blast radius is critical for effective, modern cybersecurity.”
The 2026 Riskiest Connected Devices report identified three new entries in OT environments, namely PDUs (power distribution units), I/O modules and BACnet routers, reflecting how risk is expanding deeper into operational infrastructure.
PDUs and UPS devices are critical components used across data centers, where PDUs distribute electrical power to servers, storage and network systems, while UPS devices provide backup power. Both are now commonly network-connected and support monitoring and remote control, which increases their exposure. If these systems are weakly managed or accessible from less-trusted network segments, they can introduce high-consequence risk.
Warnings from CISA (the Cybersecurity and Infrastructure Security Agency) highlight how attackers have targeted UPS devices using default credentials, enabling disruption of critical infrastructure by shutting off power or manipulating voltage, with similar attack paths possible through PDUs.
Physical access control systems and BACnet routers also feature prominently, particularly in smart buildings and industrial facilities. Access control systems manage doors and locks across environments ranging from offices to retail and large venues, and are often found with exposed management services such as Telnet, alongside vulnerabilities with known exploitation history.
BACnet routers, which connect building automation networks such as BACnet/IP and field networks, sit at a critical junction between operational systems and enterprise connectivity. Weak segmentation and poor management controls can significantly elevate risk, especially given that BACnet is one of the most commonly targeted OT protocols. Compromise of these systems goes beyond cyber intrusion, as it can enable unauthorized manipulation of physical systems, including HVAC, lighting, badge access and fire safety functions, amplifying real-world impact.
I/O modules illustrate how deeply embedded devices are becoming part of the attack surface. These components link digital control systems with physical processes by connecting sensor inputs, such as temperature, to actuators such as valves, relays and fans. Whether integrated into PLCs (programmable logic controllers) or deployed as standalone modules, they often lack modern security controls and can be insecure by design. When deployed without proper segmentation, they increase the risk of attackers moving from network access into direct manipulation of industrial processes.
Of the 20 riskiest device types identified in 2026, nine had already appeared in the 2025 report, pointing to a core group of persistently exposed technologies. Routers, VoIP systems and UPS devices have shown consistent risk since 2022, underscoring how foundational infrastructure continues to present enduring security gaps. Routers, in particular, climbed from fifth place in 2025 to first in 2026 within IT environments, having previously ranked first in 2024 and 2022 and third in 2023.
VoIP systems followed a similar trajectory, moving from third place in 2025 to first in 2026 within IoT, after ranking second in 2024, fifth in 2023 and second in 2022. UPS devices also shifted upward, rising from fifth place in 2025 to third in 2026 within OT, after holding the top position in 2024 and 2023 and ranking third in 2022.
Other device types have shown more recent but notable persistence. Domain controllers, firewalls and network video recorders first appeared in 2024 and continue to feature prominently, with firewalls moving from third place in 2025 to fourth in 2026 within IT, domain controllers slipping from fourth to fifth, and NVRs dropping from first place in 2025 to fourth in 2026 within IoT.
Meanwhile, physical access control systems and imaging systems, which emerged in 2025, remain high on the list, with physical access control systems rising from fourth to second place in OT. In healthcare environments, imaging devices that ranked first in IoMT in 2025 have evolved into more specific classifications, with MRI scanners now appearing as a named device type and ranking fifth in 2026, while healthcare workstations declined from third place in 2025 to fifth in 2026.
The 2026 Riskiest Connected Devices report also surfaces sharp disparities across industries, with financial services and government organizations carrying materially higher average risk than other sectors in the dataset. Risk levels in financial services are more than three times higher than in retail, while government risk is more than double that of manufacturing, highlighting a stark divide between these sectors and the rest of the field.
At the same time, operating system fragmentation is expanding the attack surface, as special-purpose operating systems increasingly dominate in government, healthcare and retail environments, while traditional IT operating systems remain prevalent in financial services and manufacturing. Mobile operating systems have declined significantly and are now meaningfully represented only in healthcare, where they account for about 8% of devices.
The 2026 Riskiest Connected Devices data also shows that the impending end of support for Windows 10 is further reshaping the legacy operating system landscape, with older Windows versions most prevalent in retail at 39%, followed by healthcare at 35% and financial services at 29%.
Across environments, printers, switches and IP phones are among the devices most likely to run outdated or unsupported firmware, and they are frequently overlooked in patch management programs. The report also points to a shift in protocol exposure away from traditional IT vectors toward embedded management interfaces, as RDP and SMB usage have stabilized or declined across most industries, while SSH and Telnet are rising, signaling increased exposure of OT and IoT infrastructure.
Persistent weaknesses in credential and vulnerability hygiene remain a concern, with default credentials most commonly found on printers, print servers, PLCs and serial-to-IP converters. Routers and switches, meanwhile, average 32 vulnerabilities per device and account for 34% of devices with the most critical vulnerabilities, reinforcing their position as some of the most exposed and consequential assets on enterprise networks.
The 2026 Riskiest Connected Devices report found that the riskiest IoMT device types have shifted sharply from 2025, with several new entries now dominating the top tier, including medication dispensing systems, medical image printers, DICOM gateways and MRI scanners alongside healthcare workstations. Medication dispensing systems have carried known security weaknesses for nearly a decade, dating back to research by Billy Rios, who identified more than 1,400 vulnerabilities tied to third-party components in widely used platforms. The latest data shows these systems continue to run outdated firmware, allowing long-standing flaws to persist and remain exploitable in clinical environments.
Imaging-related systems continue to surface as a consistent source of risk, but the category has become more defined. Where earlier reports grouped these assets broadly, 2026 isolates MRI scanners, DICOM gateways and medical image printers as distinct high-risk device types. These systems are tightly integrated with Picture Archiving and Communication System platforms for storing and retrieving medical images and depend on extensive network connectivity to support image-sharing workflows.
Many still rely on legacy hardware and vulnerable operating systems, and both medical image printers and DICOM gateways are frequently found running outdated firmware. Their reliance on the DICOM standard, which governs both image formats and communication protocols, further expands exposure. Past research has shown how attackers scan the internet for exposed imaging systems and exploit weaknesses in DICOM implementations to access patient data or pivot deeper into healthcare networks.
Healthcare workstations remain a critical weak point because of their central role in clinical operations. These systems are used to access and manage patient data, interface with diagnostic equipment and support imaging, treatment planning and clinical workflows. They are deeply integrated with electronic health records and billing systems, often using standards such as HL7, which increases both their connectivity and their attack surface. As they provide direct access to sensitive clinical data and operational systems, they are high-value targets for ransomware groups and consistently rank among the most vulnerable device types in enterprise healthcare environments.
In its conclusion, the 2026 Riskiest Connected Devices report noted that the attack surface in modern organizations spans IT, IoT, and OT, with IoMT adding complexity in healthcare. Focusing security efforts on a single domain is no longer sufficient: attackers exploit weaknesses across multiple environments and pivot between them. From ransomware targeting IP cameras and routers to IT malware infecting OT workstations and IoT botnets with credentials for medical systems, the impact is real.
The report assessed the current risk across this expanded attack surface and identified the riskiest connected devices that warrant priority attention. Effective defense requires security strategies that identify, prioritize, and reduce risk across IT, OT, IoT, and IoMT, rather than managing each domain in isolation.
As threat actors increasingly target network infrastructure and other less-protected devices alongside traditional endpoints, organizations need a consistent approach to risk and exposure management across all connected devices. Mitigation should also scale beyond assessment. Organizations benefit from automated controls that operate across the enterprise, not only within isolated IT, OT, or IoT environments, and that do not rely exclusively on endpoint agents. To sustain these gains, controls should support continuous risk reduction, enforcement, and verification across interconnected systems.


