Forescout Technologies has released its Riskiest Connected Devices in 2026 report from Forescout Research – Vedere Labs.
This year’s report highlights a surge in newly identified high-risk device types, with 11 appearing on the riskiest list for the first time, including serial-to-IP converters, time clocks, RFID readers, BACnet routers and medical image printers.
The findings continue a significant shift first observed last year. The rate of change has accelerated sharply, as 40 percent of the riskiest device types were not on the list last year, and 75 percent were not on the list just two years ago. Together, these results show risk spreading across a broader set of device categories that are often harder to inventory, harden or patch consistently.
The full report can be downloaded here.
“Organizations are connecting more specialized devices than ever, many of which are unmanaged and unagented, and adversaries are evolving their attacks accordingly,” said Barry Mainz, CEO, Forescout. “Threat actors are increasingly exploiting east-west traffic and could target emerging device categories like serial-to-IP converters, medication dispensing systems, and RFID readers.
"These devices serve as softer points of entry to the network due to limited hardening, inconsistent patching, widespread use of default credentials, and embedded management interfaces that are rarely monitored compared to traditional endpoints.
"Once a foothold is gained through one of these devices, attackers move laterally across networks to evade traditional, perimeter-focused security layers. In today’s threat landscape, containment is the new control. The ability to automatically contain the blast radius is critical for effective, modern cybersecurity.”
Key findings of the report include:
- 11 new device types appear on the riskiest devices list for the first time: Serial-to-IP Converters and Workstations (IT), Printers, Time Clocks, and RFID Readers (IoT), Power Distribution Units (PDUs), I/O Modules, and BACnet Routers (OT), Medication Dispensing Systems, Medical Image Printers, and DICOM Gateways (IoMT).
- 75 percent of the riskiest device types were not on the list just two years ago, and 40 percent are new to the list this year.
- Network infrastructure devices now represent the highest risk overall, surpassing traditional endpoints across several categories.
- Routers surpassed computers and now account for one-third of the most critical vulnerabilities in organizational networks. Routers and switches average nearly 32 vulnerabilities per device.
- The end of Windows 10 support is accelerating legacy operating system exposure.
- Printers, switches, and IP phones most commonly run outdated or unsupported firmware and are often overlooked in patch management programs.
- SSH is now the second most common protocol observed, with rising usage in nearly every sector analyzed.
- Telnet usage, despite being unencrypted and often found on legacy OT and IoT devices, rose significantly across most sectors.
“The pattern is clear: attackers are testing the edges and targeting devices that bridge or integrate multiple environments, including special-purpose operating systems, embedded management interfaces, and devices that often fall outside standard patch cycles,” said Daniel dos Santos, VP of Research at Forescout.
“We are seeing ransomware threat actors leveraging routers and IP cameras, while malware jumps from IT networks into OT workstations and even medical systems. Defenders need security strategies that can identify, prioritize and reduce risk across IT, OT, IoT, and IoMT domains, combined with automated controls that can adapt as the connected devices in their environment shift.”
