Forescout dropped their 2026 Riskiest Connected Devices report today. The headline number: routers and switches average 32 known vulnerabilities per device. Routers are, again, the highest-risk IT asset category. None of this is surprising if you've spent any time looking at what's actually running inside a small business network.
What does this actually look like in the field?
I spent years at Tele-Dynamics doing network assessments for SMBs. Not Fortune 500 companies with dedicated security teams and change management processes. Companies with 20 to 200 employees, maybe an IT guy, maybe an MSP that comes in twice a month.
Outdated firmware was everywhere. Constantly. Always. All the time. Companies without a real IT department were the worst, but even companies with IT staff had gear running firmware from two or three years ago. The reasons were always the same: nobody knew updates existed, nobody wanted to schedule the downtime, and nobody wanted to pay the IT person overtime to do it after hours.
I don't think most of these businesses even understood that their routers and switches receive firmware updates. They treated network gear like furniture. You install it, it works, you forget about it. The idea that a router needs regular maintenance the same way a server does just wasn't on anyone's radar.
Why were SonicWalls always the worst?
SonicWalls were the worst offenders, and it wasn't just because people forgot. SonicWall ties firmware access to an active support subscription. If your subscription lapses, you don't get access to newer firmware versions. Full stop.
So you'd walk into a company running a SonicWall with a two-year-old firmware version, and even if they wanted to update, they couldn't without re-upping their subscription first. That's an extra cost nobody budgeted for, an extra conversation nobody wanted to have with the business owner, and an extra delay on top of the delay that already existed because nobody was checking in the first place.
The result is exactly what Forescout's data shows: piles of known vulnerabilities sitting in production because the update path has friction that small businesses don't push through.
The companies most likely to have outdated firmware are the same companies least likely to know it, least likely to have a process for fixing it, and most likely to have everything on one flat network where a compromised router can see everything.
What happens when you try to schedule an update?
Even when customers knew their gear needed updating, scheduling it was a fight. Way back when, the question was always "who will be onsite in the morning if something goes wrong?" Nobody wanted to authorize a firmware update on Friday night and then wonder all weekend if the office would have internet on Monday.
These days the conversation has shifted mostly to downtime. How long will the network be down? Can we do it during business hours? The move to cloud-based everything has actually made this easier. When most of your critical applications are SaaS and your staff can work from their phones for 20 minutes, the stakes of a router reboot are lower than they used to be. But getting to that conversation still requires someone to notice the update exists, schedule it, test it, and follow through. For a lot of SMBs, that someone doesn't exist.
How do you actually stay on top of this?
At Tele-Dynamics we used RMM tools like Kaseya and N-able. Those platforms track firmware versions, flag when updates are available, and give you a dashboard view of every device across every client. That's the baseline. If you're managing network gear for customers, or even just managing your own office network, you need something that inventories what you have and tells you when it's out of date.
The number one way companies screw this up is having an in-house IT person with no monitoring software. They're relying on memory, or they're waiting for an email from the vendor saying there's an update. That email might come. It might not. It might go to a distribution list nobody reads. It might land in spam. It's not a system. It's a hope.
Forescout's data says the average time to exploit for network device CVEs is measured in days, not months. If your update process depends on someone remembering to check a vendor portal every few weeks, you're behind before you start.
What does "32 vulnerabilities per device" actually mean for you?
Forescout's number sounds dramatic, and it is, but it needs context. Not all 32 are critical. Not all are remotely exploitable. Some require specific configurations or network positions to exploit. The number includes everything from information disclosures to remote code execution.
But here's what matters for a small business: you don't get to pick which of those 32 vulnerabilities an attacker finds first. If your router is running firmware from 2024, you're carrying every vulnerability disclosed since then. Some of those will be in CISA's Known Exploited Vulnerabilities catalog. Some of those will have public exploit code. And your router is the device that sees every packet on your network.
The Forescout report also flagged that routers remain the highest-risk IT category for the second year running. Financial services and government lead in average device risk, but the pattern applies everywhere. Routers are the spine. When the spine is compromised, everything connected to it is exposed.
What should you do this week?
Log into your router and check the firmware version. Compare it to what's current on the manufacturer's website. If you're more than one major version behind, update it. If you can't update because your support subscription lapsed, that's a conversation worth having with whoever manages your budget.
Do the same for your switches and firewall. Routers get the attention because they face the internet, but a compromised switch on the inside of your network is just as dangerous. Check every managed device.
If you have more than a handful of devices, get an RMM tool. Kaseya, N-able, Datto, whatever your MSP uses. The tool matters less than having one. You need something that tells you what's out of date without you having to remember to check.
If you're using an MSP, ask them for a firmware report. They should be able to produce a list of every network device, its model, and its current firmware version. If they can't, you have an MSP problem on top of a firmware problem.
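What that firmware report can look like once it does more than list versions, covering both the RMM inventory point earlier in the post and the checks in this section. This is an added example, not code from the post or from any RMM product; the inventory, model names, version strings and the known-exploited list are constructed placeholders standing in for an RMM export and a lookup against CISA's KEV catalog.

```python
import re
from dataclasses import dataclass

@dataclass
class Device:
    name: str
    model: str
    running: str          # firmware version on the box
    current: str          # latest release listed by the vendor
    support_active: bool  # matters where the vendor gates firmware behind support

# Constructed inventory; models and versions are placeholders, not real products.
INVENTORY = [
    Device("edge-fw",   "VendorA-FW100", "7.0.1-5100", "7.1.3-7015", False),
    Device("core-sw",   "VendorB-SW24",  "2.4.9",      "2.5.2",      True),
    Device("wifi-rtr",  "VendorC-R8",    "1.12.0",     "3.0.1",      True),
    Device("branch-sw", "VendorB-SW24",  "2.5.2",      "2.5.2",      True),
]
# Constructed stand-in for a CISA KEV lookup: (model, firmware) pairs with a known-exploited CVE.
EXPLOITED = {("VendorA-FW100", "7.0.1-5100")}

def parse_version(v: str) -> tuple:
    """Keep only numeric fields so vendor formats compare: '7.0.1-5100' -> (7, 0, 1, 5100)."""
    return tuple(int(x) for x in re.findall(r"\d+", v))

def assess(dev: Device, exploited: set) -> dict:
    """One report row: how far behind the device is and the flags that change urgency."""
    run, cur = parse_version(dev.running), parse_version(dev.current)
    behind = run < cur
    major_gap = cur[0] - run[0] if behind else 0
    # The post's threshold: more than one major version behind means update now.
    status = "current" if not behind else ("major-behind" if major_gap > 1 else "behind")
    return {
        "name": dev.name, "model": dev.model, "running": dev.running,
        "current": dev.current, "status": status, "major_gap": major_gap,
        "known_exploited": (dev.model, dev.running) in exploited,
        "update_blocked": behind and not dev.support_active,  # lapsed subscription
    }

def firmware_report(devices, exploited) -> list:
    """The report an MSP should hand over, worst first: known-exploited, then furthest behind."""
    rank = {"major-behind": 0, "behind": 1, "current": 2}
    rows = [assess(d, exploited) for d in devices]
    return sorted(rows, key=lambda r: (not r["known_exploited"], rank[r["status"]], -r["major_gap"]))

if __name__ == "__main__":
    for r in firmware_report(INVENTORY, EXPLOITED):
        flags = (" KEV" if r["known_exploited"] else "") + (" BLOCKED: support lapsed" if r["update_blocked"] else "")
        print(f"{r['name']:<10}{r['model']:<15}{r['running']:>11} -> {r['current']:<11}{r['status']}{flags}")
```

A device that is behind, on a known-exploited build, and blocked by a lapsed subscription sorts to the top, which is the budget conversation the post says needs to happen.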
Thirty-two vulnerabilities per router is a statistic. One unpatched router on a flat network with your accounting software, your file shares, and your VoIP phones is a Tuesday waiting to go wrong.