Network Equipment Under Siege: New Report Exposes Widespread Vulnerabilities
A new report by NetRise analyzes the software composition, vulnerabilities, and non-CVE risks present in corporate network equipment—routers, switches, firewalls, VPN gateways, and wireless access points.
NetRise highlights that organizations employ a complex array of software to operate their network equipment, including third-party, open-source programs, applications, containers, and device firmware. Each new software integration carries inherent risks that often go unnoticed. The surge in software supply chain attacks underscores the necessity of the “trust but verify” principle. Companies must have complete visibility into all components and dependencies of their software to minimize risks.
Key findings of the report include:
- Software Inventory for Risk Understanding: NetRise researchers analyzed code and created detailed SBOMs (Software Bills of Materials) for each tested device, uncovering an average of 1,267 software components per device.
- Detailed Software Analysis Outperforms Traditional Vulnerability Scanning: The identified vulnerability risks exceeded traditional scanner results by an average factor of 200. Researchers found 1,120 known vulnerabilities in software components, with more than a third being over five years old.
- Avoid Sole Reliance on CVSS Scores: Of the 1,120 known vulnerabilities in each network device, more than 42% (473) are rated as “High” or “Critical” by CVSS. On average, 20 vulnerabilities are exploited in attacks per device, with only 7 being network-accessible.
The study emphasizes the importance of creating SBOMs—a detailed list of individual software components used in software development. However, only 35% of surveyed organizations produce or generate such lists. In sectors like medical devices and automotive, SBOM usage has become mandatory due to regulatory requirements.
Understanding the software within an organization is crucial for timely investigation and mitigation of cyberattacks. Yet, only 38% of organizations believe they effectively identify and respond to software vulnerability exploits. Additionally, 47% of organizations report that addressing a critical vulnerability takes between one month and six months.
Organizations are increasingly adopting advanced tools for software supply chain analysis and risk management. These tools provide detailed SBOMs, including embedded firmware, operating systems, virtualization software, and applications, identifying both CVE-related and non-CVE risks, and prioritizing discovered risks.
Governments and regulatory bodies are also tightening standards to ensure the security of network equipment and connected devices, mandating adherence to guidelines such as those from the National Institute of Standards and Technology (NIST) and the European Union’s General Data Protection Regulation (GDPR).
Network devices like routers, switches, firewalls, VPN gateways, and wireless access points have become prime targets for cyberattacks. Vulnerabilities in these devices are actively exploited by malicious actors, making them the riskiest category of IT devices. Vulnerabilities in IoT devices have increased by 136% compared to the previous year, highlighting the need for comprehensive security measures for all connected devices.
The report also provides recommendations for organizations to enhance the security of their network equipment. A key recommendation is the detailed analysis of SBOMs to achieve full visibility of software assets. This includes creating comprehensive SBOMs for all software components, third-party libraries, and dependencies, helping to identify vulnerabilities often missed by traditional scanning.
Organizations are also advised to focus on remediating vulnerabilities exploited in attacks and network vulnerabilities, rather than solely relying on CVSS scores. By addressing actively targeted flaws, organizations can more effectively counter the most serious threats.