The annual riskiest connected devices reports are always worth reading carefully — not because they deliver surprises, but because they document how fast the attack surface is moving in a direction most enterprise security teams are still trying to catch up to. The 2026 edition makes that acceleration impossible to ignore.

Routers now top the list as the single highest-risk connected device category in enterprise environments, averaging 32 vulnerabilities per device and accounting for roughly one-third of critical vulnerabilities identified across corporate networks. That is not a marginal finding. It represents a structural shift in where attackers are finding their entry points — and it has direct implications for every organization managing a connected office, an OT network, or a smart building.


What Changed Between 2024 and 2026

The most striking number in this year's data is not the router figure. It is this: 40% of device types on the 2026 riskiest list are new entries that were not there two years ago, and 75% of all entries on the current list were absent from the 2024 version entirely.

That rate of change is unprecedented in connected device security research. It signals something important: the threat surface is not just growing — it is rotating. Categories that seemed peripheral or low-risk two years ago are now primary targets, either because attackers have found new exploitation paths or because the sheer volume of these devices in enterprise environments has made them attractive at scale.

The expansion is not limited to traditional IT networking equipment. The 2026 list includes new entrants from OT and building automation environments that would have seemed unlikely candidates for enterprise security attention as recently as 2023.


The New OT and Building Automation Entrants

Among the categories entering the riskiest device list for 2026 are power distribution units (PDUs), input/output modules, BACnet routers, serial-to-IP converters, and RFID readers.

These are not exotic or rare devices. They are standard components in smart office deployments, industrial facilities, and modern commercial buildings. Every organization that has implemented building automation, access control, energy management, or HVAC monitoring at any meaningful scale is running at least some of these devices on their network.

PDUs are ubiquitous in data centers and server rooms. They provide remote power control, environmental monitoring, and circuit-level metering — capabilities that require network connectivity and, in many cases, expose management interfaces that are insufficiently secured or running outdated firmware.

BACnet routers are the protocol bridges that connect building automation systems — HVAC, lighting, elevators, access control — to IP networks. They sit at the intersection of OT and IT, often with poor segmentation on both sides, and they are rarely updated with the same urgency applied to enterprise IT equipment.

Serial-to-IP converters perform a similar bridging role for legacy OT equipment that predates Ethernet connectivity. They take RS-232 or RS-485 signals from PLCs, meters, and industrial sensors and expose them over TCP/IP. The security model for serial communications assumed physical access was required; the converter removes that assumption entirely.

RFID readers appear in access control systems, asset tracking infrastructure, and supply chain management. They are physically distributed throughout facilities, often with network connectivity and management interfaces that receive infrequent security attention.

The appearance of all four of these categories on the 2026 riskiest list is a direct consequence of smart building adoption. Organizations that deployed connected building infrastructure over the past five years are now discovering that the security assumptions embedded in those deployments were insufficient.


Why Routers Specifically?

The router finding deserves specific attention because it runs counter to a common assumption: that network infrastructure, as a managed IT asset, receives adequate security attention.

The average of 32 vulnerabilities per router device reflects several compounding problems. Firmware update cycles for routers — even enterprise-grade models — tend to lag behind the pace of vulnerability discovery. Many organizations treat routers as long-lived infrastructure assets with update cycles measured in years, not months. Default credential exposure remains endemic: studies consistently find that a substantial percentage of internet-facing routers retain factory credentials or use predictable administrative passwords.

The router category encompasses a wide range, from consumer-grade SOHO equipment used in branch offices and remote work environments to industrial cellular routers used in OT field deployments. The research data for this year reflects that breadth — and finds that neither end of the spectrum is performing well on security hygiene.

The concentration of critical vulnerabilities in routers also reflects their position in network architecture. A compromised router provides attackers with a pivot point that touches all network segments it routes between. In environments with IT/OT convergence, a compromised router at the boundary between the corporate network and the OT environment is not just a network access problem — it is a potential path to production systems, safety instrumentation, and building automation.


Sector Risk Is Not Distributed Evenly

One of the more significant findings in this year's data concerns the distribution of connected device risk across industry sectors. Government sector risk from connected devices is more than double that of manufacturing. Financial services sector risk is more than three times higher than retail.

These numbers challenge the common assumption that manufacturing and critical infrastructure carry the highest IoT/OT risk. Government environments — federal agencies, state and local government, defense contractors — are running large inventories of connected devices across highly variable security environments, from well-resourced federal IT to underfunded municipal networks. The attack surface in that category is both large and inconsistently managed.

Financial services risk appearing higher than retail is less intuitive but reflects the concentration of high-value targets. Banks, insurance companies, and financial data infrastructure operators run significant quantities of connected devices for physical security, environmental monitoring, ATM networks, and branch operations — and they are high-value targets that attract sophisticated threat actors willing to invest in finding vulnerabilities.


The IoMT Dimension

The 2026 report covers not only IT/OT/IoT but also IoMT — the Internet of Medical Things. Healthcare organizations running connected medical devices face a version of the same problem as smart office and OT operators, with the added constraint that device availability is directly tied to patient safety.

Medical IoT devices appearing on the riskiest list this year include categories that are embedded in clinical workflows and cannot easily be taken offline for patching or replacement. The combination of life-safety constraints, long device lifecycles, and inadequate firmware update processes creates a risk environment that is structurally different from enterprise IT — and that is increasingly attracting ransomware operators who recognize that healthcare organizations face acute pressure to restore availability.


What the Attack Surface Expansion Means Practically

The finding that 75% of the 2026 riskiest device categories were not on the list two years ago has a direct operational implication: asset discovery and inventory processes built around the threat landscape of 2024 are already incomplete.

Organizations conducting connected device security programs based on prior-year risk models are likely underweighting entire device categories that attackers are actively targeting. The speed at which new categories enter the riskiest list suggests that point-in-time assessments — annual audits, periodic pen tests — are insufficient as the primary control mechanism.

The practical response involves several parallel tracks:

Continuous asset discovery. Passive network monitoring that identifies all connected devices by their traffic signatures, not just devices registered in asset management systems, is now a baseline requirement. Unmanaged and shadow IT devices consistently appear in connected environments at volumes that manual inventory processes miss.

Firmware currency tracking. For each device category now on the riskiest list, organizations should establish firmware baseline policies that define acceptable lag between vendor release and deployment. For high-risk categories like routers, that lag should be measured in weeks, not quarters.

Credential hygiene at scale. Default credentials on routers and building automation equipment remain one of the most exploited attack vectors in connected environments. Systematic credential rotation across network infrastructure — particularly at the branch and OT levels where oversight is weakest — is one of the highest-return security investments available.

Segmentation for new entrants. For device categories newly appearing on the riskiest list — PDUs, BACnet routers, RFID readers, serial-to-IP converters — the appropriate response is to evaluate whether they are currently segmented from critical assets and, where they are not, to treat segmentation as a near-term remediation priority rather than a future architecture consideration.
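The discovery, firmware currency, and segmentation tracks above can be driven from one reconciliation pass over passively observed devices. The following is an added example, not taken from the report: the lag thresholds, category labels, subnets, and device records are all constructed assumptions.

```python
from datetime import date
from ipaddress import ip_address, ip_network

# Assumed policy values: max days a released firmware may remain undeployed.
MAX_LAG_DAYS = {"router": 28, "default": 90}
# Categories the article names as new entrants on the 2026 list.
NEW_ENTRANTS = {"pdu", "bacnet-router", "rfid-reader", "serial-to-ip"}
# Constructed: network segments that hold critical assets.
CRITICAL_NETS = [ip_network("10.10.0.0/24")]

# Constructed inventory keyed by MAC. "pending_fw" is the vendor release date
# of the newest firmware not yet deployed (None when the device is current).
INVENTORY = {
    "00:00:5e:00:53:01": {"category": "router", "pending_fw": date(2026, 1, 5)},
    "00:00:5e:00:53:02": {"category": "router", "pending_fw": None},
    "00:00:5e:00:53:03": {"category": "pdu", "pending_fw": date(2026, 1, 5)},
    "00:00:5e:00:53:04": {"category": "bacnet-router", "pending_fw": None},
}
# Constructed passive observations: (MAC, IP) pairs seen on the wire.
OBSERVED = [
    ("00:00:5e:00:53:01", "10.20.0.1"),
    ("00:00:5e:00:53:02", "10.20.0.2"),
    ("00:00:5e:00:53:03", "10.10.0.50"),
    ("00:00:5e:00:53:04", "10.30.0.5"),
    ("00:00:5e:00:53:ff", "10.30.0.77"),
]

def audit(observed, inventory, today):
    """Return (mac, finding) pairs for the three inventory-driven tracks."""
    findings = []
    for mac, ip in observed:
        rec = inventory.get(mac)
        if rec is None:
            # Seen on the network but absent from asset management.
            findings.append((mac, "unmanaged"))
            continue
        limit = MAX_LAG_DAYS.get(rec["category"], MAX_LAG_DAYS["default"])
        pending = rec["pending_fw"]
        if pending is not None and (today - pending).days > limit:
            findings.append((mac, "firmware-lag"))
        in_critical = any(ip_address(ip) in net for net in CRITICAL_NETS)
        if rec["category"] in NEW_ENTRANTS and in_critical:
            findings.append((mac, "unsegmented"))
    return findings

if __name__ == "__main__":
    for mac, finding in audit(OBSERVED, INVENTORY, date(2026, 3, 1)):
        print(mac, finding)
```

Note that the same pending firmware date trips the router policy but not the PDU policy, which is the per-category lag the firmware track calls for.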


The Broader Context

The 2026 riskiest connected devices report is arriving at a moment when smart office and OT security are converging under sustained pressure from threat actors who have learned to treat connected infrastructure as an attack surface, not an obstacle.

The report's finding that a third of energy and utilities infrastructure has already experienced cyber pre-positioning activity — attackers establishing footholds before conducting destructive operations — should be read alongside the device risk data. The device categories entering the riskiest list are not theoretical targets. They are the categories that pre-positioning activity is using to establish persistence.

Organizations that treat connected device security as a compliance checkbox — a periodic assessment against a static device list — are not operating at the pace the threat environment requires. The 2026 data makes that gap explicit.

The attack surface is not a fixed quantity. It is growing, rotating, and extending into device categories that security teams are not yet monitoring with adequate precision. Closing that gap requires treating connected device risk as a continuous operational discipline, not a project with a completion date.


This article is based on connected device risk research and threat intelligence reporting for early 2026. Organizations should validate specific device categories and risk ratings against current vendor advisories and their own network inventory.