Shane

The 20 Riskiest Connected Devices Threatening Your Houston Business in 2026

Industry Risk Scores Vary Widely – Financial Services Leads the List – Network Infrastructure Replaced Endpoints as the Top Attack Target


Forescout's latest research reveals routers, VoIP systems, and medical
devices top the risk charts - and Houston businesses need to pay attention.

TL;DR
Forescout's 2026 report identifies 20 high-risk device types across IT, IoT, OT, and medical categories. Routers now carry 32 vulnerabilities each on average, financial services faces 3x the risk of retail, and 11 new device types appeared on this year's list for the first time.

Forescout Research - Vedere Labs released their annual Riskiest Connected Devices report on March 23, 2026, and the findings should give every Houston business owner a reason to look harder at what's actually connected to their network. The report analyzed millions of devices using a multifactor risk scoring methodology that evaluates configuration weaknesses, device function criticality, and internet exposure.

The headline number: 11 new device types appeared on the risk list this year - the second-largest year-over-year shift on record. Attackers are not sticking to the same targets. They're expanding into device categories that most businesses don't monitor closely, including time clocks, RFID readers, and power distribution units.

CinchOps is a managed IT services provider based in Katy, Texas, serving small and mid-sized businesses across the Houston metro area. CinchOps specializes in cybersecurity, network security, managed IT support, VoIP, and SD-WAN for businesses with 10-200 employees.

Why this matters for Houston SMBs: The devices flagged in this report - routers, printers, VoIP phones, UPS units - aren't exotic enterprise gear. They're sitting in offices across Katy, Sugar Land, and Houston right now, often running outdated firmware nobody has checked in years.

The 2026 Device Risk Rankings
Forescout identified the five riskiest device types across four categories: IT, IoT, OT, and IoMT.

The report breaks connected devices into four domains - Information Technology (IT), Internet of Things (IoT), Operational Technology (OT), and Internet of Medical Things (IoMT) - and ranks the top five riskiest in each. Of the 20 devices on the 2026 list, nine carried over from 2025. The other 11 are brand new entries.

| Rank | IT | IoT | OT | IoMT |
|------|----|-----|----|------|
| 1 | Router | VoIP System | Power Distribution Unit (PDU) | Medication Dispensing System |
| 2 | Serial-to-IP Converter | Printer | Physical Access Control System | Medical Image Printer |
| 3 | Workstation | Time Clock | UPS | DICOM Gateway |
| 4 | Firewall | Network Video Recorder (NVR) | I/O Module | MRI Scanner |
| 5 | Domain Controller | RFID Reader | BACnet Router | Healthcare Workstation |

Three device types have appeared consistently since 2022: routers, VoIP systems, and UPS devices. Routers bounced back to the #1 IT spot after dropping to fifth in 2025 - they held the top position in 2024 and 2022 as well. VoIP systems climbed from third to first in IoT.

The new entrants tell the real story. Serial-to-IP converters, time clocks, RFID readers, PDUs, I/O modules, BACnet routers, medication dispensing systems, medical image printers, DICOM gateways, and MRI scanners all appeared for the first time. That's a signal: attackers are probing device categories that most security teams don't watch closely.

Riskiest Connected Devices in 2026
Source: Forescout Research - Vedere Labs | Top 5 per category

| Rank | IT | IoT | OT | IoMT |
|------|----|-----|----|------|
| 1 | Router | VoIP System | PDU (New) | Medication Dispenser (New) |
| 2 | Serial-to-IP Converter (New) | Printer (New) | Physical Access Control | Medical Image Printer (New) |
| 3 | Workstation (New) | Time Clock (New) | UPS | DICOM Gateway (New) |
| 4 | Firewall | NVR | I/O Module (New) | MRI Scanner (New) |
| 5 | Domain Controller | RFID Reader (New) | BACnet Router (New) | Healthcare Workstation |

Network Infrastructure: The Primary Attack Target
Routers and firewalls now concentrate the most dangerous vulnerabilities on business networks.

Network infrastructure devices overtook endpoints as the riskiest IT device category starting in 2024, and that trend accelerated in 2026. Forescout's 2025 Threat Roundup found that network infrastructure exploitation grew from 3% in 2022 to 19% in 2025, making these devices the second most exploited category overall.

Cyber Alert: Router Vulnerability Exposure

The numbers on routers are stark. They carry an average of 32 vulnerabilities per device and account for roughly a third of all critical-severity, high-exploitability vulnerabilities found across organizational networks. Firewalls also contribute a significant share. These devices sit at the network perimeter, often with exposed management ports, zero-day vulnerabilities, and outdated firmware that nobody has touched in months or years.

Weak or reused credentials on management interfaces make the problem worse. Brute-force attacks against router and firewall admin portals remain a common attack vector.

Serial-to-IP converters are a new addition worth watching. These devices bridge legacy serial interfaces (RS-232) to IP networks and show up across industrial control systems, building automation, and medical networks. They run with default credentials, rarely get patched, and can serve as pivot points between IT and OT environments. For Houston's manufacturing and oil and gas companies, these converters may be connecting production floor equipment to corporate networks right now without anyone flagging the risk.

"In 30 years of managing networks, the pattern is always the same - businesses lock down their laptops and servers but forget about the router in the closet running five-year-old firmware. That router is now the #1 target on the list, and it's sitting unpatched in thousands of offices across the Houston metro."
- Shane Stevens, CEO of CinchOps

IoT Devices Nobody's Watching
Printers, time clocks, and RFID readers join VoIP systems and NVRs as top IoT risks.

VoIP systems took the #1 IoT risk spot in 2026. These devices are frequently internet-exposed, configured with unnecessary open ports, protected by weak credentials, and running outdated firmware. IP phones appeared among the most common device types with outdated firmware and among the most vulnerable overall. For the hundreds of Houston businesses running VoIP phone systems - including many of our own clients - this should be a priority check item.

Network Video Recorders (NVRs) dropped from first to fourth but remain a persistent target. A vulnerability in Hikvision NVRs was the third most exploited vulnerability in both 2024 and 2025. These devices get recruited into botnets at a high rate.

Three new IoT device types are worth flagging:

  • Printers - both multifunction office devices and specialized receipt, label, and wristband printers - rank among the most common devices running outdated firmware and configured with default credentials. They're connected to sensitive environments like point-of-sale systems and privileged workstations. That label printer in a warehouse or the receipt printer at a wealth management front desk is a legitimate entry point.
  • Time clocks track working hours using PINs, badges, or biometrics and connect directly to HR and payroll systems. They're deployed by system integrators and then forgotten by security teams.
  • RFID readers handle access control and inventory tracking, connecting to ERP systems. Weak segmentation or direct internet exposure turns these into quiet entry points - particularly in guest-accessible areas like hospital lobbies and retail locations.

Devices That Are Rarely Patched
These "set and forget" devices are installed, connected, and then ignored by security teams.

  • Printers: Default creds / outdated firmware
  • VoIP Phones: Open ports / weak credentials
  • Time Clocks: HR/payroll system access
  • RFID Readers: ERP integration / weak segmentation
  • UPS Units: Default creds / power disruption
  • Serial-to-IP Converters: IT/OT pivot point / rarely patched

The common thread: these are "set and forget" devices. Someone installs them, connects them to the network, and walks away. Nobody updates the firmware. Nobody changes the default password. Nobody segments them from the rest of the network. A Houston law firm's unpatched office printer sits on the same subnet as their client file server, and that's the kind of gap attackers are counting on.

OT and Medical Device Risks Expand
Data center power equipment and medical imaging systems carry serious, often unmonitored risks.

The OT category saw the most turnover, with three new device types: power distribution units (PDUs), I/O modules, and BACnet routers. PDUs and UPS devices are present in every data center and server room. Modern PDUs are network-connected with remote management capabilities. CISA has specifically warned about attackers targeting UPS devices with default credentials to shut off power or damage sensitive equipment through voltage manipulation. The same attack scenarios apply to PDUs.

BACnet routers connect building automation networks, and BACnet ranks as the third most attacked OT protocol. For Houston construction companies and property managers operating smart buildings, these devices sit at the intersection of building controls and corporate IT. Poor segmentation means a compromised BACnet router could provide access to HVAC, lighting, badge access, and fire safety systems.

The medical device list changed significantly. Medication dispensing systems - known to be vulnerable since researchers documented 1,418 vulnerabilities on just seven third-party components of a single popular device nearly a decade ago - took the top IoMT spot. They commonly run outdated firmware.

Imaging-related devices broke into three separate entries: MRI scanners, DICOM gateways, and medical image printers. These devices run on legacy hardware and software, require extensive network connectivity, and are frequent targets. Forescout documented real-world campaigns where attackers scanned for exposed medical imaging systems and exploited weaknesses in DICOM applications to infect patient devices. For healthcare organizations in the Texas Medical Center and across the Houston metro, medical device security isn't optional - it's a HIPAA compliance requirement and a patient safety issue.

Healthcare and OT Environments Need Cross-Domain Visibility

Attackers don't respect network boundaries. Ransomware moves from IT workstations to OT systems to medical devices. Protecting your business requires security that spans all connected device categories, not just the ones running Windows.

Industry Risk: Financial Services Leads by a Wide Margin
Average device risk varies dramatically by sector, with financial services at more than 3x the level of retail.

Forescout analyzed the five industries with the largest number of connected devices and found a stark gap. Financial services carried the highest average device risk, followed by government and healthcare. The difference isn't marginal - financial services risk was more than three times that of retail, and government risk was more than double that of manufacturing.

| Industry | Primary Risk Factor | Legacy Windows % | Telnet Exposure Trend |
|----------|---------------------|------------------|-----------------------|
| Financial Services | Highest overall device risk (3x retail); 65% traditional IT OS | 29% | 3% to 12% (biggest increase) |
| Government | 2x manufacturing risk; 72% special-purpose OS | ~25% | Slight decrease |
| Healthcare | 8% mobile OS (highest); imaging device concentration | 35% | 6% to 8% |
| Manufacturing | Traditional IT OS dominant; growing embedded device risk | Low | 5% to 12% |
| Retail | Highest legacy Windows at 39%; special-purpose OS at 61% | 39% | Slight decrease |

For Houston's CPA firms and wealth management practices, the financial services data is concerning. The highest overall risk score combined with a Telnet exposure jump from 3% to 12% means these organizations have both the most to lose and some of the fastest-growing gaps. Telnet transmits everything - including credentials - in plain text. There is no legitimate reason for a financial services firm to have Telnet running on 12% of its devices in 2026.

Operating system fragmentation adds another layer. Special-purpose operating systems (embedded firmware, networking OS) now dominate in government (72%), retail (61%), and healthcare (56%). These systems are hard to track, rarely patched automatically, and frequently running outdated or unsupported firmware. The devices most commonly running outdated firmware include label printers (26%), switches (19%), IP phones (12%), medication dispensing systems (11%), and standard printers (7%).

The Windows 10 Legacy Problem
End of support has accelerated legacy Windows exposure across every industry.

Windows 10 reached end of support on October 14, 2025, and the impact shows clearly in Forescout's data. Legacy Windows percentages increased across all five industries analyzed. Retail leads at 39%, followed by healthcare at 35% and financial services at 29%.

Legacy Windows by Industry
Percentage of devices running unsupported Windows versions after October 2025 end of support

  • Retail: 39%
  • Healthcare: 35%
  • Financial: 29%
  • Government: ~25%
  • Manufacturing: ~4%

The report notes that across all five industries, more than half of non-legacy Windows devices had previously been running Windows 10. Organizations can enroll in Microsoft's Extended Security Updates (ESU) program, but Forescout can't determine which devices are actually covered. That uncertainty is itself a risk - if you don't know which machines are getting security patches and which aren't, you have a visibility gap that attackers will find before you do.

We see this pattern at least twice a month with businesses in the Cypress and Woodlands area. A company with 50 workstations assumes IT handled the Windows 11 upgrade, but a quick scan shows 15-20 machines still on Windows 10 without ESU coverage. Those machines are running unpatched, and each one is an open door.

Open Ports and Vulnerability Reality
Telnet exposure is growing, and routers hold the most dangerous vulnerabilities.

Forescout tracked four commonly exploited protocols across industries: SMB, RDP, SSH, and Telnet. The most alarming finding is Telnet. Its usage increased in financial services, healthcare, and manufacturing - despite being an unencrypted protocol that should have been retired years ago. Financial services saw Telnet exposure jump from 3% to 12%. Manufacturing went from 5% to 12%. Healthcare climbed from 6% to 8%.

SSH and Telnet are rising across most industries, which signals growing exposure of OT and IoT infrastructure management interfaces. RDP and SMB have stabilized or declined in most sectors - a sign that traditional IT protocol hygiene is improving even as embedded device management falls behind.

Default credentials on management interfaces remain widespread. The device types most commonly configured with default passwords include printers, print servers, PLCs, and serial-to-IP converters. These aren't edge cases - these are devices in active use on production networks.

On the vulnerability front, the distinction between total vulnerabilities and dangerous vulnerabilities matters. Computers have the most vulnerabilities by volume (59% of all detected vulnerabilities). But when you filter for only critical-severity vulnerabilities with extreme exploitability scores, routers jump to #1 at 34%, followed by wireless access points at 23% and computers at 19%.

Routers average 32 vulnerabilities per device. Wireless access points and healthcare workstations average 18 each. Computers average 14. The takeaway: your router has more than twice as many vulnerabilities per device as the average workstation, and the vulnerabilities it carries are more likely to be weaponized.

Connected Device Security Self-Assessment

  • Do you know the firmware version running on every router, switch, and firewall on your network?
  • Have you changed the default credentials on all printers, VoIP phones, and network-connected devices?
  • Is Telnet disabled on all devices where SSH is available as an alternative?
  • Are your IoT and OT devices on isolated network segments, separate from workstations and servers?
  • Have all Windows 10 machines been upgraded to Windows 11 or enrolled in Microsoft's ESU program?
If you answered "no" or "I'm not sure" to any of these, your network has gaps that match the attack patterns in this report.
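
The five self-assessment questions can be checked mechanically against a device inventory export. The following is an added example, not code from Forescout or CinchOps; the CSV column names, the device rows, and the assumption that each segment is a /24 subnet are constructed for illustration.

```python
import csv
import io
import ipaddress

# Constructed sample inventory; column names are assumptions, not a vendor export format.
INVENTORY_CSV = """\
name,type,category,ip,os,esu,firmware,default_creds,open_ports
edge-router,router,IT,10.0.0.1,network OS,,,no,22;23;443
front-printer,printer,IoT,10.0.10.20,embedded,,2.1.0,yes,80;9100
lobby-phone,voip-phone,IoT,10.0.20.31,embedded,,5.4.2,no,23;5060
file-server,server,IT,10.0.10.5,Windows Server 2022,,,no,445
ws-014,workstation,IT,10.0.10.44,Windows 10,no,,no,3389
ws-015,workstation,IT,10.0.10.45,Windows 10,yes,,no,
rack-ups,ups,OT,10.0.30.9,embedded,,1.0.3,no,22;443
"""

NETWORK_GEAR = {"router", "switch", "firewall"}  # question 1 scope
TELNET, SSH = 23, 22


def load(text):
    """Parse the inventory CSV into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def subnet(ip, prefix=24):
    """Map an address to its segment (assumes /24 segments)."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def audit(rows):
    """Return {device name: [issues]} for the five checklist questions."""
    # Segments that hold workstations or servers; IoT/OT should not share them.
    it_subnets = {subnet(r["ip"]) for r in rows
                  if r["type"] in ("workstation", "server")}
    findings = {}
    for r in rows:
        ports = {int(p) for p in r["open_ports"].split(";") if p}
        issues = []
        if r["type"] in NETWORK_GEAR and not r["firmware"]:
            issues.append("firmware-unknown")            # Q1
        if r["default_creds"] == "yes":
            issues.append("default-credentials")         # Q2
        if TELNET in ports and SSH in ports:
            issues.append("telnet-with-ssh-available")   # Q3: disable Telnet
        elif TELNET in ports:
            issues.append("telnet-only")                 # no SSH fallback: review
        if r["category"] in ("IoT", "OT") and subnet(r["ip"]) in it_subnets:
            issues.append("not-segmented")               # Q4
        if r["os"] == "Windows 10" and r["esu"] != "yes":
            issues.append("win10-no-esu")                # Q5
        if issues:
            findings[r["name"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit(load(INVENTORY_CSV)).items():
        print(f"{name}: {', '.join(issues)}")
```

A device that exposes Telnet with no SSH listener is reported separately as `telnet-only`, since the checklist question only covers devices where SSH is available and those units need a firmware or replacement decision instead.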

How CinchOps Can Help
Protecting Houston businesses across all connected device categories.

The Forescout report makes one thing clear: security that only covers laptops and servers misses the devices attackers are actually targeting. CinchOps provides managed IT and cybersecurity services that address the full range of connected devices in your environment - from routers and firewalls to VoIP phones, printers, and OT equipment.

  • Network Device Audit and Hardening - We inventory every connected device on your network, identify outdated firmware, default credentials, and exposed management ports, then remediate the gaps before attackers find them.
  • Network Segmentation - IoT devices, OT equipment, and guest Wi-Fi belong on isolated network segments. We design and implement segmentation that limits lateral movement if any single device is compromised.
  • Firmware and Patch Management - Routers, switches, firewalls, VoIP phones, and printers all need regular firmware updates. We track versions across your entire device inventory and apply patches on a managed schedule.
  • Windows 10 Migration Support - We handle the full transition from Windows 10 to Windows 11, including hardware assessment, data migration, and application compatibility testing. No machine gets left behind unpatched.
  • Continuous Monitoring and Threat Detection - Our managed security services monitor network traffic for signs of compromise across all device types - not just endpoints. If an attacker brute-forces a router admin panel or pivots through a printer, we catch it.
  • Credential Hygiene Enforcement - We audit and replace default credentials across all network-connected devices, enforce strong password policies on management interfaces, and implement multi-factor authentication where supported.

Businesses across Houston, Katy, Sugar Land, and Cypress trust CinchOps to keep their connected devices secure, patched, and properly segmented. The attack surface is bigger than it was last year - and it's only getting wider.


Frequently Asked Questions

What are the riskiest connected devices in 2026 according to Forescout?

Forescout's 2026 report identifies routers as the riskiest IT device, VoIP systems as the riskiest IoT device, power distribution units as the riskiest OT device, and medication dispensing systems as the riskiest medical device. Routers carry an average of 32 vulnerabilities per device and account for 34% of the most critical vulnerabilities found on enterprise networks.

Why are routers and firewalls a bigger target than computers?

Computers have more total vulnerabilities, but routers and firewalls concentrate the most dangerous ones - critical severity with extreme exploitability scores. Network infrastructure devices sit at the perimeter with exposed management ports, outdated firmware, and weak credentials. Forescout found that network infrastructure exploitation grew from 3% of attacks in 2022 to 19% in 2025.

Which industries face the highest connected device risk?

Financial services carries the highest average device risk in Forescout's 2026 dataset, with risk scores more than three times higher than retail. Government ranks second at more than double the manufacturing average. Healthcare ranks third, driven by legacy Windows devices, mobile OS complexity, and vulnerable medical imaging equipment.

How does the end of Windows 10 support affect device security?

Windows 10 reached end of support on October 14, 2025, and legacy Windows percentages increased across all industries in Forescout's data. Retail has 39% legacy Windows devices, healthcare has 35%, and financial services has 29%. Devices not enrolled in Microsoft's Extended Security Updates program no longer receive security patches for newly discovered vulnerabilities.

What should Houston businesses do to reduce connected device risk?

CinchOps recommends five immediate actions: audit and update firmware on all routers, switches, and firewalls; change default credentials on every network-connected device including printers and VoIP phones; disable Telnet wherever SSH is available; segment IoT and OT devices onto isolated network segments; and complete Windows 10 to Windows 11 migrations with verified ESU coverage for any remaining devices.
