Key Findings
- 65% of devices across organizations are no longer traditional IT
- 11% are network equipment
- 24% are part of the extended IoT, such as IoT, OT and IoMT
- Financial services (54%), healthcare (45%) and oil, gas & mining (40%) have the highest percentages of non-IT devices
- Industries with more extended IoT security risks have higher device diversity (more device functions, vendors, and operating system flavors). In our dataset, there were:
- 380 device functions – an average of 164 per organization
- 5653 vendors – an average of 1629 per organization
- 3200 operating system versions – an average of 876 per organization
- Across industries, the top 25 device types make up 94% of all devices
- VoIP, printers and IP cameras are the most common IoT devices
- The remaining 6% include several unexpected findings, such as smart home devices, gaming consoles, 3D printers, set top boxes and action cameras.
- We zoom into IP cameras as a risk example:
- There were 125 IP camera vendors in our dataset
- 40% of cameras have at least one vulnerability
- Over 1,400 unique vulnerabilities affected those devices
- The top vendor alone – Axis – had 206 unique firmware versions in the dataset. 49% of Axis cameras were running firmware which reaches end-of-support status on December 31.
Mitigation Recommendations
- Ensure network visibility across every device type using a scalable solution
- Eliminate weak authentication
- Remove direct internet exposure
- Prioritize patching based on identified vulnerabilities
What do all the scenarios below have in common?
- Hackers turning a vape detector used in schools into an audio bug
- A Raspberry Pi enabling attackers to access a financial institution’s ATM network
- Rising volumes of cybercriminal attacks against building automation systems, network attached storage (NAS) and network edge devices
- The Akira ransomware gang exploiting IP cameras to bypass EDR protections
- Our R4IoT proof of concept predicting ransomware’s abuse of IP cameras three years ago and extending it to OT and medical devices
They all exploit a growing number of unmanaged devices in organizations’ networks and what’s worse: the lack of visibility into the security risks of those devices.
Security teams are often surprised when they realize the volume and diversity of devices they actually have in their networks. It goes well beyond what they think they have based on telemetry from security agents installed on managed devices or outdated manual asset inventories.
A recent blog post is a perfect example. It details how a CISO saw 323% more devices than expected on the network segment for the executive floor of his company. The over-600 “surprising” devices included: unmanaged badge readers, security cameras, smart thermostats, and a Bluetooth-enabled fish tank in the CEO’s office.
This story is not a one-off. In this post, we perform an ‘X-ray’ of modern corporate networks, examining the kind of IoT devices that are often connected, including some that are less common, but could be the next targets, and we show the industries where these risks are most prevalent.
The Most Common Devices
We analyzed 10 million devices in over 700 organizations active in October 2025 on Forescout’s Device Cloud. In this dataset, two-thirds of devices across all organizations are no longer traditional IT (workstations, laptops, servers, hypervisors, etc.). They are either network devices, such as routers and firewalls which are already a favorite target or ‘extended internet of things’ (xIoT) devices, including operational technology (OT), internet of things (IoT) and medical devices (IoMT).
Zooming further into the xIoT category, the figure below shows which device functions are the most common. Four of these categories were also among the riskiest devices in 2025: VoIP, IP camera, Point of Sale (PoS), and Uninterruptible Power Supply (UPS).
These devices are so common in the dataset because they are pervasive. Virtually every organization needs VoIP phones and video conferencing for communication; a host of office and specialized printers for office documents, labels, receipts, and other material; IP cameras and physical access control for security; UPS and out-of-band controllers in the data center and more.
Here, we can see devices that are popular, unmanaged, and have risks that are often ignored. See our blog about turning a smart TV into a spy device for a concrete example.
However, organizations across industries have specific needs for xIoT devices which bring other kinds of risks.
The Risks of Device Diversity – Industry Breakdown and a Look Into Retail
The figure below shows xIoT ‘penetration’ per industry – measured as the percentage of xIoT devices among all devices observed in that industry in our dataset.
Some of the industries with the highest penetration are expected. That includes healthcare (35% of xIoT) with lots of connected medical devices and utilities (22% xIoT) with lots of operational technology. Others are more surprising, such as financial services (35% xIoT – think of all the ATMs and surveillance systems) and retail (22% xIoT), which we explore below.
The high penetration of xIoT in those industries includes a high “device diversity,” which can be measured in three ways:
- The volume of specific device functions in that industry
- The volume of different vendors
- The volume of different operating systems
As we showed in previous research, high device diversity means that security operators must spend a considerable amount of time to identify, patch, and mitigate the risks of vulnerable devices. This is because:
- The tools able to identify IT devices might differ from those able to identify medical, OT, or IoT devices.
- So many unique device types introduce a variety of vendors and, so, patches are often available on different timelines and require unique procedures.
- In extreme cases, patches may not be available. Medical device patches, for example, require regulatory approval before they are issued. If a medical device is found vulnerable and no patch is yet approved, then other measures must be taken to mitigate the risk. This is where risk prioritization becomes critical.
In our dataset, there were:
- 380 device functions – an average of 164 per organization
- 5653 vendors – an average of 1629 per organization
- 3200 operating system versions – an average of 876 per organization
The industries with higher xIoT penetration – including healthcare and manufacturing – tend to have higher device diversity, including more device functions, vendors, and OS flavors.
Keep in mind, there is a long list of device functions that are not as common, but are critical to business operations in each industry.
The figure below exemplifies this ‘long tail’ for the retail industry which sits in the middle of the diversity scale, so it’s a good representative (and was the riskiest industry in our riskiest devices report this year).
The figure is in logarithmic scale, so the devices at the end, such as serial-to-IP converters, are three orders of magnitude less common than the ones at the beginning, such as computers.
Out of the total 140 device types in retail, the top 25 make up 99% of devices we observe. That includes all the device types in the most common list and others that are industry-specific, such as barcode scanners and loss prevention systems used to track products as they move across the supply chain and prevent shrinkage from theft, fraud, or operational errors. Lots of these devices are connected to backend systems, such as ERP and warehouse automation.
But the remaining 1% of device types is what really puts the ‘x’ in xIoT. The table below shows some device types which were surprising for us to find, often because we think of them as consumer devices, but they are present in enterprises too. They are in the last 1% in retail, but they also appear in other industries, as shown in the description columns of the table.
| Device type | Total number across industries | Comments |
|---|---|---|
| Smart home devices | 8,000+ | Used across most industries and includes smart home controllers, switches, plugs, locks, vacuums, aquarium controllers and other devices. |
| Gaming consoles | 3,000+ | Seen in education, retail, healthcare and others. |
| Two-way radios and intercoms | 700+ | Seen in healthcare, retail, manufacturing and other industrial sectors for staff communication and coordination. |
| 3D printers | 200+ | Seen in manufacturing, healthcare, professional/business services, education and retail. |
| Cash drawers | 150+ | Common in financial services. |
| Set top box | 150+ | Common in healthcare facilities in waiting rooms and patient rooms. |
| Action cameras | 40+ | Some examples in several industries. |
This presence of a long tail of ‘odd’ devices is not exclusive to retail. Across industries, the top 25 device types make up 94% of all devices, but the remaining 6% are a ‘mixed bag’ of other connected equipment. Healthcare has pneumatic tube systems (over 2,000 in our dataset) to transport items, such as laboratory samples and medications between different departments. Government has postage meters. Utilities have intelligent electronic devices, and so on.
Below we show how even when we focus on one single popular device type – IP cameras – there is huge diversity of vendors and OS versions in modern networks which bring along its own risks.
IP Camera Deep Dive – A Concrete Risk Example
IP cameras are the third most popular IoT device type overall, after VoIP phones and printers. They are the most popular IoT type in retail. For the charts below, we used a subset of 25,000 IP cameras seen on customer networks.
We saw a total of 125 different IP camera vendors in the dataset, sorted by popularity in the figure below. Axis has been the most popular vendor on the networks we monitor for a long time. We used an Axis camera in the original R4IoT demonstration. There are other well-known names there, such as Hikvision which is the brand most often exposed with over 2.5 million cameras online.
These devices are risky for several reasons:
- 40% of the IP cameras in the dataset have at least one vulnerability.
- We observed over 1,400 unique vulnerabilities affecting those devices, including vulnerabilities specific to a device and supply chain issues, such as OpenSSL CVEs.
- 3% of the cameras in this dataset were exposed to the internet. These are cameras used in real networks of real businesses, not home cameras.
- Examining the top vendor alone – Axis – we saw 206 unique firmware versions in the dataset. 49% of Axis cameras were running firmware 9.x, which reaches end-of-support status on December 31.
This diversity of firmware versions and several devices that have reached or will soon reach end-of-support (EoS) or end-of-life (EoL) status is not exclusive to Axis and not exclusive to IP cameras. Our previous research has shown that:
- 63% of internet-exposed DrayTek routers were EoL or EoS.
- Only 10% of internet-exposed Sierra Wireless routers were patched against 5-year old vulnerabilities—and 90% of routers exposing a critical management interface were EoS.
Why Does It All Matter? Risk and Mitigation
xIoT devices have become the entry point or a pivot point for several attacks on real organizations for several reasons:
- Weak configurations. Internet exposure and weak configurations remain top risk factors for xIoT devices. We have reported multiple botnets – such as Aisuru, Kaiten, Gafgyt and CloudBot – using default credentials for lesser-known, internet-exposed OT and IoMT
- Lack of network segmentation. The Akira ransomware example at the beginning of this report and others exemplify how these devices often share similar network segments as other critical business assets.
- Known vulnerabilities. These devices often have exploited vulnerabilities. Out of the 460 xIoT vulnerabilities we currently track as exploited in the Vedere Labs Known Exploited Vulnerabilities (VL-KEV) catalog, only 174 (38%) are in the CISA catalog.
- New vulnerabilities. Time and again, malware is reported exploiting zero-days in relatively unknown devices, such as Corona exploiting AVTECH IP cameras and more recently, RondoDox packing 18 zero-days affecting IP cameras, routers, and DVRs.
Beyond the traditionally exploited IoT devices, many others can become future targets. Organizations need to ensure they have visibility into and risk assessment for these assets, so they can prioritize patching and risk mitigation.
That is why Forescout is launching eyeSentry today, a cloud-native, continuous threat exposure management solution that helps organizations move from reactive to proactive security with unified visibility across IT, OT, IoT, and IoMT devices.
eyeSentry leverages Forescout’s leading asset intelligence to deliver the deepest, most accurate visibility across all devices for organizations who need something easy to deploy and can manage from the cloud.
The solution combines real-time, active, and passive asset discovery techniques, providing deep insight into what devices are doing, how they behave, and how they connect, allowing security teams to prioritize the most critical risks to their organization.
This brings clarity, prioritization, and resilience to organizations, helping them act smarter, not just faster.