Forescout has released its fifth annual Riskiest Connected Devices of 2025 report, highlighting a growing trend of vulnerabilities across the digital ecosystem. The report analyzes the five riskiest device types globally across IT, Internet of Things (IoT), Operational Technology (OT), and the Internet of Medical Things (IoMT), as well as across key industry verticals.

Among the most concerning findings, IoMT devices continue to grow more vulnerable, raising significant alarms around the security of healthcare networks. Routers now represent over 50% of the most vulnerable devices, emphasizing the urgent need to strengthen network infrastructure defenses. The report also reveals a 15 percent year-over-year increase in average device risk, with routers accounting for the majority of devices carrying the most critical vulnerabilities. Industry-wise, retail emerged as the sector with the riskiest devices on average, followed by financial services, government, healthcare, and manufacturing.

To combat these threats, Forescout introduced a new cloud-enabled platform called eyeScope, which provides a consolidated view of the entire device landscape, enabling organizations to better monitor and manage cyber risks.

“We’re handing attackers the keys to critical operations. Cybercriminals are ditching traditional endpoints and targeting the devices that keep our hospitals, factories, governments, and businesses running,” Barry Mainz, Forescout CEO, said in a media statement. “This year alone, four new types of medical device topped the risk charts. If we don’t secure every IT, IoT, OT, and IoMT device across our networks, the consequences will be devastating.”

“Today’s threat environment spans IT, IoT, OT, and IoMT—yet too many security solutions operate in silos, leaving dangerous blind spots,” said Daniel dos Santos, head of research at Forescout Research – Vedere Labs. “Beyond regular risk assessments, enterprises need automated controls that cover all assets. Solutions that focus on specific devices fail to deliver the full visibility and security controls needed for these highly complex environments.”

Forescout reported that universal gateways and historians (servers dedicated to storing operational process data) appeared on the list for the first time this year, alongside building management systems (BMS), physical access control systems, and uninterruptible power supply (UPS) devices.

BMSs and physical access control systems are critical for facilities management across many industries. There have been multiple instances of smart buildings exploited by threat actors to disable controllers and render them unusable, recruit vulnerable physical access control devices into botnets, or compromise management workstations for initial access into enterprise networks. These devices combine the insecure-by-design nature of OT with IoT’s internet connectivity, making them highly susceptible to online exposure – even in critical facilities.

UPSs play a crucial role in power monitoring and data center power management. CISA has warned about threat actors targeting UPSs with default credentials, enabling attackers to disrupt critical infrastructure by shutting off power in a critical location or tampering with voltage settings, potentially damaging sensitive equipment.

Universal gateways facilitate communication between systems using different protocols (e.g., Modbus and EtherNet/IP) and are commonly at Purdue levels 1 and 2. They are risky because they interconnect disparate systems, sometimes bridging Ethernet and serial communications. This introduces the potential for lateral movement within OT networks and enables threats from the Ethernet network to impact serially connected devices.

Historians store operational process data and are deployed alongside process control systems based on programmable logic controllers (PLCs) or distributed control systems (DCS), often at Purdue Level 3. Because they commonly share data with enterprise devices at higher levels, they sit at the high-risk junction between IT and OT networks.

According to SANS, 10 percent of OT incidents in 2024 involved data historians as an initial access vector. That same report also identified remote storage and processing of historian data as the second and fourth most common OT cloud adoption use cases, potentially expanding OT networks’ attack surface.

Forescout noted that four new IoMT device types were added this year – imaging devices, lab equipment, healthcare workstations, and infusion pump controllers.

Imaging devices such as CT scanners, PET-CT scanners, and X-ray machines generate medical images and are typically connected to PACS (Picture Archiving and Communication Systems) for storage and retrieval. These devices often run legacy, vulnerable IT operating systems and require extensive network connectivity to enable the sharing of imaging files. They rely on the DICOM (Digital Imaging and Communications in Medicine) standard, which defines both the image formats and the communication protocols used for transmitting medical images. 

A recent report highlighted real-world attacks targeting patient data through medical honeypots, as well as threat campaigns exploiting DICOM applications to infect both patients and healthcare institutions.

Lab equipment, such as blood and urine analyzers, plays a vital role in diagnostic laboratories by processing biological samples and generating critical health data. These devices typically run specialized operating systems and are integrated with Laboratory Information Systems (LIS). A significant concern is that the data exchanged between lab equipment and LIS is often unencrypted, making it susceptible to cyber threats such as data exfiltration and tampering.

Healthcare workstations are used to interface with various medical systems and equipment, including DICOM workstations, treatment planning systems, and diagnostic terminals. They handle clinical data using standardized formats such as HL7 (Health Level 7) to integrate with electronic health records (EHRs) and billing systems. These devices provide access to highly sensitive medical information—data that is extremely valuable on the dark web and frequently targeted by ransomware gangs.

Infusion pump controllers are critical components in hospital environments, managing modular systems that regulate medication dosage and infusion duration. As the central control units—or ‘brains’—of these systems, they are widely used and essential to patient care. A successful compromise could allow attackers to alter drug delivery settings, posing serious risks to patient safety.

Forescout reported that the riskiest IoT devices include mostly those that have been known to be problematic for a long time, such as network video recorders (NVRs), VoIP, IP cameras, and network attached storage (NAS) devices. This year, point of sale (PoS) systems, such as those used in retail stores, made the list. PoS systems have been targeted by cybercriminals with generic malware such as keyloggers and infostealers to capture sensitive information, as well as dedicated RAM scrapers that search the device’s memory for credit card numbers and other data before encryption.

The report's 2025 list of riskiest IT devices includes four newly identified high-risk IT device types – Application Delivery Controllers (ADCs), Intelligent Platform Management Interfaces (IPMI), Firewalls, and Domain Controllers. IPMI devices are particularly vulnerable due to persistent critical flaws, while domain controllers represent some of the most sensitive targets within internal networks.

In 2023, endpoints posed a greater risk than network infrastructure. However, this trend reversed in 2024—and continues in 2025—with network infrastructure now representing the greater threat. These devices are often exposed at the network perimeter and feature dangerously open administrative ports.

Despite the addition of new high-risk IT devices, routers still account for over 50% of the most critically vulnerable systems, maintaining their status as top targets for attackers. Computers and wireless access points also remain among the most frequently vulnerable device types.

In 2025, the retail sector holds the highest average device risk, followed by financial services, government, and healthcare. Manufacturing ranks fifth. Notably, the gap in risk scores between industries has narrowed, indicating a broader distribution of cybersecurity challenges across sectors. The overall average device risk score rose to 8.98—up 15 percent from 7.73 in 2024—underscoring an escalating threat landscape affecting all industries.

“For this analysis, we selected the 11 countries where the average device risk was 9.0 or higher. The top three countries with the riskiest devices are Spain, China and the UK,” Forescout reported. “As with industries, the average risk per country has also increased significantly this year. In 2024, the average risk for the top 10 countries was 6.53, whereas in 2025 it has risen to 9.1 – a 33% increase, highlighting a sharp escalation in cybersecurity risk worldwide.”

Forescout reported that traditional IT operating systems like Windows, Linux, macOS, and UNIX remain dominant across sectors, even among specialized IoT, OT, and IoMT devices. Financial services lead with 93 percent of devices running IT OSes, while healthcare, government, and manufacturing show higher adoption of special-purpose operating systems, including embedded firmware and network OSes.

The use of embedded OSes now surpasses mobile OSes across all industries, continuing a trend seen since 2024. Government saw the most significant growth in embedded OS adoption, rising from 8.6 percent in 2024 to 14 percent in 2025, while financial services and retail saw slight declines.

Analysis of the most frequently vulnerable device types shows that five of the top 10 also rank among the riskiest overall, underscoring the strong link between vulnerability prevalence and risk. While computers have the highest number of total vulnerabilities, routers dominate when focusing solely on the most dangerous ones—those rated critical in severity and highly exploitable. Routers now account for half of such vulnerabilities in organizational networks.

Notably, several IoMT devices, including pump controllers, medication dispensing systems, and healthcare workstations, also appear among the most critically vulnerable, highlighting the growing cybersecurity risks in healthcare. The distinction between total and highly exploitable vulnerabilities reinforces why network infrastructure and medical devices are key targets for attackers in 2025.

In conclusion, Forescout recognized that the attack surface in modern organizations now spans IT, IoT and OT, with IoMT adding another layer of complexity in healthcare. Focusing security efforts on a single category is no longer sufficient, as attackers exploit devices across different domains to execute attacks. “We previously demonstrated this with R4IoT, an attack that begins with an IP camera (IoT), moves to a workstation (IT) and disables PLCs (OT) – illustrating the interconnected nature of today’s cyber threats.”

The report analyzed the current risk levels across this expanded attack surface, identifying the most vulnerable devices that demand immediate attention from security teams. “To effectively defend this evolving attack surface, organizations must adopt modern security strategies that address risk across all device categories. As threat actors continue shifting their focus away from traditional endpoints, they increasingly target less-protected devices that offer easier initial access.”

It added that a comprehensive risk and exposure management strategy must identify, prioritize and mitigate risk across IT, OT, IoT and IoMT – rather than treating them in silos. Avoid solutions that only address specific devices, since these fail to provide a complete picture of risk. For example, OT or IoMT-only solutions cannot effectively assess IT risk, just as IT-focused tools lack visibility into specialized devices.

Beyond risk assessment, mitigation should leverage automated controls that extend across the entire enterprise – not just isolated environments like IT, OT, or specific IoT networks. Moreover, these controls should not depend solely on security agents, ensuring that organizations maintain continuous risk reduction across all interconnected systems.
