Most organisations spend serious time and budget protecting devices, applications, and cloud systems.
They monitor endpoints, implement threat detection, and audit user access. However, in too many cases, the router, the device that sits between the user and the internet, receives barely a second thought.
That’s a problem.
Not because routers are new or exotic. Quite the opposite. It’s their familiarity and low profile that makes them dangerous. Most are unmanaged, unmonitored, and critically unpatched.
And attackers know it.
The Vulnerabilities Are Well Known. That’s the Problem.
From 2021 to 2025, researchers and security agencies have documented hundreds of critical router vulnerabilities. These affect devices from brands like Netgear, Cisco, D-Link, TP-Link, Tenda, and Ubiquiti, which are widely used in homes, small offices, and even branch locations of larger organisations.
Here’s what makes this especially concerning:
- Many of the most severe vulnerabilities are not new.
- Most of the affected devices are still in use.
- A large number will never be patched.
A 2021 study found that the Linux kernel in the average SOHO router’s firmware was 5 to 10 years behind the latest release, leaving more than 1,400 inherited vulnerabilities in each device’s software stack.
Some routers still in use today ship with root accounts that have no password, or with embedded credentials that can’t be changed.
Outdated, Unguarded and Targeted
In isolation, that would be bad enough. But these devices are also:
- Rarely monitored by IT security teams
- Physically unmanaged (often installed by the user or a third party)
- Left untouched for years after deployment
This creates a perfect storm: a high number of known, exploitable vulnerabilities in devices that no one is watching.
For an attacker, that’s gold.
It’s not just about getting into the router. Once compromised, attackers use these devices to:
- Launch botnet-based attacks (like Mirai or ViciousTrap)
- Act as covert proxy infrastructure
- Perform data exfiltration or traffic interception
- Jump laterally to internal devices
In short, routers often serve as a quiet launchpad into the rest of your environment.
These Attacks Are Real
In 2025, the FBI issued a public warning that end-of-life routers are being actively used as nodes in botnets and as control points.
The APT28 threat group, linked to Russian state-sponsored cyber activity, built a global proxy network using tens of thousands of compromised Ubiquiti EdgeRouters.
The ViciousTrap campaign has infected over 5,000 small office/home office (SOHO) routers with malware designed to redirect and intercept traffic via honeypots.
Even high-profile vendors like Cisco and D-Link have had routers targeted using known CVEs from years ago, some of which have no available patch because the devices are past the end of their support life.
These aren’t theoretical risks. They are repeatable attack patterns observed across multiple campaigns, utilising weaknesses that are well-documented and widely unaddressed.
Why Routers Get Overlooked
In most security audits, the focus lands on endpoints, servers, SaaS platforms, and identity systems. Routers rarely make the list. Why? Because they sit outside central IT control, are often installed by individuals or third parties, and seldom generate alerts or telemetry that feed into SOC tools.
The assumption is that if the device works, it’s fine. But this “if it ain’t broke, don’t fix it” approach leaves a blind spot in otherwise mature cyber defences.
The Scale of the Problem
While it’s easy to think of this as a niche risk, the scale is anything but small. Across the UK, US, and EU alone, there are estimated to be over 400 million off-the-shelf routers currently in use, many of which are deployed in homes where people work, shared offices, or small branch sites without any central management or visibility.
These aren’t enterprise-grade devices with strong vendor support and real-time updates.
They’re often consumer-grade hardware, installed and forgotten. When even a small percentage of these are vulnerable (or already compromised), the opportunity for attackers becomes vast.
Guidance Is Catching Up
Cybersecurity agencies are starting to recognise this. Recent joint guidance from the NSA, GCHQ and the Five Eyes alliance explicitly identifies network edge devices, including routers and firewalls, as a growing area of concern.
- NSA Guidance on Mitigating Edge Device Risk
- NCSC Advice on Network Edge Security
However, organisational awareness often lags behind the guidance. And in many cases, the people responsible for security simply don’t have visibility into what edge devices their users are relying on.
What You Can Do
- Audit: Start by identifying what network hardware your teams connect through, especially in remote and satellite setups.
- Replace: Where possible, use centrally managed, security-focused routers with regular patching.
- Separate: Keep work and personal traffic separate to reduce exposure from other devices on the same network.
- Monitor: If edge devices are part of your critical infrastructure, treat them that way.
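As an added example (not code from the original article), the triage below applies the four steps above to a constructed edge-device inventory, flagging devices that are past end of life, running firmware older than the article’s five-year lower bound, unmanaged, or sending no telemetry. The CSV fields, device names and dates are assumptions made for illustration.

```python
"""Triage an edge-device inventory against the criteria in the article."""
import csv
from datetime import date
from io import StringIO

# Constructed sample inventory (not real devices); field names are assumptions.
INVENTORY_CSV = """site,model,firmware_date,eol_date,managed,sends_logs
Branch-A,Vendor-X R1,2016-03-01,2020-06-30,no,no
Branch-B,Vendor-Y R2,2024-01-15,,yes,yes
Home-C,Vendor-Z R3,2019-05-20,2026-12-31,no,no
Office-D,Vendor-X R4,2023-11-01,,yes,no
"""

STALE_YEARS = 5  # the article's lower bound for "years behind"


def _parse(value):
    """Parse an ISO date, returning None for an empty field (e.g. no EOL yet)."""
    return date.fromisoformat(value) if value else None


def assess(row, today):
    """Return the list of findings for one device record."""
    findings = []
    firmware = _parse(row["firmware_date"])
    eol = _parse(row["eol_date"])
    if eol and eol <= today:
        findings.append("end-of-life: no further patches; replace")
    if firmware and (today - firmware).days >= STALE_YEARS * 365:
        findings.append("firmware older than %d years; patch or replace" % STALE_YEARS)
    if row["managed"].strip().lower() != "yes":
        findings.append("not centrally managed; bring under management")
    if row["sends_logs"].strip().lower() != "yes":
        findings.append("no telemetry reaching SOC; enable logging and monitoring")
    return findings


def triage(csv_text, today):
    """Map each site to its findings, most findings first (most urgent)."""
    rows = list(csv.DictReader(StringIO(csv_text)))
    result = {r["site"]: assess(r, today) for r in rows}
    return dict(sorted(result.items(), key=lambda kv: -len(kv[1])))


if __name__ == "__main__":
    for site, findings in triage(INVENTORY_CSV, date(2025, 6, 1)).items():
        print(site, "->", findings or ["ok"])
```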
Final Thoughts
Cyber attackers aren’t looking for a fight. They’re looking for a foothold. And right now, too many network edge devices are handing them one.
As remote work, hybrid models, and decentralised IT environments continue to spread, the router has quietly become one of the most valuable assets an attacker can compromise.
It’s time to stop treating it like a throwaway device.