When I started researching network edge devices with evidence of exploitation in VulnCheck KEV, I wanted to better understand what was actually being targeted. Specifically, I was interested in the types of devices being exploited, whether they were still supported, and how attackers are using them.
That led me to dig deeper into questions like consumer versus enterprise devices, where vendors are headquartered, and which device types are targeted by botnets versus ransomware. What started as a quick blog post quickly grew into something much larger. The research expanded beyond what typically fits in a blog, so we decided to turn it into a full report as part of our 2026 State of Exploitation research.
The timing of this report also aligns with CISA’s recently released Binding Operational Directive, BOD 26-02: Mitigating Risk From End of Support Edge Devices. That raised an important question for me. Can broader exploitation evidence of end of life devices help defenders gain better visibility into the risks in their own environments?
- 42.5 percent of vulnerabilities exploited in 2025 affected devices that are end of life or likely end of life, with additional vulnerabilities impacting products that have already reached end of sale
- Consumer networking equipment is a major exploitation target. Consumer routers and globally distributed networking products account for 56 percent of exploited edge device vulnerabilities
- Botnets disproportionately target unsupported devices. 65 percent of vulnerabilities exploited by botnets affect end of life or likely end of life products
- Many exploited edge device vulnerabilities are not represented in CISA KEV. Only 23.7 percent of the vulnerabilities identified by VulnCheck appear in CISA KEV
- Active exploitation frequently precedes CVE assignment. VulnCheck issued CVEs for 18 vulnerabilities after detecting exploitation activity through honeypots and canary systems
I hope you enjoy this exploration into network edge device exploitation.
Cheers,
Patrick Garrity
This research is part of our broader State of Exploitation 2026 series, where we analyze real world exploitation trends using VulnCheck KEV and additional VulnCheck threat intelligence.
VulnCheck is helping organizations not just to solve the vulnerability prioritization challenge – we’re working to help equip any product manager, CSIRT/PSIRT or SecOps team and Threat Hunting team to get faster and more accurate with infinite efficiency using VulnCheck solutions.
We knew that we needed better data, faster across the board, in our industry. So that’s what we deliver to the market. We’re going to continue to deliver key insights on vulnerability management, exploitation and major trends we can extrapolate from our dataset to continuously support practitioners.
Are you interested in learning more? If so, VulnCheck’s Exploit & Vulnerability Intelligence has broad threat actor coverage. Register and demo our data today.
