Networking Equipment Riddled With Software Supply Chain Risks
2024-7-26 16:24:18 Author: securityboulevard.com

A complex array of third-party software, open-source components, applications, containers and device firmware powers networking equipment, leaving the hardware open to vulnerabilities that remain unpatched.

These were among the findings of a NetRise report analyzing risks in the software of enterprise networking equipment, including routers, switches, firewalls, VPN gateways and wireless access points.

Each device harbored an average of 1,120 known vulnerabilities, with over one-third being more than five years old.

The report found that vulnerability risk is, on average, 200 times greater across the five networking equipment asset classes than traditional network-based vulnerability scanners would lead one to believe.

Critical or high-severity vulnerabilities made up 42% of the findings, equating to approximately 473 severe vulnerabilities per device.

Further analysis revealed about 20 weaponized vulnerabilities per device, with seven being network accessible.

Analyzing 100 devices across five categories, NetRise researchers generated a detailed Software Bill of Materials (SBOM) for each, uncovering an average of 1,267 software components per device.

This analysis identified all software components, including third-party libraries and dependencies, providing a view of the software stack.

The report highlighted significant discrepancies between traditional network-based vulnerability scans and SBOM-based analysis.

Outdated software components often contain vulnerabilities that were discovered and documented long ago and are well understood by threat actors, who can exploit them using readily available tools and techniques.

As a result, devices running outdated software are prime targets for attacks.

Additionally, older software components may be end-of-life and no longer receive security updates or patches from the vendor, leaving the system exposed to exploitation and creating persistent security gaps in the network.

Minimizing System Compromise

Michael Skelton, vice president of operations and hacker success at Bugcrowd, cautioned that the primary risks associated with vulnerabilities in network equipment are the high likelihood of further system compromise and the potential for malicious actors to control or disable critical network functions.

He explained that network equipment often has high levels of access in order to perform its function, which lets attackers pivot into other systems and network areas and amplifies the business impact of a breach.

“These vulnerabilities are particularly critical compared to typical web vulnerabilities, as they can lead to widespread damage and exploitation across your business,” he said.

Tom Pace, CEO of NetRise, said supply chain security is not a one-time effort; continuous monitoring of software components is essential to stay ahead of emerging threats.

“Companies should establish processes for ongoing vulnerability assessment and remediation,” he said.

By focusing on these steps, organizations can significantly enhance their supply chain security processes, mitigate risks more effectively and protect their critical assets.

“The key takeaway is clear: You cannot secure what you do not see,” Pace said. “Comprehensive software visibility is the starting point for any robust security strategy.”

Patch, Update Software Regularly

To mitigate the risks associated with outdated software components, organizations should regularly update and patch software, conduct comprehensive software audits during procurement to assess the state of different products and their software, and prioritize updates and replacements based on these audits.

“Maintaining SBOMs to track all software components and their versions is crucial,” Pace said.

Additionally, using automated security tools to analyze both old and new software components can help identify vulnerabilities in legacy and new systems, providing actionable insights for remediation.

Mayuresh Dani, manager of security research at the Qualys Threat Research Unit, added that government mandates are now forcing vendors to create and share SBOMs with their customers.

“Organizations should request SBOMs from their vendors,” he said. “This is the easiest approach.”

He said that while there are other approaches, such as dumping the firmware and actively probing it, these may breach vendor agreements.

“Organizations should maintain and audit the existence of exposed ports by their network devices,” Dani added. “These should then be mapped to the installed software based on the vendor-provided SBOM.”
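The following Python, added here and not code from the article or from NetRise, shows the SBOM-based assessment the report describes combined with Dani's advice to map exposed ports to installed software: it scores one device from a vendor-supplied SBOM, a vulnerability feed and the device's listening ports. The SBOM, feed, ports, dates and "EXAMPLE-" identifiers are all constructed placeholders.

```python
# Added example, not from the article or NetRise. All data below is constructed
# for illustration; the "EXAMPLE-" ids are placeholders, not real CVEs.
from datetime import date
ASSESSMENT_DATE = date(2024, 7, 26)  # constructed "today" for age calculations
# Constructed SBOM: component, version and the ports that component listens on.
SBOM = [
    {"name": "openssl", "version": "1.0.2", "ports": [443]},
    {"name": "busybox", "version": "1.20.0", "ports": [23]},
    {"name": "libxml2", "version": "2.9.4", "ports": []},
    {"name": "dropbear", "version": "2019.78", "ports": [22]},
]
# Constructed vulnerability feed keyed by (component, version).
VULN_FEED = {
    ("openssl", "1.0.2"): [
        {"id": "EXAMPLE-0001", "severity": "critical", "published": date(2016, 5, 3), "weaponized": True},
        {"id": "EXAMPLE-0002", "severity": "medium", "published": date(2022, 1, 10), "weaponized": False},
    ],
    ("busybox", "1.20.0"): [
        {"id": "EXAMPLE-0003", "severity": "high", "published": date(2017, 8, 1), "weaponized": True},
    ],
    ("libxml2", "2.9.4"): [
        {"id": "EXAMPLE-0004", "severity": "high", "published": date(2018, 11, 15), "weaponized": False},
    ],
}

def assess_device(sbom, feed, exposed_ports, today):
    """Per-device figures in the style of the report: total known vulnerabilities,
    those older than five years, critical/high ones, weaponized ones, and weaponized
    ones reachable over the network (component listens on a port the device exposes)."""
    stats = {"total": 0, "older_than_5y": 0, "critical_high": 0, "weaponized": 0, "network_accessible": 0}
    reachable_findings = []  # (component, id) pairs to remediate first
    for comp in sbom:
        reachable = bool(set(comp["ports"]) & set(exposed_ports))
        for v in feed.get((comp["name"], comp["version"]), []):
            stats["total"] += 1
            if (today - v["published"]).days > 5 * 365:
                stats["older_than_5y"] += 1
            if v["severity"] in ("critical", "high"):
                stats["critical_high"] += 1
            if v["weaponized"]:
                stats["weaponized"] += 1
                if reachable:
                    stats["network_accessible"] += 1
                    reachable_findings.append((comp["name"], v["id"]))
    return stats, reachable_findings

def unmapped_ports(sbom, exposed_ports):
    """Exposed ports that no SBOM component accounts for: a visibility gap to audit."""
    claimed = {p for comp in sbom for p in comp["ports"]}
    return sorted(set(exposed_ports) - claimed)
```

A port that the device exposes but that no SBOM component claims (8080 in the constructed data) indicates software the vendor SBOM does not describe, which is exactly the blind spot the report warns about.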

Source: https://securityboulevard.com/2024/07/networking-equipment-riddled-with-software-supply-chain-risks/