A new study released today by cybersecurity firm NetRise Inc. warns that vulnerability risks associated with network equipment are far greater than previously understood.

NetRise’s third-quarter supply chain visibility and risk study for network equipment, based on the analysis of more than 100 different networking equipment devices, found that traditional network-based vulnerability scanners significantly underreport the true extent of software vulnerabilities in critical networking devices such as routers, switches, firewalls, virtual private network gateways and wireless access points.

The headline finding from the study is that networking equipment contains an average of 1,267 software components, with each device harboring, on average, a whopping 1,120 known vulnerabilities. NetRise says the figure is 200 times greater than what is typically detected by conventional scanning methods.

One-third of the vulnerabilities uncovered were found to be more than five years old, indicating that many network devices are running outdated and insecure software components. With vulnerabilities that long, unsurprisingly, the study notes that prolonged exposure increases the risk of exploitation by cyberattackers.

Of the average 1,120 vulnerabilities found in each device, 42% were classified as critical or high severity according to Common Vulnerability Scoring System scores. The study does note that only 20 on average were found to be weaponized vulnerabilities, with an average of seven network-accessible, making them a more manageable and targeted risk for security teams to address.

The study also highlights the importance of software bills of materials, or SBOMs, as essential for achieving comprehensive visibility into software components and dependencies. However, despite their importance, only 35% of organizations were found to currently produce SBOMs, creating a significant gap in supply chain security processes.

Though the NetRise study does highlight the many missed vulnerabilities on network devices, it also makes a number of recommendations.

Organizations are advised to adopt a detailed SBOM analysis to achieve complete visibility into their software assets, including generating comprehensive SBOMs for all software components, third-party libraries and dependencies to identify vulnerabilities that traditional network-based scanners often miss. Prioritizing the creation and maintenance of SBOMs is noted as being crucial for understanding and managing software risks effectively.

Organizations are also advised to focus on remediating weaponized and network-accessible vulnerabilities instead of solely relying on CVSS severity scores. By addressing weaponized vulnerabilities, the study says, organizations can more efficiently tackle the biggest threats.

Image: SiliconANGLE/Ideogram