Old routers and unsupported edge devices are becoming easy targets for attackers. Learn how forgotten hardware can expose homes, businesses, and networks to serious cyber risk.
A router is easy to forget. Once the internet works, most people stop thinking about the small box sitting on a shelf, under a desk, or inside a network rack.
That is exactly why attackers care about it. Old routers, firewalls, and VPN gateways have become one of the most overlooked cybersecurity risks. Recent guidance from CISA, the FBI, and the UK’s NCSC warns that nation-state actors exploit end-of-support edge devices such as routers, firewalls, load balancers, and VPN gateways to gain access, maintain presence, and compromise data. These are not ordinary gadgets anymore. They are entry points into homes, businesses, and critical systems.
This article explains why unsupported routers are dangerous, how attackers use them, and what practical steps individuals and organizations can take to close this forgotten security gap.
What It Is
An old router becomes a security problem when it reaches end of life or end of support. This means the manufacturer no longer provides firmware updates, security patches, or active maintenance for the device. That matters because vulnerabilities do not stop appearing just because support ends. Attackers continue to scan the internet for exposed devices, known weaknesses, default settings, and remote administration portals.
In plain terms, an unsupported router is like a door lock that the manufacturer no longer repairs, even after criminals learn how to pick it.
This risk is not limited to home routers. It also affects enterprise firewalls, VPN appliances, wireless access points, load balancers, and other edge devices. Edge devices sit at the boundary between a private network and the public internet. Because they control traffic moving in and out, they are valuable targets.
The FBI explains that when a device is end of life, the manufacturer is no longer actively supporting it or releasing security patches. It also warned that routers dated 2010 or earlier are likely no longer receiving manufacturer updates and may be compromised through known vulnerabilities.
In simple terms, an old router can become cybersecurity debt. It still works, but it may no longer be safe.
How It Works
Attacks against old routers usually follow a simple pattern.
- Discovery: Attackers scan the internet for exposed routers, firewalls, or VPN gateways. They look for open ports, remote administration panels, outdated firmware, and known device models.
- Exploitation: Once they identify a vulnerable device, they may exploit a known flaw, weak configuration, or exposed remote management service. In MITRE ATT&CK terms, this aligns with Exploit Public-Facing Application (T1190), where attackers exploit an internet-facing system to gain access. MITRE notes that adversaries may specifically target edge network infrastructure because these devices often lack strong host-based defenses.
- Malware or Proxy Installation: After compromise, the router may be used as a hidden relay. The FBI reported that end-of-life routers were breached using variants of TheMoon malware, which can install proxies and allow cyber actors to conduct crimes anonymously through victim routers.
- Command and Control: The compromised router may contact a command-and-control server for instructions. The FBI notes that TheMoon malware scans for open ports, sends commands to vulnerable scripts, contacts C2 infrastructure, and may receive instructions to scan for other vulnerable routers.
From a defender’s view, this is difficult because routers often do not run EDR. Many are poorly logged. Some sit outside normal SIEM visibility.
Real-World Impact
- For individuals, the risk is quiet. A compromised home router may not immediately steal files from your laptop, but it can redirect traffic, expose connected devices, or turn your internet connection into part of a criminal proxy network. The FBI notes signs may include overheating, connectivity issues, or router settings the administrator does not recognize.
- For businesses, the impact is more serious. A vulnerable VPN gateway or firewall can become the first step into the corporate environment. Once inside, attackers may move laterally, steal credentials, access sensitive systems, or deploy ransomware.
- For systems and infrastructure, the concern is visibility. Edge devices often sit outside normal endpoint monitoring. They may not run EDR agents. Their logs may not be collected into the SIEM. That means an attacker can operate at the perimeter while defenders focus only on laptops and servers.
Breach data supports this concern. Verizon’s 2025 DBIR reported that vulnerability exploitation as an initial access vector increased by 34%, with significant focus on zero-day exploits targeting perimeter devices and VPNs.
Common Mistakes or Misconceptions
- Assuming “if it still works, it is still safe”: Functionality is not security. A router can pass traffic perfectly while running outdated firmware with known vulnerabilities.
- Treating the router as a one-time purchase: Network hardware has a lifecycle. It needs patching, monitoring, and eventual replacement.
- Leaving remote administration enabled: This exposes management access to the internet and gives attackers another path in.
- Thinking antivirus solves the problem: Traditional antivirus protects endpoints. It does not secure an unsupported router or firewall sitting at the network boundary.
Practical Defensive Measures
- For individuals, start simple. Check the router model and confirm whether the manufacturer still supports it. If it is end of life, replace it. Apply firmware updates. Disable remote administration unless there is a clear need. Change default admin passwords and use strong, unique credentials.
- For organizations, create a complete inventory of edge devices. This should include routers, firewalls, VPN gateways, wireless controllers, load balancers, and exposed management interfaces. CISA, the FBI, and NCSC recommend maintaining an inventory of all edge devices and their support timelines, actively scanning for outdated devices, and replacing unsupported equipment.
- Security teams should also send firewall, VPN, and router logs into the SIEM. Monitor for unusual admin logins, unexpected configuration changes, new outbound connections, and traffic to unfamiliar infrastructure.
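The monitoring described in the last item can be sketched as a small detection routine. This is an added example, not code from any agency or vendor: the key=value log format, the trusted management range, and the baseline destination list are all assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumptions for this example: trusted management range and known destinations.
MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]
BASELINE_DESTS = {"192.0.2.10", "192.0.2.53"}  # e.g. update server, DNS resolver

# Constructed log lines in a generic key=value form (not a real vendor format).
SAMPLE_LOGS = """\
2025-09-01T02:11:40Z edge-rtr1 event=admin_login user=admin src=10.10.0.15 result=success
2025-09-01T03:02:07Z edge-rtr1 event=admin_login user=admin src=203.0.113.77 result=success
2025-09-01T03:03:19Z edge-rtr1 event=config_change user=admin item=remote_admin value=enabled
2025-09-01T03:05:52Z edge-rtr1 event=outbound src=self dst=198.51.100.23 dport=8080
2025-09-01T03:06:10Z edge-rtr1 event=outbound src=self dst=192.0.2.53 dport=53
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split 'timestamp host k=v ...' into a dict of fields."""
    ts, host, rest = line.split(" ", 2)
    return {"ts": ts, "host": host, **dict(KV.findall(rest))}


def detect(log_text):
    """Return (timestamp, host, alert) tuples for events worth an analyst's look."""
    alerts = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        ev = parse_line(line)
        kind, msg = ev.get("event"), None
        if kind == "admin_login" and ev.get("result") == "success":
            src = ipaddress.ip_address(ev["src"])
            if not any(src in net for net in MGMT_NETS):
                msg = f"admin login from untrusted {src}"
        elif kind == "config_change":
            # Every change is surfaced so it can be matched to an approved change.
            msg = f"config change: {ev.get('item')}={ev.get('value')}"
        elif kind == "outbound" and ev.get("src") == "self":
            # Traffic originated by the device itself to a destination not seen before.
            if ev["dst"] not in BASELINE_DESTS:
                msg = f"device-originated connection to {ev['dst']}:{ev.get('dport')}"
        if msg:
            alerts.append((ev["ts"], ev["host"], msg))
    return alerts


if __name__ == "__main__":
    for ts, host, msg in detect(SAMPLE_LOGS):
        print(ts, host, msg)
```

In a SIEM the same three conditions would be expressed as correlation rules, with the baseline built from the device's own historical traffic.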
Where possible, restrict management access to trusted IP addresses or a secure management network. Use MFA for VPN and administrative access. Segment internal networks so that compromise of one edge device does not expose everything behind it.
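The inventory and hardening checks above can be combined into one audit that ranks devices by what needs attention first. This is an added example, not an official tool: the CSV columns, hostnames, dates, risk weights, and the one-year warning window are assumptions constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed inventory: hostnames and dates are placeholders.
INVENTORY_CSV = """hostname,type,end_of_support,remote_admin_wan,mgmt_acl,mfa,logs_to_siem
home-gw,router,2015-06-30,yes,no,no,no
branch-fw,firewall,2031-01-31,no,yes,yes,yes
vpn-01,vpn_gateway,2026-03-31,yes,yes,no,yes
lb-02,load_balancer,,no,yes,yes,no
"""
WARN_DAYS = 365  # assumption: start replacement planning a year ahead

# (column, value that is a problem, weight, finding); weights are illustrative
CHECKS = [
    ("remote_admin_wan", "yes", 5, "remote administration exposed to the internet"),
    ("mgmt_acl", "no", 2, "management access not restricted to trusted IPs"),
    ("mfa", "no", 2, "no MFA on VPN/admin access"),
    ("logs_to_siem", "no", 1, "logs not sent to the SIEM"),
]


def audit_device(row, today):
    """Return (score, findings) for one inventory row."""
    score, findings = 0, []
    eos = row["end_of_support"].strip()
    if not eos:
        score, findings = 3, ["support timeline unknown"]
    else:
        days_left = (date.fromisoformat(eos) - today).days
        if days_left < 0:
            score, findings = 10, [f"end of support passed {-days_left} days ago"]
        elif days_left <= WARN_DAYS:
            score, findings = 4, [f"end of support in {days_left} days"]
    for column, bad, weight, text in CHECKS:
        if row[column].strip().lower() == bad:
            score += weight
            findings.append(text)
    return score, findings


def audit_inventory(csv_text, today):
    """Return [(hostname, score, findings)] for flagged devices, worst first."""
    rows = csv.DictReader(io.StringIO(csv_text))
    results = [(r["hostname"], *audit_device(r, today)) for r in rows]
    return sorted((r for r in results if r[1] > 0), key=lambda r: -r[1])


if __name__ == "__main__":
    for host, score, findings in audit_inventory(INVENTORY_CSV, date(2025, 9, 1)):
        print(f"{host} (risk {score}): " + "; ".join(findings))
```

A device with no recorded support date is flagged rather than skipped, because an unknown timeline is itself a gap in the inventory.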
Finally, treat replacement as risk reduction, not just an IT refresh. Unsupported infrastructure is cybersecurity debt. The longer it stays in place, the more valuable it becomes to attackers.
Conclusion
Old routers are no longer just slow hardware. They are forgotten security gaps sitting at the edge of networks. Attackers understand this. They know that unsupported devices often remain online for years, quietly exposed and poorly monitored. That makes them useful for initial access, proxy abuse, persistence, and data theft. Cybersecurity is not only about protecting new systems. It is also about retiring old ones before attackers turn them into entry points. The router you stopped thinking about may be the first device an attacker looks for.