Default settings in network gear often conceal serious risks that attackers may quickly exploit if left in place.
Default configurations in network devices are designed for quick deployment and broad compatibility. Unfortunately, many of these defaults leave systems exposed or inefficient if left unchanged. Attackers and automated scans specifically look for these oversights, making defaults one of the most common weak points in enterprise environments.
Organizations that standardize configuration hardening reduce the risk of compromise, downtime, and performance bottlenecks. The following defaults should be reviewed immediately across routers, switches, firewalls, and wireless access points.
1. Administrator usernames and passwords
Factory-set credentials are among the most commonly exploited default settings in network gear. Automated attacks constantly test for them. Always change both the username and password where possible. If usernames cannot be changed, disable default accounts and create new privileged accounts with stronger credentials.
Example 1: The 2016 Mirai botnet scanned the internet for IoT devices using default logins like admin/admin or root/12345. It enslaved hundreds of thousands of cameras and routers, launching some of the largest DDoS attacks recorded at the time.
Example 2: In 2019, attackers exploited routers from multiple vendors that still used the default password cisco for administrative access, compromising devices in enterprise networks until patches and resets were applied.
2. Remote management access
Many devices ship with Telnet or an HTTP (not HTTPS) web UI enabled for management by default. Both carry credentials in cleartext. Restrict management access to trusted IPs, keep management interfaces reachable only from internal networks or over a VPN, and enable SSH or HTTPS in their place.
Example 1: In 2018, VPNFilter malware targeted routers with remote management enabled over HTTP/Telnet, stealing credentials and modifying traffic. Attackers could exfiltrate data or install further malware modules.
Example 2: In 2020, attackers exploited exposed Citrix and DrayTek router management interfaces to plant backdoors and pivot into enterprise networks, leading to ransomware deployments.
3. SNMP community strings
Default SNMP public and private strings are widely known. Attackers can read or even modify device configurations if they are not changed. Disable SNMP if it is unused, or migrate to SNMPv3 with authentication and encryption instead of the insecure SNMPv1/v2c.
Example 1: Attackers have used the default public/private strings to pull router configs that contained VPN pre-shared keys and admin passwords in cleartext. This has been observed in penetration tests and real breaches, often leading to full takeover of edge routers.
Example 2: In 2017, US-CERT warned that default SNMP strings were actively exploited to dump configurations from Cisco and Juniper devices, enabling attackers to map networks and prepare privilege escalation.
4. Unnecessary services and features
Routers, switches, and firewalls often ship with unused services or features active, such as CDP or LLDP on user-facing ports. These broaden the attack surface. Audit and disable all unnecessary components, even if modern gear ships with more conservative defaults.
Example 1: In 2015, attackers abused Cisco Smart Install (SMI), a feature left enabled by default, to remotely execute code and change configs on thousands of exposed routers and switches worldwide.
Example 2: In 2017, misconfigured SMBv1 services on Windows servers left enabled by default were exploited by WannaCry ransomware, spreading rapidly across global networks.
5. VLAN 1 for management traffic
Using VLAN 1 for management or production traffic creates predictable targets and simplifies VLAN hopping attacks. Some vendors also use VLAN 1 for protocols like STP or CDP, increasing the risk. Create a dedicated management VLAN and disable VLAN 1 where possible.
Example 1: Attackers on a compromised workstation have performed VLAN hopping by sending double-tagged packets, escaping user VLANs and reaching VLAN 1, where they intercepted management plane traffic and escalated privileges.
Example 2: Penetration testers have repeatedly demonstrated that using VLAN 1 for voice and management traffic allows an attacker with physical access to plug in, sniff traffic, and extract credentials.
6. Unused switch ports
Switch ports left active by default allow rogue devices to connect. Shut down unused ports or assign them to a blackhole VLAN with no access. Where ports must stay live, enable Port Security to limit or lock MAC addresses.
Example 1: In corporate red-team exercises, intruders have simply walked into lobbies, plugged a laptop into an open port, and gained direct access to internal systems because the switch accepted any device by default.
Example 2: In 2017, a rogue device was connected to an unused port at a university network, allowing attackers to capture credentials and pivot into administrative systems.
7. Routing protocols without authentication
Routing protocols that lack authentication are vulnerable to hijacking and route injection. Even if most devices no longer enable RIP or OSPF by default, failing to configure authentication remains a risk. Require authentication and disable unused protocols entirely.
Example 1: Researchers have demonstrated BGP route hijacks by injecting false advertisements into poorly authenticated routing sessions. Similar attacks against OSPF without authentication allow adversaries to poison routing tables and divert traffic for man-in-the-middle interception.
Example 2: In 2008, Pakistan Telecom accidentally announced false BGP routes to YouTube, blackholing global traffic. Although accidental, the same weakness can be deliberately abused by attackers if sessions lack authentication.
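The three checks in items 5 through 7 can be run mechanically against a switch configuration. The script below is an added example, not NetworkTigers' code or any vendor's tool: it parses the interface and router ospf stanzas of a constructed IOS-style configuration and reports VLAN 1 carrying an address or user traffic, active ports that look unused (no description) or lack port security, and OSPF areas without area-level authentication. The configuration, the "no description means unused" heuristic and the finding wording are assumptions of the example.

```python
"""Audit interface and OSPF stanzas of an IOS-style switch config for the
defaults in article items 5-7.  Added example, not NetworkTigers' code: the
config is constructed, and "no description means unused" is this script's
heuristic, not a vendor rule."""
import re

SAMPLE_SWITCH_CONFIG = """\
interface Vlan1
 ip address 10.0.1.2 255.255.255.0
interface Vlan99
 description management
 ip address 10.0.99.2 255.255.255.0
interface GigabitEthernet1/0/1
 description uplink to core
 switchport mode trunk
 switchport trunk native vlan 1
interface GigabitEthernet1/0/2
 description user desk 2-14
 switchport mode access
 switchport access vlan 20
 switchport port-security
 switchport port-security maximum 2
interface GigabitEthernet1/0/3
 switchport mode access
interface GigabitEthernet1/0/4
 shutdown
router ospf 10
 area 0 authentication message-digest
 network 10.0.0.0 0.0.255.255 area 0
 network 10.1.0.0 0.0.255.255 area 10
"""


def parse_stanzas(config):
    """Yield (header, [child lines]); children are the indented lines under a
    column-0 command, '!' separators and blank lines are skipped."""
    header, body = None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0].isspace():
            body.append(raw.strip())
        else:
            if header is not None:
                yield header, body
            header, body = raw.strip(), []
    if header is not None:
        yield header, body


def _value(body, prefix, default):
    """Last word of the first line starting with prefix, else default."""
    return next((l.split()[-1] for l in body if l.startswith(prefix)), default)


def check_interface(name, body):
    out = []
    if "shutdown" in body:
        return out  # administratively down: nothing to connect to or hop into
    if name.lower() == "vlan1" and any(l.startswith("ip address") for l in body):
        out.append(("5", name, "VLAN 1 SVI carries an IP address; move management to a dedicated VLAN"))
    is_trunk = "switchport mode trunk" in body
    is_access = "switchport mode access" in body
    # IOS defaults are native VLAN 1 on trunks and access VLAN 1 on access
    # ports, so a missing command means VLAN 1.
    if is_trunk and _value(body, "switchport trunk native vlan", "1") == "1":
        out.append(("5", name, "trunk native VLAN is 1 (default); double-tagged frames reach VLAN 1"))
    if is_access and _value(body, "switchport access vlan", "1") == "1":
        out.append(("5", name, "access port left in default VLAN 1"))
    if "Ethernet" in name:  # physical port
        if not any(l.startswith("description") for l in body):
            out.append(("6", name, "active port with no description: shut it down or park it in a blackhole VLAN"))
        elif is_access and "switchport port-security" not in body:
            # Only the bare command enables the feature; 'maximum' alone does not.
            out.append(("6", name, "in-use access port without port security"))
    return out


def check_ospf(process, body):
    areas = {l.split()[-1] for l in body if l.startswith("network ") and " area " in l}
    authed = {l.split()[1] for l in body if re.match(r"area \S+ authentication", l)}
    return [("7", f"ospf {process} area {a}", "OSPF area without area-level authentication; "
             "confirm no per-interface 'ip ospf authentication' before treating it as exposed")
            for a in sorted(areas - authed)]


def audit_switching(config):
    """Return (article item, object, detail) tuples in config order."""
    findings = []
    for header, body in parse_stanzas(config):
        if m := re.match(r"interface (\S+)$", header):
            findings.extend(check_interface(m.group(1), body))
        elif m := re.match(r"router ospf (\d+)", header):
            findings.extend(check_ospf(m.group(1), body))
    return findings
```

Calling audit_switching(SAMPLE_SWITCH_CONFIG) reports Vlan1, the trunk with native VLAN 1, the undescribed access port sitting in VLAN 1, and OSPF area 10; the shut-down port and the port with a description, a non-default VLAN and port security produce nothing. The OSPF check only understands area-level authentication, so an area flagged here still needs a look at its interfaces before it is treated as exposed.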
8. Factory firmware versions
Devices running only the factory firmware image often contain known vulnerabilities. Leaving them unpatched puts networks at risk. Automating firmware lifecycle management helps ensure updates are applied and not forgotten after deployment.
Example 1: In 2019, attackers exploited unpatched Fortinet and Pulse Secure VPN appliances running outdated firmware to steal credentials and deploy ransomware inside corporate networks.
Example 2: In 2020, Zyxel firewalls with outdated firmware were exploited en masse by Mirai-variant botnets, which leveraged known backdoors left unpatched in default software images.
9. Vendor-supplied firewall rules
Some firewalls ship with overly permissive rules for ease of deployment, while others default to deny-all. In either case, vendor defaults require review. Replace them with least-privilege rulesets before production use.
Example 1: In multiple breaches, firewalls that shipped with allow-all outbound defaults let malware freely connect to command-and-control servers. Without egress filtering, attackers could exfiltrate gigabytes of sensitive data undetected.
Example 2: In 2013, penetration testers discovered that a bank’s firewall had shipped with an “any-any” rule still active, which allowed them to pivot from the DMZ into the core network with no restrictions.
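A rule review can be automated as a first pass. The following is an added example, not NetworkTigers' code or any firewall vendor's export format: it walks an ordered, first-match-wins rule table, flags permit-any rules, and reports every rule that an earlier broader rule shadows, which is how a vendor's any-any entry silently disables the deny-all at the bottom. The rule table layout, the rule names and the addresses are constructed for the example.

```python
"""Review an ordered firewall rule table (first match wins) for the vendor
default problems in article item 9: permit-any rules and the rules they
shadow, including a terminal deny that never fires.  Added example, not
NetworkTigers' code; the rule format and both rule sets are constructed."""
import ipaddress

# Columns: name, action, source, destination, service ("proto/port" or "any").
VENDOR_RULES = [
    ("allow-web-in", "permit", "any", "203.0.113.10", "tcp/443"),
    ("vendor-default", "permit", "any", "any", "any"),  # shipped with the box
    ("allow-dns-out", "permit", "10.0.0.0/8", "any", "udp/53"),
    ("deny-all", "deny", "any", "any", "any"),
]
HARDENED_RULES = [r for r in VENDOR_RULES if r[0] != "vendor-default"]


def net_covers(a, b):
    """True if address set a contains address set b ('any' is the universe)."""
    if a == "any":
        return True
    if b == "any":
        return False
    na = ipaddress.ip_network(a, strict=False)
    nb = ipaddress.ip_network(b, strict=False)
    return na.version == nb.version and na.supernet_of(nb)


def service_covers(a, b):
    """True if service a contains service b; 'tcp/any' covers 'tcp/443'."""
    if a == "any":
        return True
    if b == "any":
        return False
    proto_a, port_a = a.split("/")
    proto_b, port_b = b.split("/")
    return proto_a == proto_b and port_a in ("any", port_b)


def covers(earlier, later):
    """Earlier rule matches every packet the later rule would match."""
    _, _, src_a, dst_a, svc_a = earlier
    _, _, src_b, dst_b, svc_b = later
    return (net_covers(src_a, src_b) and net_covers(dst_a, dst_b)
            and service_covers(svc_a, svc_b))


def audit_rules(rules):
    """Return (rule name, issue) pairs in rule order."""
    issues = []
    for i, rule in enumerate(rules):
        name, action, src, dst, svc = rule
        if action == "permit" and (src, dst, svc) == ("any", "any", "any"):
            issues.append((name, "permits any source to any destination on any service"))
        # First-match semantics: a broader earlier rule makes this one dead code.
        shadow = next((r[0] for r in rules[:i] if covers(r, rule)), None)
        if shadow is not None:
            issues.append((name, f"never evaluated: shadowed by earlier rule '{shadow}'"))
    if not rules or rules[-1][1:] != ("deny", "any", "any", "any"):
        issues.append(("<end>", "no explicit terminal deny-all rule; add one and log it"))
    return issues
```

On VENDOR_RULES the auditor flags the vendor's any-any permit and then shows that both the DNS egress rule and the deny-all beneath it are never reached, so the table has no egress filtering at all; HARDENED_RULES, the same table with the vendor entry removed, comes back clean.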
10. Wireless SSIDs and insecure settings
Default SSIDs broadcast the vendor's name, pointing attackers toward known vulnerabilities in that product line. Change SSIDs, enforce WPA3, and disable features like WPS if they are enabled by default. Review any preconfigured guest networks, which often ship enabled with weak security.
Example 1: The KRACK attack (2017) showed that WPA2 could be exploited; many consumer APs that still had WPS enabled were brute-forced in seconds, giving attackers access to internal wireless networks.
Example 2: In 2019, security researchers cracked weakly configured default SSIDs and passwords on ISP-provided routers, giving them access to tens of thousands of residential networks in Europe.
11. Logging and monitoring thresholds
Default log levels often omit important events, and many devices lack remote syslog or SIEM integration out of the box. Adjust thresholds and configure external log forwarding to ensure visibility.
Example 1: In the 2013 Target breach, attackers moved through the network undetected because alerts generated by security tools were never forwarded to a central monitoring system or acted on, delaying detection for weeks.
Example 2: In the 2017 Equifax breach, attackers exploited an unpatched Apache Struts server and remained undetected for months in part because logging was insufficient and alerts were missed.
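The management-plane items above (1 through 4) and this logging item (11) all reduce to checks on the running configuration, so they can be scripted. The auditor below is an added example, not NetworkTigers' code or a vendor tool: it scans a constructed IOS-style configuration for default account names and passwords, Telnet or HTTP management, SNMPv1/v2c community strings, Smart Install and CDP left at their enabled defaults, and missing syslog forwarding, and it returns an empty list for a hardened version of the same device. The default-credential lists, the placeholder hash values and the severity labels are assumptions of the example.

```python
"""Audit an IOS-style running-config for management-plane defaults
(article items 1-4 and 11).  Added example, not NetworkTigers' code: both
sample configs are constructed and the credential lists are illustrative."""
import re
from dataclasses import dataclass

# Well-known defaults; in practice, load a vendor default-password list.
DEFAULT_USERNAMES = {"admin", "cisco", "root", "administrator"}
DEFAULT_PASSWORDS = {"admin", "cisco", "root", "12345", "password"}
DEFAULT_COMMUNITIES = {"public", "private"}

WEAK_CONFIG = """\
hostname edge-rtr-01
username admin privilege 15 password 0 admin
enable password cisco
ip http server
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 transport input telnet ssh
 login local
"""

HARDENED_CONFIG = """\
hostname edge-rtr-01
service timestamps log datetime msec
username netops privilege 15 secret 9 $9$PLACEHOLDER-HASH
enable secret 9 $9$PLACEHOLDER-HASH
no ip http server
ip http secure-server
snmp-server group MONITOR v3 priv
no vstack
no cdp run
logging host 10.20.0.5
line vty 0 4
 transport input ssh
 login local
"""


@dataclass(frozen=True)
class Finding:
    section: str   # article item the finding maps to
    severity: str  # high / medium / low
    detail: str


def audit_config(config: str) -> list:
    findings = []
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    present = set(lines)
    for s in lines:
        # Item 1: default account names, default or reversible passwords.
        m = re.match(r"username (\S+) .*?(password|secret)(?: \d)? (\S+)", s)
        if m:
            user, kind, secret = m.groups()
            if user in DEFAULT_USERNAMES:
                findings.append(Finding("1", "medium", f"default account name '{user}' still present"))
            if secret in DEFAULT_PASSWORDS:
                findings.append(Finding("1", "high", f"user '{user}' keeps a well-known default password"))
            elif kind == "password":
                findings.append(Finding("1", "medium", f"user '{user}' uses reversible 'password', not 'secret'"))
        if s.startswith("enable password"):
            findings.append(Finding("1", "medium", "'enable password' used instead of hashed 'enable secret'"))
        # Item 2: management over cleartext protocols.
        if s == "ip http server":
            findings.append(Finding("2", "high", "HTTP management UI enabled (cleartext credentials)"))
        m = re.match(r"transport input (.+)", s)
        if m and {"telnet", "all"} & set(m.group(1).split()):
            findings.append(Finding("2", "high", f"Telnet accepted ('transport input {m.group(1)}')"))
        # Item 3: SNMPv1/v2c community strings.
        m = re.match(r"snmp-server community (\S+)(?: (RO|RW))?", s)
        if m:
            community, mode = m.group(1), m.group(2) or "RO"
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(Finding("3", "high", f"default SNMP community '{community}' ({mode})"))
            else:
                findings.append(Finding("3", "medium", f"SNMPv1/v2c community in use ({mode}); move to SNMPv3"))
    # Item 4: features that are on by default and only show up in the config
    # once disabled, so their absence means "still enabled".
    if "no vstack" not in present:
        findings.append(Finding("4", "medium", "Smart Install not disabled ('no vstack' absent)"))
    if "no cdp run" not in present:
        findings.append(Finding("4", "low", "CDP left at its global default (enabled)"))
    # Item 11: logs must leave the device and carry timestamps.
    if not any(s.startswith("logging host") for s in present):
        findings.append(Finding("11", "high", "no 'logging host': events are never forwarded"))
    if not any(s.startswith("service timestamps log") for s in present):
        findings.append(Finding("11", "low", "log messages are not timestamped"))
    return findings


if __name__ == "__main__":
    for f in audit_config(WEAK_CONFIG):
        print(f"[{f.severity:6}] item {f.section}: {f.detail}")
```

Against WEAK_CONFIG the script raises six high-severity findings (the default password, HTTP and Telnet management, both default community strings, and the absent syslog destination) plus medium and low ones for the default account name, the reversible enable password, Smart Install, CDP and missing timestamps; HARDENED_CONFIG produces none. The Smart Install and CDP checks rely on the fact that these features only appear in the configuration once they have been turned off, which is exactly why they are easy to overlook.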
Staying ahead of unsafe defaults
Default settings are in place for convenience, not security. IT managers and network engineers should treat every new device as a baseline that requires hardening before use. Continuous review of vendor defaults ensures that the network remains resilient to predictable attacks and complies with operational standards.
Sources
- Cisco. Harden IOS Devices
- NIST. SP 800-153: Guidelines for Securing Wireless Local Area Networks (WLANs)
- Center for Internet Security. CIS Benchmarks
- Fortinet. FortiGate Hardening Best Practices
- CISA. Guidance and Strategies to Protect Network Edge Devices
- SANS Institute. Critical Security Controls
About NetworkTigers

NetworkTigers is the leader in the secondary market for Grade A, seller-refurbished networking equipment. Founded in January 1996 as Andover Consulting Group, which built and re-architected data centers for Fortune 500 firms, NetworkTigers provides consulting and network equipment to global governmental agencies, Fortune 2000, and healthcare companies. www.networktigers.com.
