In retail networks, 25 of the top 140 device types account for 99% of devices (such as barcode scanners, POS terminals, and loss prevention systems), while the remaining 1% includes atypical items like serial-to-IP converters and consumer devices.

As networks expand with diverse devices and unmanaged xIoT, enterprises are losing track of asset inventories, widening the attack surface beyond traditional IT assets.

A Forescout study of 10 million devices across 700 organizations in October 2025 found that roughly two-thirds of devices are non-traditional IT, including network gear, OT, IoT, and medical equipment.

Many firmware versions are near end-of-support and aging devices remain online with unpatched weaknesses, illustrating how legacy equipment maintains exposure across routers, controllers, and other connected gear.

The most common xIoT functions—VoIP phones, IP cameras, POS systems, and uninterruptible power supplies—are essential for operations yet often unmanaged, creating security gaps.

IP cameras rank among the top three IoT devices in both enterprise and retail environments, with analysis of 25,000 cameras across multiple business settings revealing 206 firmware versions from 125 vendors; alarmingly, about 40% of cameras have at least one vulnerability and roughly 3% are exposed to the internet.

Sectors with heavy device usage—healthcare, utilities, and retail—show substantial xIoT presence, with healthcare around 35% and utilities and retail about 22%, while regulatory constraints slow timely firmware updates for medical devices.