Subscribe to the Non-Human & AI Identity Journal

Why do unpatchable devices create such a large security problem?

Unpatchable devices turn every software flaw into a long-term exposure because defenders cannot rely on remediation to remove the weakness. If those devices also have broad network reach or privileged service access, the compromise becomes more valuable. That is why governance must focus on limiting what the device can reach, not just on detecting the flaw.

Why This Matters for Security Teams

Unpatchable devices are dangerous because the normal software lifecycle is broken: if the vendor will not release a fix, defenders have to treat the flaw as persistent risk rather than a temporary exposure. That changes the control strategy from “patch and verify” to containment, segmentation, monitoring, and strict access governance. The problem becomes more severe when the device performs a business-critical function, sits in a flat network, or holds credentials that other systems trust. NIST’s Cybersecurity Framework 2.0 is useful here because it pushes teams toward risk-based asset management and protective controls, not just remediation. For environments that rely on software-defined trust, NHIs often become the hidden amplifier: service accounts, API keys, and embedded tokens can give an unpatchable device far more reach than its hardware footprint suggests. NHI Management Group research shows why that matters, with 97% of NHIs carrying excessive privileges and 90% of IT leaders saying proper NHI management is essential to zero-trust implementation, as discussed in Ultimate Guide to NHIs. In practice, many security teams discover the device problem only after the credential problem has already expanded the blast radius.

How It Works in Practice

The practical response is to reduce what the unpatchable device can do, where it can talk, and what it can authenticate to. That means treating the device as a constrained trust boundary instead of a fully manageable endpoint. Good programs combine network segmentation, allowlisted communications, strict identity bindings, and continuous monitoring so that a known vulnerability cannot easily become remote code execution, lateral movement, or data exfiltration.

A useful operating model usually includes:

  • Inventory the device, its firmware version, and every dependent service or human workflow it supports.
  • Map the device’s network paths and remove anything not required for operation.
  • Replace broad shared credentials with narrowly scoped credentials, preferably tied to one device and one purpose.
  • Log all device-to-service activity and alert on unusual destinations, timing, or volume.
  • Plan compensating controls such as virtual patching, proxy enforcement, or application-layer filtering.

For identity-heavy environments, the key risk is not the device alone but the access it inherits through secrets and service accounts. NHIMG guidance on The State of Non-Human Identity Security highlights the broader visibility gap around machine access, which is why unpatchable devices so often persist unnoticed inside trusted workflows. MITRE’s ATT&CK framework is also relevant for modelling how an attacker would move from the device into adjacent systems once initial access is achieved. These controls tend to break down when the device is embedded in operational technology, legacy medical equipment, or vendor-managed appliances because downtime, proprietary protocols, and unsupported management interfaces limit what defenders can safely change.

Common Variations and Edge Cases

Tighter containment often increases operational overhead, requiring organisations to balance resilience against uptime, vendor support, and maintenance complexity. That tradeoff is most visible in environments where the device cannot tolerate traffic inspection, cannot be proxied, or depends on long-lived credentials that are difficult to rotate. In those cases, current guidance suggests documenting explicit compensating controls rather than assuming the exposure is acceptable by default.

Some edge cases are especially difficult. Industrial control systems, building management systems, and medical devices may be unpatchable for regulatory, safety, or vendor-contract reasons, yet still need network reach to function. In those settings, the best practice is evolving toward layered isolation, passive monitoring, and very narrow trust relationships rather than traditional endpoint hardening. A separate but related risk appears when the device uses embedded secrets or a service account that is also reused elsewhere. That pattern can turn a single flawed device into a broader identity compromise, which is why NHIMG research such as GitHub Personal Account Breach is a reminder that access paths matter as much as the vulnerable system itself. The same logic applies to supply chain-linked tooling, including incidents like SpotBugs Token GitHub Supply Chain Attack, where credential scope and trust relationships shaped the impact. Unpatchable devices become especially hard to govern when vendors require direct internet access or when the asset is treated as “not a computer,” even though it behaves like one from a security perspective.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 ID.AM-1 Unpatchable devices must be inventoried and risk-ranked before compensating controls can work.
MITRE ATT&CK T1210 Attackers often pivot from a vulnerable device into adjacent systems through remote services.

Identify every device and dependency first, then apply containment controls to the highest-risk assets.