
Zero Days and Why Your Router Is a Target

The exploit existed for 45 days before anyone knew about it. Your router might still have it.

Last updated: March 20, 2026

In 2021, a vulnerability was discovered in Accela software—a platform used by local governments for permitting, licensing, and inspections. By the time CISA added it to the Known Exploited Vulnerabilities catalog, it had been exploited in the wild for 45 days. Cities and the businesses that interacted with them were exposed the entire time.

Here's the uncomfortable truth: vulnerabilities exist in software before anyone knows about them. Sometimes for days. Sometimes for months. Sometimes for years. These are "zero days"—vulnerabilities for which no patch exists because the vendor has had zero days to write one.

Your router is a target because it's always on, rarely monitored, often runs outdated firmware, and sits between your network and the entire internet. If an attacker owns your router, they own your network.

What zero-day vulnerabilities actually mean

A zero-day vulnerability is a software flaw that:

  1. Exists in the software
  2. Is unknown to the developer (or known but unfixed)
  3. Has active exploitation in the wild

The "zero day" refers to the fact that developers have had zero days to fix it—they don't know about it yet.

When a zero-day is discovered (by security researchers, attackers, or intelligence agencies), the developer gets a chance to create a patch. But between discovery and patch release, anyone using that software is vulnerable. And if attackers discovered the vulnerability first, they've had a head start.

Examples that affected SMBs:

  • Fortinet VPN vulnerability (2022-2023): Attackers exploited a known vulnerability in Fortinet VPNs to breach hundreds of organizations before patches were applied.
  • ProxyLogon/ProxyShell (2021): Microsoft Exchange server vulnerabilities that were exploited to compromise thousands of email servers.
  • Log4Shell (2021): A vulnerability in common logging software that affected millions of applications and servers worldwide.

Why your router matters

Small business routers are attractive targets because:

  • They're always on, giving attackers a persistent entry point
  • They rarely get firmware updates—many SMB routers run outdated software for years
  • They have weak default configurations that most people never change
  • They forward traffic—compromising a router lets attackers see and manipulate all network traffic
  • They're not monitored—most small businesses don't have tools watching their router for suspicious activity

A compromised router can:

  • Redirect your traffic to malicious websites (DNS hijacking)
  • Capture credentials and sensitive data passing through
  • Serve as a jump point into your internal network
  • Remain undetected for months or years

What can go wrong

Network traffic interception: If your router is compromised, attackers can see everything—logins, emails, financial data, customer information.

DNS hijacking: A compromised router can change the DNS settings it hands out, sending you to fake versions of the websites you visit and capturing your credentials when you log in.

Ransomware delivery: Some ransomware operators use router vulnerabilities as an entry point into networks.

Supply chain compromise: If your router firmware gets modified by attackers, every device on your network is at risk from the start.

Long-term persistent access: Router compromises can persist for years because routers are rarely checked and often forgotten.

What it costs

  • Incident response if your router is compromised: $5,000 to $30,000 for a thorough investigation and router replacement
  • Router replacement: $200 to $2,000 depending on the device, plus IT time to reconfigure
  • Downtime during investigation: Days of limited network access while you determine the scope
  • Data breach if traffic was intercepted: $10,000 to $100,000+ depending on what was captured
  • Loss of network confidentiality: If sensitive business data was captured, competitive damage and liability

Vendor questions (copy/paste)

"How do we check if our routers have known vulnerabilities? What's our current firmware version?"

"How often do you update router firmware? What's the process for applying critical security patches?"

"We use [specific router model]. Has it had any known vulnerabilities? Are we patched?"

"What's your recommendation for router replacement? How often should we replace network equipment?"

"Can you set up monitoring on our router so we get alerted to unusual activity?"

"We have remote workers who VPN into our network. What router security do they need on their end?"

Minimum viable implementation

  1. Check your router firmware version and compare it to what's available from the manufacturer. This should be done quarterly, minimum. If you're more than a few versions behind, update. If the manufacturer has stopped providing updates for your model, it's time to replace it.

  2. Replace routers that are end-of-life. Manufacturers stop providing security updates for older models. A router that hasn't had a firmware update in 2-3 years is a liability. Budget for replacement every 3-5 years.

  3. Change default credentials on all network equipment. Default admin passwords are public knowledge. Change them.

  4. Disable remote management on your router if you don't need it. If you do need it, require VPN or at minimum strong credentials and consider allowing it only from specific IP addresses.

  5. Use DNS filtering at the router level or on endpoints. Services like Cloudflare WARP, Quad9, or OpenDNS can block known-malicious domains even if your router is compromised.

  6. Segment your network. Put guest WiFi on a separate network from business systems. If one segment gets compromised, attackers have a harder time reaching the others.

  7. Monitor what you can. Some business-class routers have logging and alerting capabilities. Enable what's available. Even basic logging helps in incident response.

  8. Consider a next-generation firewall or UTM if you have the budget. These devices have intrusion detection, application control, and regular signature updates that consumer-grade routers lack.

  9. Have a backup internet connection for critical operations. If your primary router fails or gets compromised, a mobile hotspot or secondary connection can keep basic operations going.
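Steps 4, 5 and 7 above (remote management, DNS settings, logging) give you something concrete to watch for, and the "behaving strangely" signs in the next section are mostly visible in router logs. The script below is an added example, not part of this article or any vendor's tooling: it runs a few rules over a constructed sample of router syslog lines (the log format is an assumption; real devices differ) and flags admin logins from the WAN side, DNS resolvers changed to something you didn't configure, remote management being switched on, reboots, and firmware downgrades.

```python
import re

# Constructed sample of router syslog output (format is an assumption;
# real devices differ, so adapt the regexes to your router's log lines).
SAMPLE_LOG = """\
Mar 20 02:11:04 router admin: login success user=admin from=203.0.113.45 iface=wan
Mar 20 02:11:30 router config: dns.primary changed 9.9.9.9 -> 198.51.100.7
Mar 20 02:12:01 router config: remote_mgmt set enabled=1 port=8443
Mar 20 02:15:44 router system: reboot reason=user
Mar 20 09:00:12 router admin: login success user=admin from=192.168.1.20 iface=lan
Mar 20 09:01:00 router config: firmware update 2.4.1 -> 2.4.3
"""

# The DNS resolvers you deliberately configured (Quad9 here, one of the
# services named in step 5).
EXPECTED_DNS = {"9.9.9.9", "149.112.112.112"}

RULES = [
    # (rule name, default severity, regex)
    ("admin login from WAN side", "HIGH", re.compile(r"login success .* iface=wan")),
    ("DNS resolver changed", "HIGH", re.compile(r"dns\.\w+ changed \S+ -> (\S+)")),
    ("remote management enabled", "MEDIUM", re.compile(r"remote_mgmt set enabled=1")),
    ("device reboot", "LOW", re.compile(r"system: reboot")),
    ("firmware version changed", "INFO", re.compile(r"firmware update (\S+) -> (\S+)")),
]

def version_tuple(v):
    """'2.4.10' -> (2, 4, 10) so versions compare numerically, not as strings."""
    return tuple(int(x) for x in v.split("."))

def analyze(log_text, expected_dns=EXPECTED_DNS):
    """Return (severity, rule name, log line) for every line matching a rule."""
    findings = []
    for line in log_text.splitlines():
        for name, severity, rx in RULES:
            m = rx.search(line)
            if not m:
                continue
            if name == "DNS resolver changed" and m.group(1) in expected_dns:
                severity = "INFO"  # switching to a resolver you chose is routine
            if name == "firmware version changed" and \
                    version_tuple(m.group(2)) < version_tuple(m.group(1)):
                # a downgrade reinstates flaws the newer build already fixed
                severity, name = "HIGH", "firmware downgrade"
            findings.append((severity, name, line))
    return findings

def high_findings(log_text):
    """Only the findings worth a same-day call (see 'When to hire help')."""
    return [f for f in analyze(log_text) if f[0] == "HIGH"]

if __name__ == "__main__":
    for sev, name, line in analyze(SAMPLE_LOG):
        print(f"[{sev:6}] {name}: {line}")
```

Point it at an exported log file instead of SAMPLE_LOG and extend RULES with the message formats your own router emits.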

When to hire help

Call someone today if:

  • Your router is behaving strangely—unusual lights, unexpected reboots, configuration changes you didn't make
  • You received a vulnerability notification about your router model
  • You suspect your router has been compromised

Call someone this week if:

  • Your router is more than 3 years old and hasn't been updated
  • You don't know how to check or update your router firmware
  • You want someone to assess your network equipment and recommend replacements

You can probably handle it yourself if:

  • You know what router model you have and can access its admin interface
  • You can check for firmware updates and apply them
  • You have a replacement plan when your current router reaches end-of-life

Zero days are scary because you can't patch what you don't know exists. But the attackers who exploit zero days often prefer easy targets with known vulnerabilities. Keep your systems updated, and you make yourself less attractive than the next guy who didn't.
