Skip to content

Weak Network Segmentation Increases Lateral Movement Risk in Enterprise Environments

Key Point: Insufficient network segmentation and missing access controls enable attackers to move laterally without restriction — using standard administrative tools instead of specialized exploits.

Over 80 percent of enterprise servers are reachable from anywhere within corporate networks, according to the 2026 Lateral Movement Exposure Report from Zero Networks. Analysis of 54 trillion activities across 312 live environments reveals critical security gaps that give attackers free rein once they breach the perimeter.

The report documents alarming misconfigurations in RDP and SSH access: 87 percent of servers accept inbound connections from these protocols from broad internal sources. Additionally, 78 percent of servers are reachable via SMB or WinRM — both protocols routinely exploited for lateral movement in ransomware attacks. Particularly critical: 43 percent of internal authentication traffic still relies on NTLM, a legacy protocol vulnerable to credential relay and privilege escalation attacks. In 12 percent of organizations, direct user-to-server administrator paths exist, meaning a compromised endpoint enables immediate access to critical systems.

Security practitioners confirm these findings from their operational experience. Dray Agha, Senior Manager Security Operations at Huntress, describes a widespread pattern: “Network perimeters are hardened from the outside but become flat and open inside the network.” Robby Winchester, Chief Global Professional Services Officer at SpecterOps, adds: In nearly every penetration test, penetration testers succeed in achieving lateral movement. Tools like BloodHound visualize that attack paths are continuously present and nearly impossible to eliminate without visibility.

Once attackers breach the perimeter, they have no reason to deploy expensive zero-day exploits. They use the same administrative tools and open paths — RDP, SMB, SSH — that IT teams use daily. This is not an accident but the result of a deliberate design decision: RDP, SMB, SSH, and WinRM exist because administrators need to work with them. Implementing modern alternatives to legacy protocols like NTLM is operationally challenging and requires substantial effort in environments that have grown over many years.

David Sancho, Senior Threat Researcher at Trend Micro, emphasizes an important distinction: reachability indicates potential damage scope but does not automatically guarantee compromise in all scenarios. Nevertheless, the findings reveal a fundamental operational tension — the balance between security and usability. Measures such as restricting administrative paths, retiring legacy-based protocols, and implementing network segmentation are technically sound but often difficult to enforce in complex environments that have developed over decades.


Source: www.csoonline.com · Published July 9, 2026
Lumi AI News — AI-assisted curation in accordance with Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.3.

Share on: