Eight in Ten Corporate Servers Can Be Reached From Anywhere Inside the Same Network

A study of 54 trillion real-world network events found that most enterprise servers are wide open once an attacker gets past the front door, and many organisations have no clear idea how bad the exposure is.

ThreatVectr Newsdesk· 3 min read
Photoreal news-editorial photograph, 16:9 framing, full-frame edge-to-edge composition
Share

Key points

  • More than 80% of enterprise servers were reachable from any point inside their own network, according to Zero Networks' 2026 Lateral Movement Exposure Report.
  • The report analysed 54 trillion network events across 312 live enterprise environments.
  • 87% of enterprise servers accepted remote-access connections from broad internal sources as of the report's publication date.
  • 43% of internal login traffic still used NTLM, an outdated authentication protocol that attackers routinely abuse to impersonate legitimate users.
  • 12% of organisations allowed a single employee device to connect directly to the most sensitive servers on the network.

Most people picture a company's computer network like a fortress: hard walls on the outside, safe on the inside. New research suggests the inside is nowhere near as safe as companies assume.

Zero Networks, a network-security firm, published its 2026 Lateral Movement Exposure Report after studying 54 trillion recorded network events across 312 live corporate environments. The core finding is striking. Over 80% of corporate servers, the powerful computers that hold company data and run business applications, could be reached from any other device already inside the same network.

How does that put ordinary people at risk?

Once a criminal gets one foot inside a corporate network, perhaps by tricking a single employee into clicking a bad link, that broad internal access means they can roam freely. They do not need exotic tools. They use the same everyday remote-access utilities that IT staff rely on: RDP (Remote Desktop Protocol, software that lets someone control a computer from across the office), SSH (Secure Shell, a similar tool used on server systems), and SMB (Server Message Block, the protocol Windows computers use to share files and printers). The report found 87% of servers accepted RDP or SSH connections from wide internal sources, and 78% were reachable via SMB or a related tool called WinRM (Windows Remote Management).

That free movement is the key ingredient in most ransomware attacks, where criminals lock every file in a company until a ransom is paid.

Dray Agha, senior security operations manager at Huntress, a firm that monitors networks for threats, told CSO Online the findings match exactly what his team sees daily. "Most network perimeters are hard on the outside but lose that hostility and become flat on the inside," he said.

The report also found that 43% of internal login traffic relied on NTLM, an older authentication protocol, meaning a system for verifying who a user is, that attackers have exploited for years to steal credentials and climb to higher levels of access. Retiring NTLM is technically awkward in large organisations, but security researchers say leaving it running is a standing invitation for abuse.

Robby Winchester, at security firm SpecterOps, said his teams achieve this kind of internal movement on nearly every test engagement they run. The paths exist, they are hard to spot, and most organisations have no automated way to close them.

If you are a customer, patient, or employee of a large organisation, this research is a prompt rather than a panic. The practical risk from any single breach depends on how quickly the organisation detects unusual movement inside its own network. Ask your employer whether it runs regular internal security tests and whether it limits which computers can talk to which. Those are the basic questions that separate prepared organisations from exposed ones.

Security researchers agree on the countermeasures: divide networks into smaller, isolated zones (called micro-segmentation) so that one infected machine cannot reach everything else, enforce strict rules about which accounts can access which systems, retire legacy protocols like NTLM, and run regular red-team exercises where a friendly team tries to break in and reports back what they found.

© 2026 Threat Vectr