AT&T customers are being hit with a malware attack that uses a network edge device to steal data.

According to Ars Technica, researchers at Qihoo 360 discovered a new botnet that is targeting the EdgeMarc Enterprise Session Border Controller. The device is commonly used by small to medium-sized enterprises on AT&T’s network.

“However, during this brief observation, we confirmed that the attacked devices were EdgeMarc Enterprise Session Border Controller, belonging to the telecom company AT&T, and that all 5.7k active victims that we saw during the short time window were all geographically located in the US,” wrote Qihoo 360’s Alex Turing and Hui Wang.

The vulnerability traces back to 2017 when a researcher discovered a way to attack the devices using an on-device account that used “root” and “default” as the username and password. Despite being discovered years ago, Ars says it’s unclear if AT&T ever notified customers of the vulnerability.

A patch was released 19 months later, in December 2018. Because the patch required manual installation, however, it’s a safe bet many companies never installed the fix.

Qihoo 360’s researchers have already found more than 100,000 devices using the same TLS certificate as infected devices. This may indicate the vulnerability is far more widespread than just the confirmed victims.

“We are not sure how many devices corresponding to these IPs could be infected, but we can speculate that as they belong to the same class of devices the possible impact is real,” the researchers added.