CISA Retires 10 Emergency Directives in Bulk Closure
Summary
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has retired 10 Emergency Directives issued between 2019 and 2024. These directives, which addressed urgent cybersecurity threats, have either been fully implemented or are now covered under Binding Operational Directive 22-01. This is the largest number of Emergency Directives CISA has closed at one time. The retired directives include measures to mitigate vulnerabilities in DNS infrastructure, Windows systems, SolarWinds Orion, Microsoft Exchange, Pulse Connect Secure, Windows Print Spooler, VMware, and a nation-state compromise of Microsoft's corporate email system. Three of these directives (19-01, 21-01, and 24-02) were closed after a determination that their requirements no longer aligned with the current risk posture or operational practices. CISA worked closely with federal agencies to remediate the vulnerabilities and establish a more resilient digital infrastructure. The closure reflects CISA's shift towards using the Known Exploited Vulnerabilities (KEV) catalog to manage and mitigate cyber threats more efficiently. Emergency Directives will continue to be issued when needed, but CISA emphasized that long-term risk reduction increasingly relies on standardized directives and secure-by-design principles across federal systems.
Timeline
- 09.01.2026 05:46 · 3 articles
CISA Retires 10 Emergency Directives in Bulk Closure
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has retired 10 Emergency Directives issued between 2019 and 2024. These directives, which addressed urgent cybersecurity threats, have either been fully implemented or are now covered under Binding Operational Directive 22-01. This is the largest number of Emergency Directives CISA has closed at one time. CISA worked closely with federal agencies to remediate the vulnerabilities and establish a more resilient digital infrastructure. The closure reflects CISA's shift towards using the Known Exploited Vulnerabilities (KEV) catalog to manage and mitigate cyber threats more efficiently. Three of the retired directives (19-01, 21-01, and 24-02) were closed after a determination that their requirements no longer aligned with the current risk posture or operational practices.
- CISA retires 10 emergency cyber orders in rare bulk closure — www.bleepingcomputer.com — 09.01.2026 05:46
- CISA Retires 10 Emergency Cybersecurity Directives Issued Between 2019 and 2024 — thehackernews.com — 09.01.2026 11:11
- CISA Closes Ten Emergency Directives After Federal Cyber Reviews — www.infosecurity-magazine.com — 12.01.2026 18:45
Information Snippets
- CISA has retired 10 Emergency Directives issued between 2019 and 2024.
  First reported: 09.01.2026 05:46 · 3 sources, 3 articles
  - CISA retires 10 emergency cyber orders in rare bulk closure — www.bleepingcomputer.com — 09.01.2026 05:46
  - CISA Retires 10 Emergency Cybersecurity Directives Issued Between 2019 and 2024 — thehackernews.com — 09.01.2026 11:11
  - CISA Closes Ten Emergency Directives After Federal Cyber Reviews — www.infosecurity-magazine.com — 12.01.2026 18:45
- The directives have either been fully implemented or are now covered under Binding Operational Directive 22-01.
  First reported: 09.01.2026 05:46 · 3 sources, 3 articles
  - CISA retires 10 emergency cyber orders in rare bulk closure — www.bleepingcomputer.com — 09.01.2026 05:46
  - CISA Retires 10 Emergency Cybersecurity Directives Issued Between 2019 and 2024 — thehackernews.com — 09.01.2026 11:11
  - CISA Closes Ten Emergency Directives After Federal Cyber Reviews — www.infosecurity-magazine.com — 12.01.2026 18:45
- This is the largest number of Emergency Directives CISA has closed at one time.
  First reported: 09.01.2026 05:46 · 3 sources, 3 articles
  - CISA retires 10 emergency cyber orders in rare bulk closure — www.bleepingcomputer.com — 09.01.2026 05:46
  - CISA Retires 10 Emergency Cybersecurity Directives Issued Between 2019 and 2024 — thehackernews.com — 09.01.2026 11:11
  - CISA Closes Ten Emergency Directives After Federal Cyber Reviews — www.infosecurity-magazine.com — 12.01.2026 18:45
- The retired directives include measures to mitigate vulnerabilities in DNS infrastructure, Windows systems, SolarWinds Orion, Microsoft Exchange, Pulse Connect Secure, Windows Print Spooler, VMware, and a nation-state compromise of Microsoft's corporate email system.
  First reported: 09.01.2026 05:46 · 3 sources, 3 articles
  - CISA retires 10 emergency cyber orders in rare bulk closure — www.bleepingcomputer.com — 09.01.2026 05:46
  - CISA Retires 10 Emergency Cybersecurity Directives Issued Between 2019 and 2024 — thehackernews.com — 09.01.2026 11:11
  - CISA Closes Ten Emergency Directives After Federal Cyber Reviews — www.infosecurity-magazine.com — 12.01.2026 18:45
- CISA uses the Known Exploited Vulnerabilities (KEV) catalog to alert federal civilian agencies of actively exploited flaws and when systems must be patched against them.
  First reported: 09.01.2026 05:46 · 1 source, 1 article
  - CISA retires 10 emergency cyber orders in rare bulk closure — www.bleepingcomputer.com — 09.01.2026 05:46
- Under BOD 22-01, federal civilian agencies are required to patch vulnerabilities listed in the KEV catalog by specific dates set by CISA.
  First reported: 09.01.2026 05:46 · 1 source, 1 article
  - CISA retires 10 emergency cyber orders in rare bulk closure — www.bleepingcomputer.com — 09.01.2026 05:46
- CISA worked closely with federal agencies to remediate the vulnerabilities and establish a more resilient digital infrastructure.
  First reported: 09.01.2026 11:11 · 2 sources, 2 articles
  - CISA Retires 10 Emergency Cybersecurity Directives Issued Between 2019 and 2024 — thehackernews.com — 09.01.2026 11:11
  - CISA Closes Ten Emergency Directives After Federal Cyber Reviews — www.infosecurity-magazine.com — 12.01.2026 18:45
- CISA Acting Director Madhu Gottumukkala emphasized the importance of operational collaboration across the federal enterprise.
  First reported: 09.01.2026 11:11 · 2 sources, 2 articles
  - CISA Retires 10 Emergency Cybersecurity Directives Issued Between 2019 and 2024 — thehackernews.com — 09.01.2026 11:11
  - CISA Closes Ten Emergency Directives After Federal Cyber Reviews — www.infosecurity-magazine.com — 12.01.2026 18:45
- CISA continues to advance Secure by Design principles, prioritizing transparency, configurability, and interoperability.
  First reported: 09.01.2026 11:11 · 1 source, 1 article
  - CISA Retires 10 Emergency Cybersecurity Directives Issued Between 2019 and 2024 — thehackernews.com — 09.01.2026 11:11
- Three of the retired directives (19-01, 21-01, and 24-02) were closed after a determination that their requirements no longer aligned with the current risk posture or operational practices.
  First reported: 12.01.2026 18:45 · 1 source, 1 article
  - CISA Closes Ten Emergency Directives After Federal Cyber Reviews — www.infosecurity-magazine.com — 12.01.2026 18:45
- Emergency Directives will continue to be issued when needed, but CISA emphasized that long-term risk reduction increasingly relies on standardized directives and secure-by-design principles across federal systems.
  First reported: 12.01.2026 18:45 · 1 source, 1 article
  - CISA Closes Ten Emergency Directives After Federal Cyber Reviews — www.infosecurity-magazine.com — 12.01.2026 18:45
Similar Happenings
Five Vulnerabilities Added to CISA's Known Exploited Vulnerabilities Catalog
Five new vulnerabilities have been added to the CISA Known Exploited Vulnerabilities (KEV) Catalog. These include a server-side request forgery (SSRF) flaw in Oracle E-Business Suite (EBS) and four other vulnerabilities affecting Microsoft Windows SMB Client, Kentico Xperience CMS, and Apple's JavaScriptCore. The SSRF vulnerability in Oracle EBS has been actively exploited in real-world attacks. The vulnerabilities affect widely used software and have varying CVSS scores, indicating different levels of severity. Federal Civilian Executive Branch (FCEB) agencies must remediate these vulnerabilities by November 10, 2025, to protect against active threats.
CISA Emergency Directive 25-03: Mitigation of Cisco ASA Zero-Day Vulnerabilities
The Cybersecurity and Infrastructure Security Agency (CISA) has **reiterated urgent warnings** to U.S. federal agencies after discovering that some organizations incorrectly applied updates for **CVE-2025-20333** and **CVE-2025-20362**, leaving devices marked as 'patched' but still vulnerable to active exploitation. CISA confirmed it is tracking ongoing attacks targeting unpatched Cisco ASA and Firepower devices within Federal Civilian Executive Branch (FCEB) agencies, with over **30,000 devices** remaining exposed globally, down from 45,000 in early October. The vulnerabilities enable unauthenticated remote code execution, unauthorized access to restricted endpoints, and denial-of-service (DoS) attacks. They have been linked to the **ArcaneDoor campaign**, a state-sponsored group active since at least July 2023, which has deployed malware like **RayInitiator** and **LINE VIPER**, manipulated ROM for persistence, and forced devices into reboot loops. CISA’s **Emergency Directive 25-03**, issued in September 2025, mandates federal agencies to account for all affected devices, disconnect end-of-support systems, and apply minimum software versions. The directive also introduced the **RayDetect scanner** to detect compromise evidence in ASA core dumps. Recent findings reveal the same threat actor also exploited **CVE-2025-5777 (Citrix Bleed 2)** and **CVE-2025-20337 (Cisco ISE)** as zero-days, deploying a custom web shell ('IdentityAuditAction') with advanced evasion techniques. The campaign’s indiscriminate targeting and multi-platform exploitation underscore the adversary’s broad capabilities and access to sophisticated tools.
GeoServer RCE Exploit Used in Federal Agency Breach
A U.S. federal civilian executive branch (FCEB) agency was breached in July 2024 after attackers exploited an unpatched GeoServer instance. The attackers gained initial access through a critical remote code execution (RCE) vulnerability (CVE-2024-36401) and moved laterally within the network, deploying web shells and scripts for persistence and privilege escalation. The breach remained undetected for three weeks until the agency's Endpoint Detection and Response (EDR) tool alerted the Security Operations Center (SOC). The attackers exploited the vulnerability in GeoServer, which was patched in June 2024 but remained unpatched in the agency's environment. They used brute force techniques for lateral movement and privilege escalation, accessing service accounts and deploying web shells like China Chopper. The breach highlights the importance of timely patching, continuous monitoring of EDR alerts, and comprehensive incident response plans. Recently, CISA added a high-severity XML External Entity (XXE) flaw (CVE-2025-58360) in GeoServer to its KEV catalog due to evidence of active exploitation. This flaw affects versions prior to and including 2.25.5, and versions 2.26.0 through 2.26.1. Successful exploitation could allow attackers to access arbitrary files, conduct SSRF attacks, or launch DoS attacks. Federal agencies are advised to apply the required fixes by January 1, 2026. CISA has ordered federal agencies to patch the actively exploited GeoServer vulnerability (CVE-2025-58360) by January 1, 2026. The flaw is being actively exploited in XML External Entity (XXE) injection attacks, allowing threat actors to launch denial-of-service attacks, access confidential data, or perform Server-Side Request Forgery (SSRF) to interact with internal systems. The vulnerability is present in GeoServer 2.26.1 and prior versions and can be exploited through the /geoserver/wms operation GetMap endpoint.
CISA and Partners Respond to Cyber Attack on Nevada's Essential Services
The state of Nevada experienced a cyber attack on August 24, 2025, impacting essential services. The Cybersecurity and Infrastructure Security Agency (CISA) and its partners are providing real-time incident response and support to restore critical services and rebuild systems. The investigation into the attack's origins is ongoing. CISA's Threat Hunting teams are actively examining state networks to identify the full scope of the incident and mitigate threats. The Federal Bureau of Investigation (FBI) is assisting in the investigation, and the Federal Emergency Management Agency (FEMA) is advising on available assistance. CISA is committed to providing cybersecurity services and expertise to Nevada as long as necessary, emphasizing operational collaboration in real-time.
N-able N-central vulnerabilities exploited in the wild
Over 800 N-able N-central servers remain unpatched against two critical security flaws, CVE-2025-8875 and CVE-2025-8876, which have been actively exploited in the wild. These vulnerabilities allow for command execution and command injection, respectively. The issues have been addressed in N-central versions 2025.3.1 and 2024.6 HF2, released on August 13, 2025. N-able has urged customers to enable multi-factor authentication (MFA) for admin accounts to mitigate potential risks. The exploitation of these vulnerabilities highlights the importance of timely patching and robust security measures in managing remote monitoring and management (RMM) systems. The active exploitation in the wild underscores the need for vigilance and proactive security practices among cybersecurity professionals. CISA has added the flaws to its Known Exploited Vulnerabilities Catalog and ordered federal agencies to patch their systems within one week.