CISA Mandates Replacement of End-of-Life Edge Devices in Federal Networks
Summary
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a binding operational directive (BOD 26-02) requiring federal agencies to identify, remove, and replace end-of-life (EOL) edge devices, including routers, firewalls, and network switches, that no longer receive security updates. The directive aims to mitigate the substantial and constant threat of exploitation by advanced threat actors targeting these vulnerable devices. Agencies must decommission EOL devices within 12 to 18 months and establish continuous discovery processes to identify and manage devices approaching end-of-support status. CISA has also developed an end-of-support edge device list to assist agencies in this effort.
Timeline
- 06.02.2026 10:41 · 2 articles
CISA Issues Binding Operational Directive 26-02 for EOL Edge Device Replacement
On February 6, 2026, CISA issued BOD 26-02, which requires federal agencies to decommission and replace EOL edge devices within 12 to 18 months. The directive also requires agencies to establish, within 24 months, continuous discovery processes to identify and manage devices approaching end-of-support status. It follows the 2023 directive BOD 23-02, which required agencies to secure misconfigured or Internet-exposed management interfaces. CISA has developed an end-of-support edge device list to help agencies identify and manage these devices.
Sources:
- CISA orders federal agencies to replace end-of-life edge devices — www.bleepingcomputer.com — 06.02.2026 10:41
- CISA Orders Removal of Unsupported Edge Devices to Reduce Federal Network Risk — thehackernews.com — 06.02.2026 15:43
Information Snippets
- CISA issued BOD 26-02 to mandate the removal of EOL edge devices from federal networks.
  First reported: 06.02.2026 10:41 (2 sources, 2 articles)
  - CISA orders federal agencies to replace end-of-life edge devices — www.bleepingcomputer.com — 06.02.2026 10:41
  - CISA Orders Removal of Unsupported Edge Devices to Reduce Federal Network Risk — thehackernews.com — 06.02.2026 15:43
- EOL edge devices, such as routers, firewalls, and network switches, are vulnerable to exploitation due to lack of security updates.
  First reported: 06.02.2026 10:41 (2 sources, 2 articles)
  - CISA orders federal agencies to replace end-of-life edge devices — www.bleepingcomputer.com — 06.02.2026 10:41
  - CISA Orders Removal of Unsupported Edge Devices to Reduce Federal Network Risk — thehackernews.com — 06.02.2026 15:43
- Federal agencies must decommission EOL devices within 12 to 18 months and establish continuous discovery processes within 24 months.
  First reported: 06.02.2026 10:41 (2 sources, 2 articles)
  - CISA orders federal agencies to replace end-of-life edge devices — www.bleepingcomputer.com — 06.02.2026 10:41
  - CISA Orders Removal of Unsupported Edge Devices to Reduce Federal Network Risk — thehackernews.com — 06.02.2026 15:43
- CISA warns of widespread exploitation campaigns by advanced threat actors targeting EOL edge devices.
  First reported: 06.02.2026 10:41 (2 sources, 2 articles)
  - CISA orders federal agencies to replace end-of-life edge devices — www.bleepingcomputer.com — 06.02.2026 10:41
  - CISA Orders Removal of Unsupported Edge Devices to Reduce Federal Network Risk — thehackernews.com — 06.02.2026 15:43
- CISA has developed an end-of-support edge device list that includes product names, version numbers, and end-of-support dates.
  First reported: 06.02.2026 15:43 (1 source, 1 article)
  - CISA Orders Removal of Unsupported Edge Devices to Reduce Federal Network Risk — thehackernews.com — 06.02.2026 15:43
- CISA Acting Director Madhu Gottumukkala emphasized the importance of proactive lifecycle management and removing end-of-support technology.
  First reported: 06.02.2026 15:43 (1 source, 1 article)
  - CISA Orders Removal of Unsupported Edge Devices to Reduce Federal Network Risk — thehackernews.com — 06.02.2026 15:43
Similar Happenings
Active Exploitation of Critical WatchGuard Fireware OS VPN Vulnerability (CVE-2025-14733)
WatchGuard has released patches for a critical out-of-bounds write vulnerability (CVE-2025-14733, CVSS 9.3) in Fireware OS, which is being actively exploited in the wild. The flaw affects the iked process and could allow remote unauthenticated attackers to execute arbitrary code. The vulnerability impacts various versions of Fireware OS, including 2025.1, 12.x, 12.5.x, and 12.3.1, while versions 11.x are end-of-life. WatchGuard has observed active exploitation attempts from several IP addresses, some of which are linked to recent Fortinet vulnerabilities. The company has provided indicators of compromise (IoCs) and temporary mitigation steps for affected devices.
F5 Devices Targeted by Nation-State Actors; CISA Issues Emergency Directive
A nation-state threat actor is exploiting vulnerabilities in F5 devices and software to gain unauthorized access to federal networks. The actor can exfiltrate sensitive data and establish persistent access. CISA has issued Emergency Directive 26-01 to mitigate the risk, requiring immediate updates to F5 products. The directive affects all Federal Civilian Executive Branch (FCEB) agencies. The directive follows F5's disclosure of a breach in their development environment, where the actor had long-term access and exfiltrated files. The vulnerability poses a significant risk to any organization using F5 technology.
CISA Emergency Directive 25-03: Mitigation of Cisco ASA Zero-Day Vulnerabilities
The Cybersecurity and Infrastructure Security Agency (CISA) has **reiterated urgent warnings** to U.S. federal agencies after discovering that some organizations incorrectly applied updates for **CVE-2025-20333** and **CVE-2025-20362**, leaving devices marked as 'patched' but still vulnerable to active exploitation. CISA confirmed it is tracking ongoing attacks targeting unpatched Cisco ASA and Firepower devices within Federal Civilian Executive Branch (FCEB) agencies, with over **30,000 devices** remaining exposed globally, down from 45,000 in early October. The vulnerabilities enable unauthenticated remote code execution, unauthorized access to restricted endpoints, and denial-of-service (DoS) attacks. They have been linked to the **ArcaneDoor campaign**, a state-sponsored group active since at least July 2023, which has deployed malware such as **RayInitiator** and **LINE VIPER**, manipulated ROM for persistence, and forced devices into reboot loops. CISA’s **Emergency Directive 25-03**, issued in September 2025, requires federal agencies to account for all affected devices, disconnect end-of-support systems, and apply minimum software versions. The directive also introduced the **RayDetect scanner** to detect evidence of compromise in ASA core dumps. Recent findings reveal the same threat actor also exploited **CVE-2025-5777 (Citrix Bleed 2)** and **CVE-2025-20337 (Cisco ISE)** as zero-days, deploying a custom web shell ('IdentityAuditAction') with advanced evasion techniques. The campaign’s indiscriminate targeting and multi-platform exploitation underscore the adversary’s broad capabilities and access to sophisticated tools.
Critical Out-of-Bounds Write Vulnerabilities in WatchGuard Firebox Firewalls Exploited in the Wild
Over 115,000 WatchGuard Firebox network security appliances remain exposed to critical remote code execution flaws, including CVE-2025-9242 and the newly disclosed CVE-2025-14733. These vulnerabilities allow remote attackers to execute code without authentication. WatchGuard has released patches and provided temporary workarounds for administrators who cannot immediately update their devices. The vulnerabilities are being actively exploited in the wild, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-9242 to its Known Exploited Vulnerabilities (KEV) catalog on November 13, 2025, based on evidence of active exploitation. Federal Civilian Executive Branch (FCEB) agencies are advised to apply WatchGuard's patches by December 3, 2025. The Shadowserver Foundation detected over 71,000 vulnerable devices as of October 17, 2025. As of November 12, 2025, over 54,300 Firebox instances remained vulnerable, with the U.S. having the highest number of vulnerable devices at 18,500. On December 22, 2025, Shadowserver found over 124,658 unpatched Firebox instances exposed online, with 117,490 still exposed the following day. CISA added CVE-2025-14733 to its KEV catalog and ordered FCEB agencies to patch Firebox firewalls within a week, by December 26th.
CISA Emergency Directive 25-02 issued for Microsoft Exchange vulnerability affecting hybrid environments
The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the National Security Agency (NSA) and international partners, has released the "Microsoft Exchange Server Security Best Practices" guidance. This guidance builds upon CISA’s Emergency Directive 25-02, which was issued to mitigate a Microsoft Exchange vulnerability affecting hybrid environments. The flaw, CVE-2025-53786, allows post-authentication privilege escalation and exploitation of hybrid-joined configurations. The vulnerability affects hybrid Microsoft Exchange environments, where an attacker with administrative access can exploit the flaw to impact cloud-connected services. CISA has not observed active exploitation but warns of significant risks if left unaddressed. The guidance recommends proactive prevention techniques, including restricting administrative access, implementing multifactor authentication, enforcing strict transport security configurations, and adopting zero trust (ZT) security model principles. Additionally, CISA encourages organizations to evaluate the use of cloud-based email services. The directive mandates immediate action from federal civilian agencies to implement vendor mitigation guidance. CISA will assess and support compliance, providing additional resources as necessary. Over 29,000 Exchange servers were found vulnerable to CVE-2025-53786 attacks days after CISA's directive, highlighting the urgency of the situation. The agencies also recommend decommissioning end-of-life on-premises or hybrid Exchange servers after transitioning to Microsoft 365, enabling certificate-based signing for the Exchange Management Shell, and implementing HTTP Strict Transport Security. They advise deploying Kerberos and SMB instead of NTLM to secure authentication processes and configuring Transport Layer Security to protect data integrity and Extended Protection to defend against Adversary-in-the-Middle (AitM), relay, and forwarding attacks. 
The agencies emphasize the importance of support lifecycles, noting that some Exchange versions have reached end-of-life (EOL). They strongly recommend minimizing risk by migrating to a supported email software or service, or disconnecting unsupported and EOL systems. The guidance highlights the importance of steady cooperation across government and allied cybersecurity organizations despite political friction and a prolonged government shutdown.