
CISA Mandates Replacement of End-of-Life Edge Devices in Federal Networks

4 unique sources, 4 articles

Summary


The U.S. Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the FBI and the UK's National Cyber Security Centre (NCSC), has issued a joint alert warning about the risks posed by discontinued edge devices. These devices, which include firewalls, IoT devices, load balancers, network security appliances, routers, switches, wireless access points, and other software and hardware appliances, are often targeted by state-sponsored threat actors for network access, persistence, and data theft. CISA has issued Binding Operational Directive 26-02, requiring federal agencies to decommission and replace end-of-life (EOL) edge devices within 12 to 18 months. Agencies must also establish continuous discovery processes to identify and manage devices approaching end-of-support status within 24 months. CISA has developed an end-of-support edge device list to assist agencies in this effort. BOD 26-02 was issued on February 5, 2026; the immediate actions it requires of federal agencies include updating supported edge devices running EOS software within three months and decommissioning identified EOS edge devices within 18 months.

Timeline

  1. 06.02.2026 10:41 4 articles · 4d ago

    CISA Issues Binding Operational Directive 26-02 for EOL Edge Device Replacement

    On February 5, 2026, CISA issued BOD 26-02, requiring federal agencies to decommission and replace EOL edge devices within 12 to 18 months and to establish continuous discovery processes to identify and manage devices approaching end-of-support status within 24 months. This follows the 2023 directive BOD 23-02, which required securing misconfigured or Internet-exposed management interfaces. CISA has developed an end-of-support edge device list to assist agencies in identifying and managing these devices. Additionally, CISA, the FBI, and the UK's NCSC issued a joint alert warning about the risks posed by discontinued edge devices. The directive's timeline is as follows: within the first three months of issuance, agencies must identify and remediate vulnerabilities and update supported edge devices running EOS software; all devices with an EOS date on or before 12 months from issuance must be decommissioned and the action reported to CISA; all edge devices with an EOS date within the following 12 months must be inventoried; within 18 months of issuance, all identified EOS edge devices must be decommissioned from agency networks; and within two years, agencies must have a process for continuous discovery of all edge devices in their environments.

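The deadline schedule in the timeline entry above is easier to apply to a real inventory as code. The following is an added example (not CISA tooling and not part of the original page) that buckets each edge device into the BOD 26-02 action the page describes, computing each deadline from the February 5, 2026 issue date. The bucket names, the precedence between buckets, the `EdgeDevice` fields and the sample inventory are this example's own assumptions.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional

DIRECTIVE_ISSUED = date(2026, 2, 5)  # BOD 26-02 issue date as stated on the page


def add_months(d: date, months: int) -> date:
    """Shift d forward by whole months, clamping the day to the target month's length."""
    carry, month0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + carry, month0 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


@dataclass(frozen=True)
class EdgeDevice:
    hostname: str
    product: str
    hardware_eos: Optional[date]          # vendor end-of-support date for the appliance; None = none announced
    software_eos: Optional[date] = None   # end-of-support date of the firmware/OS version it runs


def classify(dev: EdgeDevice, issued: date = DIRECTIVE_ISSUED) -> tuple:
    """Return (action, deadline) under the BOD 26-02 timeline as the page describes it.

    Bucket names and their precedence (decommission before update) are this
    example's own choices, not directive text.
    """
    if dev.hardware_eos is not None and dev.hardware_eos <= add_months(issued, 12):
        # EOS on or before 12 months from issuance: decommission and report to CISA,
        # with the 18-month hard stop for all identified EOS devices
        return "decommission_and_report", add_months(issued, 18)
    if dev.software_eos is not None and dev.software_eos <= issued:
        # supported hardware running already-EOS software: update within three months
        return "update_software", add_months(issued, 3)
    if dev.hardware_eos is not None and dev.hardware_eos <= add_months(issued, 24):
        # EOS in the following 12 months: inventory now so replacement can be planned
        return "inventory_for_replacement", add_months(issued, 24)
    # no EOS within the directive window: keep under the continuous discovery process
    return "supported_keep_discovering", None


# Constructed inventory; hostnames, products and dates are made up for this example.
INVENTORY = [
    EdgeDevice("fw-edge-01", "ExampleCo Firewall 100", hardware_eos=date(2025, 6, 30)),
    EdgeDevice("vpn-gw-02", "ExampleCo VPN Gateway", hardware_eos=date(2026, 12, 31)),
    EdgeDevice("lb-03", "ExampleCo Load Balancer", hardware_eos=date(2027, 9, 1)),
    EdgeDevice("ap-04", "ExampleCo Access Point", hardware_eos=None, software_eos=date(2025, 11, 1)),
    EdgeDevice("rtr-05", "ExampleCo Router", hardware_eos=date(2029, 1, 1)),
]


def build_report(devices, issued: date = DIRECTIVE_ISSUED) -> dict:
    """Group devices by required action, each with its deadline (ISO date or 'n/a')."""
    report = {}
    for dev in devices:
        action, deadline = classify(dev, issued)
        report.setdefault(action, []).append(
            (dev.hostname, deadline.isoformat() if deadline else "n/a")
        )
    return report


if __name__ == "__main__":
    for action, rows in build_report(INVENTORY).items():
        print(action)
        for hostname, deadline in rows:
            print(f"  {hostname:<12} deadline {deadline}")
```

Feeding the output of an existing discovery process (CMDB export, network scanner results) into `INVENTORY` turns this into the continuous-discovery check the directive asks for; the two date fields are the only data the classification needs, and the vendor EOS dates would come from CISA's end-of-support edge device list or the vendor's own notices.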


Similar Happenings

CISA Retires 10 Emergency Directives in Bulk Closure

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has retired 10 Emergency Directives issued between 2019 and 2024. These directives, which addressed urgent cybersecurity threats, have either been fully implemented or are now covered under Binding Operational Directive 22-01. This is the largest number of Emergency Directives CISA has closed at one time. The retired directives include measures to mitigate vulnerabilities in DNS infrastructure, Windows systems, SolarWinds Orion, Microsoft Exchange, Pulse Connect Secure, Windows Print Spooler, VMware, and a nation-state compromise of Microsoft's corporate email system. Three of these directives (19-01, 21-01, and 24-02) were closed after determining their requirements no longer aligned with the current risk posture or operational practices. CISA worked closely with federal agencies to remediate the vulnerabilities and establish a more resilient digital infrastructure. The closure reflects CISA's shift towards using the Known Exploited Vulnerabilities (KEV) catalog to manage and mitigate cyber threats more efficiently. Emergency Directives will continue to be issued when needed, but CISA emphasized long-term risk reduction increasingly relies on standardized directives and secure-by-design principles across federal systems.

Active Exploitation of Critical WatchGuard Fireware OS VPN Vulnerability (CVE-2025-14733)

WatchGuard has released patches for a critical out-of-bounds write vulnerability (CVE-2025-14733, CVSS 9.3) in Fireware OS, which is being actively exploited in the wild. The flaw affects the iked process and could allow remote unauthenticated attackers to execute arbitrary code. The vulnerability impacts various versions of Fireware OS, including 2025.1, 12.x, 12.5.x, and 12.3.1, while versions 11.x are end-of-life. WatchGuard has observed active exploitation attempts from several IP addresses, some of which are linked to recent Fortinet vulnerabilities. The company has provided indicators of compromise (IoCs) and temporary mitigation steps for affected devices.

F5 Devices Targeted by Nation-State Actors; CISA Issues Emergency Directive

A nation-state threat actor is exploiting vulnerabilities in F5 devices and software to gain unauthorized access to federal networks. The actor can exfiltrate sensitive data and establish persistent access. CISA has issued Emergency Directive 26-01 to mitigate the risk, requiring immediate updates to F5 products. The directive affects all Federal Civilian Executive Branch (FCEB) agencies. The directive follows F5's disclosure of a breach in their development environment, where the actor had long-term access and exfiltrated files. The vulnerability poses a significant risk to any organization using F5 technology.

CISA Emergency Directive 25-03: Mitigation of Cisco ASA Zero-Day Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) has **reiterated urgent warnings** to U.S. federal agencies after discovering that some organizations incorrectly applied updates for **CVE-2025-20333** and **CVE-2025-20362**, leaving devices marked as 'patched' but still vulnerable to active exploitation. CISA confirmed it is tracking ongoing attacks targeting unpatched Cisco ASA and Firepower devices within Federal Civilian Executive Branch (FCEB) agencies, with over **30,000 devices** remaining exposed globally, down from 45,000 in early October. The vulnerabilities enable unauthenticated remote code execution, unauthorized access to restricted endpoints, and denial-of-service (DoS) attacks. They have been linked to the **ArcaneDoor campaign**, a state-sponsored group active since at least July 2023, which has deployed malware like **RayInitiator** and **LINE VIPER**, manipulated ROM for persistence, and forced devices into reboot loops. CISA’s **Emergency Directive 25-03**, issued in September 2025, mandates federal agencies to account for all affected devices, disconnect end-of-support systems, and apply minimum software versions. The directive also introduced the **RayDetect scanner** to detect compromise evidence in ASA core dumps. Recent findings reveal the same threat actor also exploited **CVE-2025-5777 (Citrix Bleed 2)** and **CVE-2025-20337 (Cisco ISE)** as zero-days, deploying a custom web shell ('IdentityAuditAction') with advanced evasion techniques. The campaign’s indiscriminate targeting and multi-platform exploitation underscore the adversary’s broad capabilities and access to sophisticated tools.

Cisco IOS and IOS XE SNMP Zero-Day Exploited in Attacks

Cisco has released security updates to address a high-severity zero-day vulnerability (CVE-2025-20352) in Cisco IOS and IOS XE Software. The flaw is a stack-based buffer overflow in the Simple Network Management Protocol (SNMP) subsystem and is actively exploited in attacks. It allows authenticated, remote attackers to cause denial-of-service (DoS) conditions or gain root control of affected systems. The vulnerability impacts all devices with SNMP enabled, including specific Cisco devices running Meraki CS 17 and earlier. Cisco advises customers to upgrade to a fixed software release, specifically Cisco IOS XE Software Release 17.15.4a. Temporary mitigation involves limiting SNMP access to trusted users and disabling the affected Object Identifiers (OIDs) on devices. Additionally, Cisco patched 13 other security vulnerabilities, including two with available proof-of-concept exploit code. Cisco also released patches for 14 vulnerabilities in IOS and IOS XE, including eight high-severity vulnerabilities; proof-of-concept exploit code exists for two of them, but exploitation is not confirmed. Three additional medium-severity bugs affect Cisco's SD-WAN vEdge, Access Point, and Wireless Access Point (AP) software. Cybersecurity researchers have disclosed details of a new campaign, codenamed "Operation Zero Disco", that exploited CVE-2025-20352 to deploy Linux rootkits on older, unprotected systems. The attacks targeted Cisco 9400, 9300, and legacy 3750G series devices and involved a modified Telnet vulnerability (based on CVE-2017-3881) to enable arbitrary memory access. The rootkits allowed attackers to achieve remote code execution and gain persistent unauthorized access by setting universal passwords and installing hooks into the Cisco IOS daemon (IOSd) memory space.
The attacks singled out victims running older Linux systems without endpoint detection and response (EDR) solutions, using spoofed IP and MAC addresses. The rootkit sets a universal password containing the word "disco" by modifying IOSd memory and installs several hooks onto the IOSd; its fileless components disappear after a reboot, yet still enable lateral movement in the meantime. Newer switch models provide some protection via Address Space Layout Randomization (ASLR). The campaign used a UDP controller on infected switches, listening on any port for remote commands, to toggle or delete device logs, bypass authentication, and conceal configuration changes: the rootkit could hide running-config items such as account names, EEM scripts, and ACLs, bypass VTY ACLs, and reset the last running-config write timestamp. The attacks against 32-bit builds included an SNMP exploit that split command payloads across packets; for 64-bit targets, attackers needed guest shell access at privilege level 15 to install a fileless backdoor and use the UDP controller for remote management. Trend Research recovered multiple exploit variants for 32-bit and 64-bit platforms, and Cisco provided forensic support that helped confirm the affected models (9400 series, 9300 series, and legacy 3750G) and assisted the investigation.
Cisco has also patched a vulnerability in its Identity Services Engine (ISE) network access control solution, with public proof-of-concept exploit code, that can be abused by attackers with admin privileges. The security flaw (CVE-2026-20029) affects Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) regardless of device configuration, and remote attackers with high privileges can exploit it to access sensitive information on unpatched devices. Cisco strongly recommends upgrading to fixed software releases to fully address the vulnerability. Cisco also addressed multiple IOS XE vulnerabilities that allow unauthenticated, remote attackers to restart the Snort 3 Detection Engine. Cisco warned customers in December that a Chinese threat group tracked as UAT-9686 is exploiting a maximum-severity Cisco AsyncOS zero-day (CVE-2025-20393) that's still awaiting a patch in attacks targeting Secure Email and Web Manager (SEWM) and Secure Email Gateway (SEG) appliances.
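The temporary mitigation mentioned above for the SNMP flaw, restricting SNMP access to trusted sources and narrowing what the affected OIDs expose, is something a defender can audit across a fleet from saved running-configs. The following is an added example (not Cisco's tooling and not part of the original page) that walks a constructed IOS configuration excerpt and flags each `snmp-server community` that is read-write, has no ACL, or is not bound to a view that actually excludes a subtree. The sample config, its hostnames and community strings are made up, and the excluded OID is a labelled placeholder, since the page does not list the affected OIDs.

```python
from typing import Dict, List

# Constructed Cisco IOS running-config excerpt for this example (not from any real device).
# The excluded OID is a placeholder: the page does not name the affected OIDs, so substitute
# the ones listed in Cisco's advisory when using this against real configs.
SAMPLE_CONFIG = """\
hostname edge-sw-01
!
snmp-server community public RO
snmp-server community private RW
snmp-server view NOC-VIEW iso included
snmp-server view NOC-VIEW 1.3.6.1.4.1.9.EXAMPLE-PLACEHOLDER-OID excluded
snmp-server community n0c-r0-str1ng view NOC-VIEW RO 10
access-list 10 permit 192.0.2.0 0.0.0.255
"""


def parse_community(line: str):
    """Parse 'snmp-server community <string> [view <name>] [RO|RW] [acl]' into its parts."""
    tokens = line.split()
    community = tokens[2]
    view, mode, acl = None, "RO", None   # IOS defaults to read-only when no mode is given
    rest = tokens[3:]
    i = 0
    while i < len(rest):
        tok = rest[i]
        if tok == "view" and i + 1 < len(rest):
            view = rest[i + 1]
            i += 2
            continue
        if tok == "ipv6" and i + 1 < len(rest):
            acl = rest[i + 1]   # 'ipv6 <acl>' form; any ACL counts as an access restriction
            i += 2
            continue
        if tok in ("RO", "RW"):
            mode = tok
        else:
            acl = tok           # trailing numbered or named standard ACL
        i += 1
    return community, view, mode, acl


def audit_snmp(config_text: str) -> Dict[str, List[str]]:
    """Flag SNMP communities that are read-write, lack an ACL, or expose the full MIB tree.

    Returns {community: [issue, ...]}; an empty list means the community passed all checks.
    """
    # Views that exclude at least one subtree; a view made only of 'included' rules
    # does not restrict anything.
    restrictive_views = {
        ln.split()[2] for ln in config_text.splitlines()
        if ln.startswith("snmp-server view ") and ln.split()[-1] == "excluded"
    }
    findings: Dict[str, List[str]] = {}
    for ln in config_text.splitlines():
        if not ln.startswith("snmp-server community "):
            continue
        community, view, mode, acl = parse_community(ln)
        issues = []
        if mode == "RW":
            issues.append("read_write")
        if acl is None:
            issues.append("no_acl")
        if view is None or view not in restrictive_views:
            issues.append("no_restrictive_view")
        findings[community] = issues
    return findings


if __name__ == "__main__":
    for community, issues in audit_snmp(SAMPLE_CONFIG).items():
        status = "OK" if not issues else ", ".join(issues)
        print(f"{community:<16} {status}")
```

Only the third community in the sample passes: it is read-only, limited by `access-list 10` to a management subnet, and bound to a view that excludes a subtree. The check deliberately treats an `included`-only view as no restriction, because that is the common mistake when an administrator adds a view but never excludes the OIDs the advisory calls out.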