CISA Mandates Replacement of End-of-Life Edge Devices in Federal Networks
Summary
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the FBI and the UK's National Cyber Security Centre (NCSC), has issued a joint alert warning about the risks posed by discontinued edge devices. These devices, which include firewalls, IoT devices, load balancers, network security appliances, routers, switches, wireless access points, and other software and hardware appliances, are often targeted by state-sponsored threat actors for network access, persistence, and data theft. CISA has issued Binding Operational Directive 26-02, mandating federal agencies to decommission and replace end-of-life (EOL) edge devices within 12 to 18 months. Agencies must also establish continuous discovery processes to identify and manage devices approaching end-of-support status within 24 months. CISA has developed an end-of-support edge device list to assist agencies in this effort.
Timeline
- 06.02.2026 10:41 (3 articles)
CISA Issues Binding Operational Directive 26-02 for EOL Edge Device Replacement
On February 6, 2026, CISA issued BOD 26-02, mandating federal agencies to decommission and replace EOL edge devices within 12 to 18 months. The directive also requires agencies to establish continuous discovery processes to identify and manage devices approaching end-of-support status within 24 months. This follows the 2023 directive BOD 23-02, which required securing misconfigured or Internet-exposed management interfaces. CISA has developed an end-of-support edge device list to assist agencies in identifying and managing these devices. Additionally, CISA, the FBI, and the UK's NCSC issued a joint alert warning about the risks posed by discontinued edge devices, emphasizing the immediate actions required by federal agencies, including updating supported edge devices running EOS software within three months and decommissioning identified EOS edge devices within 18 months.
Sources:
- CISA orders federal agencies to replace end-of-life edge devices — www.bleepingcomputer.com — 06.02.2026 10:41
- CISA Orders Removal of Unsupported Edge Devices to Reduce Federal Network Risk — thehackernews.com — 06.02.2026 15:43
- Organizations Urged to Replace Discontinued Edge Devices — www.securityweek.com — 07.02.2026 15:00
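The timeline entry above states three deadlines: supported devices running end-of-support software must be updated within three months, identified EOS edge devices must be decommissioned within 18 months, and a continuous discovery process must flag devices approaching end-of-support within 24 months. The following Python is an added illustration of how an agency might turn those deadlines into an inventory check; it is not code from CISA, the directive, or any of the cited articles. It assumes a simplified end-of-support list with `product`, `version` and `end_of_support` columns (the page says CISA's list carries product names, version numbers and end-of-support dates, but its actual file format is an assumption here), treats a version of `*` as the whole product being end-of-support, and uses a constructed inventory with hypothetical product names.

```python
"""Classify an edge-device inventory against an end-of-support list using the
deadlines reported for BOD 26-02. Added example; list format and product names
are assumptions, not CISA's actual data."""
from __future__ import annotations

import csv
import io
from datetime import date

# Deadlines stated in the directive as reported on this page, in months after issuance.
UPDATE_EOS_SOFTWARE_MONTHS = 3       # supported device running EOS software
DECOMMISSION_EOS_DEVICE_MONTHS = 18  # the device itself is end-of-support
DISCOVERY_HORIZON_MONTHS = 24        # flag devices approaching EOS within this window
DIRECTIVE_ISSUED = date(2026, 2, 6)

# Constructed, simplified end-of-support list (hypothetical product names).
# version '*' = the whole product is EOS; a specific version = that software release is EOS.
EOS_LIST_CSV = """product,version,end_of_support
ExampleFW-100,*,2024-06-30
ExampleFW-200,*,2027-01-15
ExampleRouter-X,4.2,2025-11-01
ExampleRouter-X,5.0,2029-03-31
"""

# Constructed inventory export (hypothetical hostnames and products).
INVENTORY_CSV = """hostname,product,version
fw-edge-01,ExampleFW-100,7.1
fw-edge-02,ExampleFW-200,8.0
rtr-wan-01,ExampleRouter-X,4.2
rtr-wan-02,ExampleRouter-X,5.0
ap-lobby-01,ExampleAP-Z,1.0
"""


def add_months(d: date, months: int) -> date:
    """Shift d forward by whole months, clamping the day to the target month's
    length (31 Jan + 1 month -> 28/29 Feb) so deadline arithmetic never raises."""
    y, m = divmod(d.month - 1 + months, 12)
    year, month = d.year + y, m + 1
    first_of_next = date(year + (month == 12), (month % 12) + 1, 1)
    last_day = (first_of_next - date.resolution).day
    return date(year, month, min(d.day, last_day))


def load_eos_list(csv_text: str) -> dict[str, dict[str, date]]:
    """Parse the list into {product: {version: eos_date}}."""
    eos: dict[str, dict[str, date]] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        eos.setdefault(row["product"], {})[row["version"]] = date.fromisoformat(row["end_of_support"])
    return eos


def classify(product: str, version: str, eos: dict[str, dict[str, date]],
             as_of: date, issued: date = DIRECTIVE_ISSUED) -> tuple[str, date | None]:
    """Map one inventory entry to a directive action and the date it is due.

    Priority: an EOS device is decommissioned even if its software is current;
    an EOS software release on a supported device is updated; anything reaching
    EOS inside the 24-month discovery window is tracked; otherwise it is supported.
    """
    entries = eos.get(product)
    if not entries:
        return ("NOT_LISTED", None)  # absent from the list: confirm status with the vendor
    platform_eos = entries.get("*")
    if platform_eos is not None and platform_eos <= as_of:
        return ("DECOMMISSION", add_months(issued, DECOMMISSION_EOS_DEVICE_MONTHS))
    software_eos = entries.get(version)
    if software_eos is not None and software_eos <= as_of:
        return ("UPDATE_SOFTWARE", add_months(issued, UPDATE_EOS_SOFTWARE_MONTHS))
    horizon = add_months(as_of, DISCOVERY_HORIZON_MONTHS)
    upcoming = [d for d in (platform_eos, software_eos) if d is not None and d <= horizon]
    if upcoming:
        return ("TRACK", min(upcoming))  # deadline here is the EOS date itself
    return ("SUPPORTED", None)


def assess_inventory(inventory_csv: str, eos_csv: str, as_of: date) -> dict[str, tuple[str, date | None]]:
    """Run classify() over every inventory row; keyed by hostname."""
    eos = load_eos_list(eos_csv)
    return {
        row["hostname"]: classify(row["product"], row["version"], eos, as_of)
        for row in csv.DictReader(io.StringIO(inventory_csv))
    }


if __name__ == "__main__":
    for host, (action, due) in assess_inventory(INVENTORY_CSV, EOS_LIST_CSV, DIRECTIVE_ISSUED).items():
        print(f"{host:<12} {action:<16} {due.isoformat() if due else '-'}")
```

Run against the constructed data as of the directive's issue date, the EOS firewall is due for decommissioning on 2027-08-06, the router on an EOS release is due for a software update on 2026-05-06, the firewall whose platform expires in January 2027 is tracked, and the unlisted access point is flagged for vendor confirmation rather than silently treated as supported. The discovery step is the part that needs re-running continuously: as `as_of` advances, TRACK entries turn into UPDATE_SOFTWARE or DECOMMISSION items.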
Information Snippets
- CISA issued BOD 26-02 to mandate the removal of EOL edge devices from federal networks.
  First reported: 06.02.2026 10:41 (3 sources, 3 articles)
  - CISA orders federal agencies to replace end-of-life edge devices — www.bleepingcomputer.com — 06.02.2026 10:41
  - CISA Orders Removal of Unsupported Edge Devices to Reduce Federal Network Risk — thehackernews.com — 06.02.2026 15:43
  - Organizations Urged to Replace Discontinued Edge Devices — www.securityweek.com — 07.02.2026 15:00
- EOL edge devices, such as routers, firewalls, and network switches, are vulnerable to exploitation due to lack of security updates.
  First reported: 06.02.2026 10:41 (3 sources, 3 articles)
  - CISA orders federal agencies to replace end-of-life edge devices — www.bleepingcomputer.com — 06.02.2026 10:41
  - CISA Orders Removal of Unsupported Edge Devices to Reduce Federal Network Risk — thehackernews.com — 06.02.2026 15:43
  - Organizations Urged to Replace Discontinued Edge Devices — www.securityweek.com — 07.02.2026 15:00
- Federal agencies must decommission EOL devices within 12 to 18 months and establish continuous discovery processes within 24 months.
  First reported: 06.02.2026 10:41 (3 sources, 3 articles)
  - CISA orders federal agencies to replace end-of-life edge devices — www.bleepingcomputer.com — 06.02.2026 10:41
  - CISA Orders Removal of Unsupported Edge Devices to Reduce Federal Network Risk — thehackernews.com — 06.02.2026 15:43
  - Organizations Urged to Replace Discontinued Edge Devices — www.securityweek.com — 07.02.2026 15:00
- CISA warns of widespread exploitation campaigns by advanced threat actors targeting EOL edge devices.
  First reported: 06.02.2026 10:41 (3 sources, 3 articles)
  - CISA orders federal agencies to replace end-of-life edge devices — www.bleepingcomputer.com — 06.02.2026 10:41
  - CISA Orders Removal of Unsupported Edge Devices to Reduce Federal Network Risk — thehackernews.com — 06.02.2026 15:43
  - Organizations Urged to Replace Discontinued Edge Devices — www.securityweek.com — 07.02.2026 15:00
- CISA has developed an end-of-support edge device list that includes product names, version numbers, and end-of-support dates.
  First reported: 06.02.2026 15:43 (2 sources, 2 articles)
  - CISA Orders Removal of Unsupported Edge Devices to Reduce Federal Network Risk — thehackernews.com — 06.02.2026 15:43
  - Organizations Urged to Replace Discontinued Edge Devices — www.securityweek.com — 07.02.2026 15:00
- CISA Acting Director Madhu Gottumukkala emphasized the importance of proactive lifecycle management and removing end-of-support technology.
  First reported: 06.02.2026 15:43 (1 source, 1 article)
  - CISA Orders Removal of Unsupported Edge Devices to Reduce Federal Network Risk — thehackernews.com — 06.02.2026 15:43
- CISA, FBI, and UK's NCSC issued a joint alert warning about the risks posed by discontinued edge devices.
  First reported: 07.02.2026 15:00 (1 source, 1 article)
  - Organizations Urged to Replace Discontinued Edge Devices — www.securityweek.com — 07.02.2026 15:00
- EOS edge devices are targeted by state-sponsored threat actors for network access, persistence, and data theft.
  First reported: 07.02.2026 15:00 (1 source, 1 article)
  - Organizations Urged to Replace Discontinued Edge Devices — www.securityweek.com — 07.02.2026 15:00
- CISA issued BOD 26-02: Mitigating Risk From End-of-Support Edge Devices, urging federal agencies to act immediately.
  First reported: 07.02.2026 15:00 (1 source, 1 article)
  - Organizations Urged to Replace Discontinued Edge Devices — www.securityweek.com — 07.02.2026 15:00
- Federal agencies are required to update supported edge devices running EOS software to supported versions within three months.
  First reported: 07.02.2026 15:00 (1 source, 1 article)
  - Organizations Urged to Replace Discontinued Edge Devices — www.securityweek.com — 07.02.2026 15:00
- Federal agencies must decommission identified EOS edge devices within 18 months and establish continuous discovery processes within 24 months.
  First reported: 07.02.2026 15:00 (1 source, 1 article)
  - Organizations Urged to Replace Discontinued Edge Devices — www.securityweek.com — 07.02.2026 15:00
Similar Happenings
Active Exploitation of Critical WatchGuard Fireware OS VPN Vulnerability (CVE-2025-14733)
WatchGuard has released patches for a critical out-of-bounds write vulnerability (CVE-2025-14733, CVSS 9.3) in Fireware OS, which is being actively exploited in the wild. The flaw affects the iked process and could allow remote unauthenticated attackers to execute arbitrary code. The vulnerability impacts various versions of Fireware OS, including 2025.1, 12.x, 12.5.x, and 12.3.1, while versions 11.x are end-of-life. WatchGuard has observed active exploitation attempts from several IP addresses, some of which are linked to recent Fortinet vulnerabilities. The company has provided indicators of compromise (IoCs) and temporary mitigation steps for affected devices.
F5 Devices Targeted by Nation-State Actors; CISA Issues Emergency Directive
A nation-state threat actor is exploiting vulnerabilities in F5 devices and software to gain unauthorized access to federal networks. The actor can exfiltrate sensitive data and establish persistent access. CISA has issued Emergency Directive 26-01 to mitigate the risk, requiring immediate updates to F5 products. The directive affects all Federal Civilian Executive Branch (FCEB) agencies. The directive follows F5's disclosure of a breach in their development environment, where the actor had long-term access and exfiltrated files. The vulnerability poses a significant risk to any organization using F5 technology.
CISA Emergency Directive 25-03: Mitigation of Cisco ASA Zero-Day Vulnerabilities
The Cybersecurity and Infrastructure Security Agency (CISA) has **reiterated urgent warnings** to U.S. federal agencies after discovering that some organizations incorrectly applied updates for **CVE-2025-20333** and **CVE-2025-20362**, leaving devices marked as 'patched' but still vulnerable to active exploitation. CISA confirmed it is tracking ongoing attacks targeting unpatched Cisco ASA and Firepower devices within Federal Civilian Executive Branch (FCEB) agencies, with over **30,000 devices** remaining exposed globally, down from 45,000 in early October. The vulnerabilities enable unauthenticated remote code execution, unauthorized access to restricted endpoints, and denial-of-service (DoS) attacks. They have been linked to the **ArcaneDoor campaign**, a state-sponsored group active since at least July 2023, which has deployed malware like **RayInitiator** and **LINE VIPER**, manipulated ROM for persistence, and forced devices into reboot loops. CISA’s **Emergency Directive 25-03**, issued in September 2025, mandates federal agencies to account for all affected devices, disconnect end-of-support systems, and apply minimum software versions. The directive also introduced the **RayDetect scanner** to detect compromise evidence in ASA core dumps. Recent findings reveal the same threat actor also exploited **CVE-2025-5777 (Citrix Bleed 2)** and **CVE-2025-20337 (Cisco ISE)** as zero-days, deploying a custom web shell ('IdentityAuditAction') with advanced evasion techniques. The campaign’s indiscriminate targeting and multi-platform exploitation underscore the adversary’s broad capabilities and access to sophisticated tools.
Cisco IOS and IOS XE SNMP Zero-Day Exploited in Attacks
Cisco has released security updates to address a high-severity zero-day vulnerability (CVE-2025-20352) in Cisco IOS and IOS XE Software. The flaw is a stack-based buffer overflow in the Simple Network Management Protocol (SNMP) subsystem that is actively exploited in attacks; it allows authenticated, remote attackers to cause denial-of-service (DoS) conditions or gain root control of affected systems. The vulnerability impacts all devices with SNMP enabled, including specific Cisco devices running Meraki CS 17 and earlier. Cisco advises customers to upgrade to a fixed software release, specifically Cisco IOS XE Software Release 17.15.4a. Temporary mitigation involves limiting SNMP access to trusted users and disabling the affected Object Identifiers (OIDs) on devices. Cisco also patched 13 other security vulnerabilities, for a total of 14 fixes in IOS and IOS XE, eight of them high-severity; proof-of-concept exploit code exists for two of the vulnerabilities, but exploitation is not confirmed. Three additional medium-severity bugs affect Cisco’s SD-WAN vEdge, Access Point, and Wireless Access Point (AP) software.

Cybersecurity researchers have disclosed details of a campaign codenamed "Operation Zero Disco" that exploited CVE-2025-20352 to deploy Linux rootkits on older, unprotected systems. The attacks targeted Cisco 9400 series, 9300 series, and legacy 3750G devices and also involved a modified Telnet vulnerability (based on CVE-2017-3881) that permitted arbitrary memory access. Victims ran older Linux systems without endpoint detection and response solutions, and the attackers used spoofed IPs and Mac email addresses. Newer switch models provide some protection via Address Space Layout Randomization (ASLR). Trend Research recovered multiple exploit variants for 32-bit and 64-bit platforms: against 32-bit builds the SNMP exploit split command payloads across packets, while on 64-bit targets attackers needed guest shell access at privilege level 15 to install a fileless backdoor and manage it through a UDP controller. The rootkit set a universal password containing the word "disco" by modifying IOSd memory and installed several hooks into the Cisco IOS daemon (IOSd) memory space; these fileless components disappear after a reboot, yet enabled remote code execution, persistent unauthorized access, and lateral movement in the meantime. Its covert capabilities included acting as a UDP listener on any port for remote commands, bypassing authentication and VTY ACLs, hiding running-config items such as account names, EEM scripts, and ACLs, concealing configuration changes, resetting the last running-config write timestamp, and toggling or deleting device logs. Cisco provided forensic support that helped confirm affected models and assisted the investigation.
Cisco has also patched a vulnerability in its Identity Services Engine (ISE) network access control solution, with public proof-of-concept exploit code, that can be abused by attackers with admin privileges. The security flaw (CVE-2026-20029) affects Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) regardless of device configuration, and remote attackers with high privileges can exploit it to access sensitive information on unpatched devices. Cisco strongly recommends upgrading to fixed software releases to fully address the vulnerability. Cisco also addressed multiple IOS XE vulnerabilities that allow unauthenticated, remote attackers to restart the Snort 3 Detection Engine. Cisco warned customers in December that a Chinese threat group tracked as UAT-9686 is exploiting a maximum-severity Cisco AsyncOS zero-day (CVE-2025-20393) that's still awaiting a patch in attacks targeting Secure Email and Web Manager (SEWM) and Secure Email Gateway (SEG) appliances.
Critical Out-of-Bounds Write Vulnerabilities in WatchGuard Firebox Firewalls Exploited in the Wild
Over 115,000 WatchGuard Firebox network security appliances remain exposed to critical remote code execution flaws, including CVE-2025-9242 and the newly disclosed CVE-2025-14733. These vulnerabilities allow remote attackers to execute code without authentication. WatchGuard has released patches and provided temporary workarounds for administrators who cannot immediately update their devices. The vulnerabilities are actively being exploited in the wild, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-9242 to its Known Exploited Vulnerabilities (KEV) catalog on November 13, 2025, based on evidence of active exploitation. Federal Civilian Executive Branch (FCEB) agencies are advised to apply WatchGuard's patches by December 3, 2025. The Shadowserver Foundation detected over 71,000 vulnerable devices as of October 17, 2025. As of November 12, 2025, over 54,300 Firebox instances remain vulnerable, with the U.S. having the highest number of vulnerable devices at 18,500. On December 22, 2025, Shadowserver found over 124,658 unpatched Firebox instances exposed online, with 117,490 still exposed the following day. CISA added CVE-2025-14733 to its KEV Catalog and ordered FCEB agencies to patch Firebox firewalls within a week, by December 26th.