CISA Binding Operational Directive to Remove End-of-Life Edge Devices Amid Active Exploitation
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a Binding Operational Directive (BOD) ordering federal civilian agencies to identify and remove end-of-life/end-of-service (EOS), internet-facing edge devices—citing widespread active exploitation by sophisticated threat actors, including activity with ties to nation-states. CISA warned that unsupported devices remain in service long after vendors stop providing firmware and security updates, making them persistently vulnerable to exploitation and a recurring entry point for high-impact intrusions.
The directive requires agencies to inventory unsupported edge devices within three months, decommission or replace identified EOS devices on an accelerated timeline (reported as within one year for removal), and establish ongoing processes for continuous discovery and monitoring so that unsupported technologies do not re-enter networks. Device categories called out include common perimeter and network infrastructure such as firewalls, routers, load balancers, switches, wireless access points, network security appliances, and IoT edge devices; CISA is also producing a government-wide list of EOS edge devices to guide compliance. Officials emphasized that the action is not tied to a single incident but reflects the sustained risk and observed exploitation of unsupported edge infrastructure across federal environments, and they encouraged non-federal organizations to adopt similar practices.
Timeline
Feb 5, 2026
CISA creates nonpublic EOS edge device list and begins compliance support
CISA created an end-of-support edge device list to help agencies identify affected products, versions and support dates, but said the list would not be published publicly. The agency said it developed the directive with OMB and would track agency compliance while providing implementation support such as guidance and reporting templates.
Feb 5, 2026
Directive sets inventory, replacement and lifecycle-management deadlines
The directive requires agencies to inventory end-of-support edge devices within three months, decommission or replace unsupported devices within one year, and establish an ongoing process within two years to identify devices approaching or reaching end of support. It also calls for immediate upgrades where hardware is still vendor-supported but running unsupported software, when operations will not be disrupted.
Feb 5, 2026
CISA issues BOD 26-02 on unsupported federal edge devices
On Feb. 5, CISA issued Binding Operational Directive 26-02 ordering U.S. federal civilian executive branch agencies to address end-of-support edge devices because of widespread exploitation risk. The agency said unsupported internet-facing devices such as firewalls, routers, load balancers and similar perimeter systems are being targeted by advanced and in some cases nation-state-linked actors.
Sources
5 more from sources like Bleeping Computer, CSO Online, Nextgov, The Record Media and CyberScoop
Related Stories

CISA Emergency Directive to Mitigate Exploited Vulnerabilities in Cisco SD-WAN
CISA issued **Emergency Directive ED 26-03** directing U.S. federal civilian executive branch (FCEB) agencies to **mitigate vulnerabilities affecting Cisco SD-WAN systems**, reflecting active risk to government networks and aligning with CISA’s broader push to drive rapid remediation of exploited flaws. CISA’s **Known Exploited Vulnerabilities (KEV) Catalog** provides the operational backbone for this action by listing vulnerabilities confirmed as exploited in the wild and setting expectations for prioritized patching and mitigation; ED 26-03 is consistent with the KEV-driven approach of requiring agencies to identify affected assets and remediate within mandated timelines to reduce exposure from real-world exploitation.
1 month ago
CISA Adds Array Networks and D-Link Vulnerabilities to KEV Catalog
The Cybersecurity and Infrastructure Security Agency (CISA) has added two actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: a command injection flaw in Array Networks ArrayOS AG VPN devices (CVE-2025-66644) and a buffer overflow in D-Link Go-RT-AC750 routers (CVE-2022-37055). The Array Networks vulnerability affects versions before 9.4.5.9 and has been exploited since August 2025, primarily targeting Japanese organizations, allowing attackers to deploy PHP webshells and create rogue user accounts. The D-Link vulnerability impacts end-of-life routers, enabling remote code execution and lateral movement, with no official patches available, prompting recommendations for device retirement and additional mitigations. Federal agencies are mandated under Binding Operational Directive (BOD) 22-01 to remediate these vulnerabilities by specified deadlines, while all organizations are strongly urged to prioritize patching and mitigation efforts. CISA emphasizes the persistent risk posed by vulnerabilities in VPN appliances and legacy routers, recommending immediate action such as patching, isolating affected hardware, and integrating KEV feeds into vulnerability management processes to reduce exposure to active cyber threats.
1 month ago
CISA Flags Actively Exploited Vulnerabilities in SolarWinds Web Help Desk and Major Platforms
**CISA added multiple vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog**, triggering mandatory remediation timelines for U.S. federal civilian agencies. The newly listed issues include an actively exploited flaw in **SolarWinds Web Help Desk** (`CVE-2025-40536`) with an accelerated patch deadline, alongside additional KEV additions affecting **Apple** platforms (iOS, macOS, tvOS, watchOS, visionOS), **Microsoft** products, and **Notepad++**. Apple stated it was aware of reports the issue “may have been exploited in an extremely sophisticated attack against specific targeted individuals,” with **Google Threat Analysis Group** credited with discovery, underscoring continued targeting of high-value users via mobile/endpoint zero-days. Separate reporting highlighted the broader operational context driving these directives: **Microsoft’s February security update** addressed **59 vulnerabilities**, including **six zero-days under active exploitation**, reinforcing that exploit timelines are compressing and patching is increasingly a “defense sprint.” In parallel, CISA also moved to reduce systemic exposure at the perimeter by ordering agencies to **remove unsupported network edge devices** (e.g., firewalls/routers) within a year, reflecting concern that end-of-support infrastructure and rapidly weaponized vulnerabilities are converging into a persistent, high-impact federal risk.
1 month ago