
CISA Binding Operational Directive to Remove End-of-Life Edge Devices Amid Active Exploitation

Updated February 7, 2026 at 01:00 PM · 10 sources

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a Binding Operational Directive (BOD) ordering federal civilian agencies to identify and remove end-of-life/end-of-service (EOS), internet-facing edge devices—citing widespread active exploitation by sophisticated threat actors, including activity with ties to nation-states. CISA warned that unsupported devices remain in service long after vendors stop providing firmware and security updates, making them persistently vulnerable to exploitation and a recurring entry point for high-impact intrusions.

The directive requires agencies to inventory unsupported edge devices within three months, decommission/replace identified EOS devices on an accelerated timeline (reported as within one year for removal), and establish ongoing processes for continuous discovery/monitoring to prevent unsupported technologies from re-entering networks. Device categories called out include common perimeter and network infrastructure such as firewalls, routers, load balancers, switches, wireless access points, network security appliances, and IoT edge devices; CISA is also producing a government-wide list of EOS edge devices to guide compliance. Officials emphasized the action is not tied to a single incident, but reflects the sustained risk and observed exploitation of unsupported edge infrastructure across federal environments, while encouraging non-federal organizations to adopt similar practices.

Sources

February 7, 2026 at 10:55 AM

5 more from sources like BleepingComputer, CSO Online, Nextgov, The Record Media and CyberScoop

Related Stories

CISA Emergency Directive to Mitigate Exploited Vulnerabilities in Cisco SD-WAN

CISA issued **Emergency Directive ED 26-03** directing U.S. federal civilian executive branch (FCEB) agencies to **mitigate vulnerabilities affecting Cisco SD-WAN systems**, reflecting active risk to government networks and aligning with CISA’s broader push to drive rapid remediation of exploited flaws. CISA’s **Known Exploited Vulnerabilities (KEV) Catalog** provides the operational backbone for this action by listing vulnerabilities confirmed as exploited in the wild and setting expectations for prioritized patching and mitigation; ED 26-03 is consistent with the KEV-driven approach of requiring agencies to identify affected assets and remediate within mandated timelines to reduce exposure from real-world exploitation.

2 weeks ago

CISA Adds Array Networks and D-Link Vulnerabilities to KEV Catalog

The Cybersecurity and Infrastructure Security Agency (CISA) has added two actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: a command injection flaw in Array Networks ArrayOS AG VPN devices (CVE-2025-66644) and a buffer overflow in D-Link Go-RT-AC750 routers (CVE-2022-37055). The Array Networks vulnerability affects versions before 9.4.5.9 and has been exploited since August 2025, primarily targeting Japanese organizations, allowing attackers to deploy PHP webshells and create rogue user accounts. The D-Link vulnerability impacts end-of-life routers, enabling remote code execution and lateral movement, with no official patches available, prompting recommendations for device retirement and additional mitigations. Federal agencies are mandated under Binding Operational Directive (BOD) 22-01 to remediate these vulnerabilities by specified deadlines, while all organizations are strongly urged to prioritize patching and mitigation efforts. CISA emphasizes the persistent risk posed by vulnerabilities in VPN appliances and legacy routers, recommending immediate action such as patching, isolating affected hardware, and integrating KEV feeds into vulnerability management processes to reduce exposure to active cyber threats.

3 months ago
CISA Flags Actively Exploited Vulnerabilities in SolarWinds Web Help Desk and Major Platforms

**CISA added multiple vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog**, triggering mandatory remediation timelines for U.S. federal civilian agencies. The newly listed issues include an actively exploited flaw in **SolarWinds Web Help Desk** (`CVE-2025-40536`) with an accelerated patch deadline, alongside additional KEV additions affecting **Apple** platforms (iOS, macOS, tvOS, watchOS, visionOS), **Microsoft** products, and **Notepad++**. Apple stated it was aware of reports the issue “may have been exploited in an extremely sophisticated attack against specific targeted individuals,” with **Google Threat Analysis Group** credited with discovery, underscoring continued targeting of high-value users via mobile/endpoint zero-days. Separate reporting highlighted the broader operational context driving these directives: **Microsoft’s February security update** addressed **59 vulnerabilities**, including **six zero-days under active exploitation**, reinforcing that exploit timelines are compressing and patching is increasingly a “defense sprint.” In parallel, CISA also moved to reduce systemic exposure at the perimeter by ordering agencies to **remove unsupported network edge devices** (e.g., firewalls/routers) within a year, reflecting concern that end-of-support infrastructure and rapidly weaponized vulnerabilities are converging into a persistent, high-impact federal risk.

1 month ago
