CISA Binding Operational Directive to Remove End-of-Life Edge Devices Amid Active Exploitation
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a Binding Operational Directive (BOD) ordering federal civilian agencies to identify and remove end-of-life/end-of-service (EOS), internet-facing edge devices—citing widespread active exploitation by sophisticated threat actors, including activity with ties to nation-states. CISA warned that unsupported devices remain in service long after vendors stop providing firmware and security updates, making them persistently vulnerable to exploitation and a recurring entry point for high-impact intrusions.
The directive requires agencies to inventory unsupported edge devices within three months, decommission/replace identified EOS devices on an accelerated timeline (reported as within one year for removal), and establish ongoing processes for continuous discovery/monitoring to prevent unsupported technologies from re-entering networks. Device categories called out include common perimeter and network infrastructure such as firewalls, routers, load balancers, switches, wireless access points, network security appliances, and IoT edge devices; CISA is also producing a government-wide list of EOS edge devices to guide compliance. Officials emphasized the action is not tied to a single incident, but reflects the sustained risk and observed exploitation of unsupported edge infrastructure across federal environments, while encouraging non-federal organizations to adopt similar practices.

How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
CISA creates nonpublic EOS edge device list and begins compliance support
CISA created an end-of-support edge device list to help agencies identify affected products, versions and support dates, but said the list would not be published publicly. The agency said it developed the directive with OMB and would track agency compliance while providing implementation support such as guidance and reporting templates.
Directive sets inventory, replacement and lifecycle-management deadlines
The directive requires agencies to inventory end-of-support edge devices within three months, decommission or replace unsupported devices within one year, and establish an ongoing process within two years to identify devices approaching or reaching end of support. It also calls for immediate upgrades where hardware is still vendor-supported but running unsupported software, when operations will not be disrupted.
CISA issues BOD 26-02 on unsupported federal edge devices
On Feb. 5, CISA issued Binding Operational Directive 26-02 ordering U.S. federal civilian executive branch agencies to address end-of-support edge devices because of widespread exploitation risk. The agency said unsupported internet-facing devices such as firewalls, routers, load balancers and similar perimeter systems are being targeted by advanced and in some cases nation-state-linked actors.


