CISA Orders Federal Agencies to Adopt Risk-Based Vulnerability Patching
CISA issued Binding Operational Directive 26-04 requiring U.S. federal civilian agencies to prioritize vulnerability remediation by risk instead of treating all flaws as equally urgent. The directive tells agencies to rank vulnerabilities using four factors: whether the affected asset is public-facing, whether exploitation can be fully automated, whether compromise could enable full system takeover, and whether there is evidence of active exploitation, including inclusion in CISA’s Known Exploited Vulnerabilities catalog. Based on those criteria, agencies now face remediation deadlines ranging from three days for the highest-risk cases to 60 days for lower-priority flaws, while some low-risk issues may be deferred until a planned major system upgrade.
CISA said the overhaul is meant to help agencies “patch smarter, not harder” as AI shortens the time between disclosure and weaponization and defenders struggle with limited resources. Agencies must immediately update vulnerability management policies, revise remediation processes within 60 days, and fully implement the directive’s timelines within 180 days; vulnerabilities meeting all four criteria also require forensic triage to determine whether systems were already compromised before patching. CISA said an initial review at one large civilian agency found only about 1% of vulnerability instances would require the three-day response, while more than 60% could be deferred, and the agency urged private-sector organizations to adopt similar risk-based practices alongside hardening, segmentation, and phishing-resistant MFA.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
CISA issues Binding Operational Directive 26-04
CISA issued BOD 26-04, requiring federal civilian agencies to prioritize vulnerability remediation using four risk criteria rather than treating all flaws as equally urgent. The directive sets remediation timelines ranging from three days for the highest-risk vulnerabilities to longer periods or deferral for lower-risk issues, and adds expectations for forensic triage to determine whether compromise occurred before patching.
CISA previews shift to risk-based vulnerability prioritization
Acting CISA Director Nick Andersen said the agency plans to issue a new binding operational directive that would move federal agencies away from blanket patching and toward prioritizing vulnerabilities based on risk factors such as exposure, exploitation, and operational impact. He also said CISA wants more granular prioritization discussions with critical infrastructure operators.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
23 references tracked. Mallory keeps watching after this page renders.
BOD 26-04: Risk-based Prioritization Shakes Up Compliance
guidepointsecurity.com
Open source炸了!限期3天修复漏洞,美国CISA大幅度压缩联邦机构高危漏洞整改时限 - FreeBuf网络安全行业门户
freebuf.com
Open sourceCISA Instructs Federal Agencies to Adopt Risk-Based Approach for Vulnerability Remediation
hipaajournal.com
Open sourceThe End of CVSS: Why CISA Just Rewrote the Rules of Vulnerability Management - TheCyberThrone
thecyberthrone.in
Open sourceNew CISA directive would reshape how agencies prioritize cyber risk, official says - Nextgov/FCW
nextgov.com
Open sourceCISA is rethinking how it prioritizes risks and vulnerabilities for feds, private sector | CyberScoop
cyberscoop.com
Open sourceCISA to transform how it assesses cyber vulnerabilities and risks, Andersen says | The Record from Recorded Future News
therecord.media
Open sourceBOD 26-04: Prioritizing Security Updates Based on Risk | CISA | Tod Beardsley
linkedin.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Federal Agencies Face Ongoing Risk from Unpatched Cisco ASA and Firepower Vulnerabilities
CISA has issued updated implementation guidance for Emergency Directive 25-03, highlighting that federal agencies are not fully patching critical vulnerabilities in Cisco Adaptive Security Appliances (ASA) and Firepower devices. Despite previous directives, CISA identified that some agencies reported devices as patched when, in fact, they were still running vulnerable software versions. The vulnerabilities, CVE-2025-20333 and CVE-2025-20362, continue to be actively exploited by advanced threat actors, prompting CISA to urge immediate corrective action and recommend the use of tools like RayDetect to check for evidence of compromise. The ongoing exploitation campaign has targeted federal civilian agencies since September, with CISA warning that incomplete patching leaves organizations exposed to significant risk. Agencies are directed to verify software versions, apply the minimum required updates, and follow additional mitigation steps if updates were applied after September 26, 2025. CISA has not confirmed whether any agencies have been breached but emphasizes the need for strict compliance to prevent further compromise. All organizations using Cisco ASA and Firepower devices are strongly encouraged to review and implement the latest guidance to mitigate ongoing threats.
Mar 21, 2026
CISA Emergency Directive on F5 Device Vulnerabilities Exploited by Nation-State Actors
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive requiring all federal agencies to immediately patch critical vulnerabilities in F5 devices and software following the discovery of a nation-state cyber intrusion. CISA identified that a sophisticated threat actor, linked to China, has been actively exploiting vulnerabilities in F5 products, posing an imminent threat to federal networks. The vulnerabilities allow attackers to gain unauthorized access to embedded credentials and API keys, which can be leveraged to move laterally within affected networks. This access enables the exfiltration of sensitive data and the establishment of persistent access, potentially resulting in a full compromise of targeted information systems. F5 disclosed that the threat actor had maintained long-term, persistent access to its BIG-IP development environment and engineering knowledge management platforms, leading to the exfiltration of files. CISA’s Emergency Directive 26-01 mandates that all Federal Civilian Executive Branch (FCEB) agencies apply the latest vendor-provided updates to at-risk F5 devices and software, including F5OS, BIG-IP TMOS, BIG-IQ, and BNK / CNF, by October 22, 2025. Agencies are also instructed to follow F5’s Quarterly Security Notification for further mitigation steps. The directive was issued despite ongoing challenges such as a government shutdown and the lapse of the Cybersecurity Information Sharing Act of 2015, underscoring the urgency and severity of the threat. CISA’s acting director emphasized the alarming ease with which these vulnerabilities can be exploited and warned that the risks extend beyond federal agencies to any organization using F5 technology. The agency highlighted the potential for catastrophic compromise of critical information systems if the vulnerabilities are not addressed promptly. The directive is part of a broader effort to protect federal networks from nation-state adversaries and to ensure the security of sensitive government data. CISA’s response follows a pattern of nation-state actors targeting widely used enterprise technologies to gain access to high-value networks. The agency’s public statements and technical guidance stress the importance of immediate action and cross-sector vigilance. F5’s own disclosures and cooperation with CISA have been critical in identifying the scope of the intrusion and the necessary remediation steps. The incident has raised concerns about the security of supply chains and the potential for similar attacks on other technology vendors. Federal agencies are being closely monitored for compliance with the directive, and CISA is providing ongoing support and threat intelligence updates. The event highlights the persistent and evolving nature of nation-state cyber threats targeting critical infrastructure and government systems.
Mar 21, 2026
CISA Flags Actively Exploited Vulnerabilities in SolarWinds Web Help Desk and Major Platforms
**CISA added multiple vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog**, triggering mandatory remediation timelines for U.S. federal civilian agencies. The newly listed issues include an actively exploited flaw in **SolarWinds Web Help Desk** (`CVE-2025-40536`) with an accelerated patch deadline, alongside additional KEV additions affecting **Apple** platforms (iOS, macOS, tvOS, watchOS, visionOS), **Microsoft** products, and **Notepad++**. Apple stated it was aware of reports the issue “may have been exploited in an extremely sophisticated attack against specific targeted individuals,” with **Google Threat Analysis Group** credited with discovery, underscoring continued targeting of high-value users via mobile/endpoint zero-days. Separate reporting highlighted the broader operational context driving these directives: **Microsoft’s February security update** addressed **59 vulnerabilities**, including **six zero-days under active exploitation**, reinforcing that exploit timelines are compressing and patching is increasingly a “defense sprint.” In parallel, CISA also moved to reduce systemic exposure at the perimeter by ordering agencies to **remove unsupported network edge devices** (e.g., firewalls/routers) within a year, reflecting concern that end-of-support infrastructure and rapidly weaponized vulnerabilities are converging into a persistent, high-impact federal risk.
Mar 21, 2026