The U.S. Cybersecurity and Infrastructure Security Agency issued a mandatory order Thursday requiring federal agencies to identify and remove network edge devices that no longer receive security updates from manufacturers.
The directive, BOD 26-02, targets routers, firewalls, VPN concentrators, and other edge devices that have reached end-of-support status. CISA warned these outdated devices leave federal systems vulnerable to "widespread exploitation campaigns by advanced threat actors," including nation-state groups with ties to Russia and China.
What Happened?
CISA's binding operational directive establishes aggressive timelines for federal civilian executive branch agencies:
- Immediate action required: Update any vendor-supported edge devices currently running end-of-support software
- 3 months: Complete inventory of all end-of-support devices on CISA's list and report findings
- 12 months: Decommission all devices that reached end-of-support before the directive's issuance date
- 18 months: Replace all remaining end-of-support edge devices with vendor-supported equipment
- 24 months: Establish continuous discovery processes to track devices approaching end-of-support status
Nick Andersen, CISA's executive assistant director for cybersecurity, told reporters the directive responds to ongoing exploitation by attackers "including those with ties to nation-states." He declined to name specific countries or incidents but confirmed the threat is "substantial and constant."
CISA created an end-of-support edge device list to help agencies identify vulnerable equipment but will not publish it publicly. Andersen noted that some agencies may need to invest in new devices, which could require multi-year budget planning.
The directive applies only to federal civilian agencies, but CISA strongly encourages state and local governments, critical infrastructure operators, and private sector organizations to follow the same guidance.
The Impact
Edge devices have become a primary attack vector for both nation-state hackers and cybercriminal groups over the past two years.
Russian threat actors linked to GRU's Sandworm unit shifted tactics in 2025, moving away from expensive zero-day exploitation toward targeting misconfigured and unsupported edge devices, according to Amazon Threat Intelligence research published in December. The campaign primarily targeted North American and European energy sector organizations.
Chinese-linked groups also focused heavily on edge device vulnerabilities throughout 2024. The Volt Typhoon campaign compromised thousands of small-office/home-office routers and firewalls, with a particular focus on end-of-life equipment from Cisco and Netgear.
Recent high-profile attacks demonstrate the risk:
- Ivanti Connect Secure VPNs: Mass exploitation of two zero-day vulnerabilities compromised thousands of devices in early 2024, including systems used by CISA itself
- Palo Alto Networks GlobalProtect: Vulnerabilities allowed remote code execution and multi-factor authentication bypass, exploited by nation-state actors and ransomware groups
- Cisco ASA devices: The ArcaneDoor campaign by nation-state actors exploited weaknesses in Adaptive Security Appliances, infiltrating government and industrial networks for long-term espionage
Edge devices are attractive targets because they sit at the network perimeter, have extensive reach into internal systems, and often integrate with identity management platforms. Once compromised, attackers can intercept credentials, move laterally, exfiltrate data, and establish persistent access.
Darktrace's 2024 threat intelligence report found that 40% of malicious activity in the first half of 2024 involved the exploitation of internet-facing devices. Four of the six most commonly exploited vulnerabilities affected security vendor products from Ivanti, Palo Alto Networks, and Fortinet.
The shift toward targeting unsupported devices reflects a troubling reality: attackers recognize that many organizations struggle to patch or replace edge devices due to operational constraints and budget limitations.
How to Avoid This
Organizations can't afford to wait for a breach to prioritize edge device security. Here's what security teams should do immediately:
Inventory All Edge Devices
Create a complete asset inventory of routers, firewalls, VPN gateways, load balancers, wireless access points, and network appliances. Document which devices are approaching end-of-support and when vendor support expires.
Check Vendor Support Status
Contact vendors to confirm support timelines for all edge devices. Many manufacturers publish end-of-life schedules, but some require direct inquiry. Budget for replacements before devices lose support.
Establish Lifecycle Management
Build a process for continuous discovery and tracking of edge devices. Set calendar reminders 12-18 months before end-of-support dates to allow time for budget approval and procurement.
Apply all available security updates to vendor-supported devices. CISA's directive requires immediate patching for devices running end-of-support software where updates exist and won't disrupt critical operations.
Replace Unsupported Devices
Don't wait for a mandate. Unsupported devices pose unacceptable risk regardless of whether you're required to remove them. Plan replacement cycles that align with vendor support timelines.
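As an added illustration (not from the article, CISA, or the directive itself), the following Python maps a constructed edge-device inventory onto the directive's action buckets and deadlines; the issuance date, the sample devices, and the bucket names are assumptions, and the 12-18 month planning window is the one recommended above.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical issuance date of BOD 26-02: the article only says "Thursday".
DIRECTIVE_ISSUED = date(2026, 1, 15)

def add_months(d: date, n: int) -> date:
    """Add n calendar months; day clamped to 28 so a deadline never lands later than intended."""
    y, m = divmod(d.month - 1 + n, 12)
    return date(d.year + y, m + 1, min(d.day, 28))

@dataclass
class EdgeDevice:
    name: str
    role: str                                  # router, firewall, vpn, load balancer ...
    hw_end_of_support: Optional[date]          # None: vendor still supports the device
    sw_end_of_support: Optional[date] = None   # end of support of the software build it runs
    update_available: bool = False             # a supported build exists to move to

def classify(dev: EdgeDevice, today: date, issued: date = DIRECTIVE_ISSUED):
    """Return (action, deadline) following the directive's timeline buckets."""
    if dev.hw_end_of_support is None:
        # Supported hardware running end-of-support software: update immediately.
        if dev.sw_end_of_support and dev.sw_end_of_support <= today and dev.update_available:
            return "update-now", today
        return "supported", None
    if dev.hw_end_of_support <= issued:
        return "decommission", add_months(issued, 12)   # EoS before issuance: 12 months
    if dev.hw_end_of_support <= today:
        return "replace", add_months(issued, 18)        # EoS after issuance: 18 months
    if dev.hw_end_of_support <= add_months(today, 18):  # inside the planning window
        return "plan-replacement", add_months(dev.hw_end_of_support, -12)
    return "supported", None

def report(devices, today: date, issued: date = DIRECTIVE_ISSUED):
    """Inventory rows sorted by urgency: the findings an agency would report at 3 months."""
    order = {"update-now": 0, "decommission": 1, "replace": 2, "plan-replacement": 3, "supported": 4}
    rows = [(d.name, d.role, *classify(d, today, issued)) for d in devices]
    return sorted(rows, key=lambda r: (order[r[2]], r[3] or date.max))

if __name__ == "__main__":
    INVENTORY = [  # constructed sample data, not any real network
        EdgeDevice("fw-edge-01", "firewall", date(2024, 9, 30)),
        EdgeDevice("vpn-gw-02", "vpn", date(2026, 1, 20)),
        EdgeDevice("rtr-core-03", "router", None, date(2025, 6, 30), True),
        EdgeDevice("lb-dmz-04", "load balancer", date(2027, 3, 31)),
        EdgeDevice("ap-hq-05", "wireless AP", date(2029, 1, 1)),
    ]
    for row in report(INVENTORY, date(2026, 2, 1)):
        print(*row)
```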
Monitor Configuration Security
Nation-state actors increasingly target misconfigured edge devices rather than exploiting vulnerabilities. Review management interface access, disable unnecessary services, change default credentials, and restrict remote access to management functions.
Separate Management Interfaces
Management interfaces for edge devices should not be directly accessible from the internet. Use dedicated management networks with strict access controls.
Test Incident Response Plans
Run tabletop exercises that simulate edge device compromise. Document procedures for rapid containment, evidence collection, and credential rotation if an edge device is suspected of compromise.
CISA published a joint fact sheet with the FBI and UK's National Cyber Security Centre providing additional guidance on protecting edge devices. The guidance applies to all organizations, not just federal agencies.
Andersen emphasized that while the directive targets federal agencies, the risk affects everyone. "Practicing good cyber hygiene starts with eliminating unsupported edge devices," he said. "Unsupported devices should never remain on enterprise networks."
Organizations that maintain end-of-support edge devices face an inevitable choice: patch or perish. Nation-state actors discover vulnerabilities first and exploit them quietly for intelligence collection; those exploits then filter down to cybercriminal groups, who use them in mass-scale attacks.
By the time a vulnerability becomes public knowledge, unpatched systems face attacks from multiple threat actors with varying levels of sophistication. Edge devices that can't receive patches become permanent liabilities.