CISA orders agencies to patch and replace end-of-life devices, citing active exploitation
CISA orders agencies to patch and replace end-of-life devices, citing active exploitation
Publish Date: 2026-02-05 14:48:00
Source Domain: www.nextgov.com
The Cybersecurity and Infrastructure Security Agency said Thursday it detected widespread exploitation of unsupported, internet-facing devices by advanced hackers and ordered federal agencies to begin a monthslong process of removing and replacing that outdated equipment.
The binding operational directive focuses on edge devices, many of which remain in service long after software vendors stop issuing security updates, increasing the risk of exploitation.
“The imminent threat of exploitation to agency information systems running EOS edge devices is substantial and constant, resulting in a significant threat to federal property. CISA is aware of widespread exploitation campaigns by advanced threat actors targeting EOS edge devices,” the directive says.
On a call with reporters, Nick Andersen, executive assistant director for cybersecurity at CISA, said that some of the hackers have ties to nation state adversaries.
“We’re encouraging other organizations to follow our lead and adopt similar actions to strengthen the security of their edge devices. Put simply, unsupported devices should never remain on enterprise networks,” he said. The directive isn’t a response to any one compromise, he added, though he declined to name specific incidents that motivated the directive’s issuance.
Legacy systems are a repeated, common avenue that government agencies continue to struggle to secure, making them attractive targets for advanced threat actors once security updates lapse. At any point in time, hackers may be targeting federal computer networks, which frequently house sensitive data tied to government operations, public services and national functions.
The directive gives agencies three months to identify unsupported edge devices, a year to begin removing them and 18 months to eliminate them entirely, before requiring continuous monitoring to prevent outdated systems from returning to federal networks.
Agencies must immediately update any vendor-supported edge…
