The Cybersecurity and Infrastructure Security Agency has given federal agencies 18 months to remove all end-of-support edge devices from their networks, escalating its response to what security researchers describe as a fundamental shift in nation-state attack tactics, where attackers exploit network infrastructure rather than endpoints.
The binding operational directive, BOD 26-02, requires Federal Civilian Executive Branch (FCEB) agencies to inventory, update where possible, and ultimately replace firewalls, routers, VPN gateways, load balancers, and network security appliances that no longer receive vendor security patches. CISA warned that the threat from these unsupported devices is “substantial and constant.”
“Unsupported devices pose a serious risk to federal systems and should never remain on enterprise networks,” CISA Acting Director Madhu Gottumukkala said in the directive.
The directive requires FCEB agencies to immediately update any edge device running outdated software to vendor-supported versions where possible. Within three months, agencies must inventory all end-of-support devices using CISA’s EOS Edge Device List and report findings. Within 12 months, agencies must begin removing devices that have reached end-of-support dates. The 18-month deadline requires all unsupported edge devices to be permanently removed and replaced.
Why edge devices became prime targets
“Edge devices differ fundamentally from traditional IT assets, as they are often end of support, custom, OEM and process dependent,” Avinash Dev Nagumanthri, director analyst at Gartner, told CSO. “This makes discovery, patching, and replacement difficult under tight budgets while maintaining uptime.”
Network edge devices have become one of the top initial access vectors for state-affiliated cyberespionage groups and ransomware gangs. Research shows a dramatic rise in edge device exploitation, with exploitation activity against network edge vulnerabilities increasing 8x. The 2025 Mandiant M-Trends report found that 21% of ransomware attacks used vulnerability exploitation as the initial access vector.
CISA has documented nation-state campaigns targeting devices from Cisco, Fortinet, Palo Alto Networks, Ivanti, Juniper, and other vendors. The agency noted that these devices have become attractive targets because of their position at the network boundary, integration with identity management systems, and privileged access for lateral movement. Once compromised, they enable threat actors to intercept network traffic, harvest credentials, and exfiltrate sensitive data while evading traditional endpoint detection.
Nagumanthri noted that edge devices protecting critical infrastructure can have physical impacts when compromised, putting high-value systems in sectors like water and transportation at risk. “Nation-state actors are increasingly exploiting edge devices as entry points into infrastructure, threatening critical private sector operations.”
The directive follows two recent emergency directives. In September, CISA issued Emergency Directive 25-03 after threat actors exploited zero-day vulnerabilities in Cisco Adaptive Security Appliances, deploying persistent malware that survived reboots. In October, another emergency directive followed the compromise of F5 Networks’ development environment, where attackers exfiltrated BIG-IP source code.
Implementation hurdles
Sunil Varkey, advisor at Beagle Security, warns of implementation complexities. “The operational reality of removing legacy systems is not straightforward,” Varkey said. “Legacy devices continue to exist not by design, but by necessity.”
He pointed to orphaned systems that remain live and embedded in workflows but lack clear ownership, and operational technology environments where newer hardware or software versions are not available, compatible, or certified. The process requires asset discovery, risk assessment, procurement, configuration redesign, data migration, testing, and managed cutovers to avoid service disruption.
“A common challenge will be the presence of ‘orphaned’ or ‘ghost’ systems — devices that are live, embedded in workflows, but no longer clearly owned,” Varkey said. “These systems often persist because ‘they’ve always worked,’ even when no one fully understands their function.”
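As an added illustration (not code from CISA or the directive), the following Python sketch triages a constructed device inventory against a stand-in for CISA's EOS Edge Device List, derives the directive's 3-, 12- and 18-month milestones from an assumed issue date, and flags the ownerless "ghost" devices Varkey describes so an owner can be assigned. The vendor names, products, end-of-support dates and the minimum-supported-firmware table are all assumptions made for the example.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class EdgeDevice:
    hostname: str
    vendor: str
    product: str
    firmware: str
    owner: Optional[str] = None  # None models an orphaned "ghost" device with no clear owner

# Constructed stand-in for CISA's EOS Edge Device List: (vendor, product) -> end-of-support date.
EOS_LIST = {  # vendor names, products and dates are invented for this example
    ("ExampleVendor", "VPN-1000"): date(2024, 6, 30),
    ("ExampleVendor", "FW-3000"): date(2028, 1, 31),
}
SUPPORTED_MIN = {"FW-3000": "9.2.0"}  # constructed: oldest firmware the vendor still supports

def parse_version(v: str) -> tuple:
    return tuple(int(part) for part in v.split("."))

def add_months(d: date, months: int) -> date:
    """Advance a date by whole months, clamping the day to the target month's length."""
    m = d.month - 1 + months
    year, month = d.year + m // 12, m % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def bod_26_02_milestones(issued: date) -> dict:
    """The directive's 3-, 12- and 18-month milestones, measured from its issue date."""
    return {"inventory_report_due": add_months(issued, 3),
            "removal_must_begin": add_months(issued, 12),
            "removal_complete": add_months(issued, 18)}

def triage(dev: EdgeDevice, today: date) -> str:
    """Map one device to the action the directive requires of it."""
    eos = EOS_LIST.get((dev.vendor, dev.product))
    if eos is not None and eos <= today:
        return "REPLACE"  # end of support reached: remove and replace
    floor = SUPPORTED_MIN.get(dev.product)
    if floor is not None and parse_version(dev.firmware) < parse_version(floor):
        return "UPDATE"   # supported hardware running outdated software: update now
    if eos is None:
        return "VERIFY"   # not on the list: confirm support status with the vendor
    return "SUPPORTED"

def inventory_report(devices, today: date) -> dict:
    # Per-host action; an ownerless device is also flagged so an owner can be assigned.
    return {d.hostname: triage(d, today) + ("" if d.owner else "+ASSIGN_OWNER")
            for d in devices}
```

The issue date passed to `bod_26_02_milestones` is an assumption; substitute the directive's actual date when tracking real deadlines.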
Private sector implications
While the directive applies only to federal civilian agencies, CISA strongly encourages private sector organizations to adopt similar measures. The exploitation campaigns targeting federal networks pose equivalent risks to critical infrastructure and commercial enterprises.
Nagumanthri recommended that organizations treat edge and cyber-physical systems as Tier-0 assets, enforce strong authentication, implement network segmentation, require vendor-supported firmware updates, and centralize logging to limit blast radius. For the private sector, he advocated structured lifecycle management with secure-by-design hardware, continuous monitoring, and controlled updates with rollback capabilities.
Varkey saw the directive as a catalyst for modernization beyond compliance. “While the short-term impact will be challenging, the outcome is a more secure, accountable, and defensible infrastructure — one better aligned with today’s threat realities and tomorrow’s operational needs.”