
CISA Orders Agencies to Patch and Replace End-of-Life Devices, Citing Active Exploitation
Why It Matters
Legacy, unsupported devices present a critical vulnerability that can be leveraged to compromise federal networks, and their systematic removal reduces national cyber risk while setting a security benchmark for the broader enterprise sector.
Key Takeaways
- CISA mandates a three-month inventory of end-of-support edge devices.
- Agencies have 12 months to replace end-of-support devices and 18 months to retire them entirely.
- Advanced threat actors, including nation-state groups, are actively exploiting these devices.
- No fines; compliance is tracked through OMB oversight.
- The directive urges the private sector to adopt the same edge-device security practices.
Pulse Analysis
Legacy network hardware—routers, switches, firewalls—often lingers in government environments long after vendors cease issuing patches. These end‑of‑support (EOS) devices become low‑cost, high‑impact entry points for sophisticated adversaries, especially when they expose internet‑facing services. By publicly acknowledging ongoing exploitation campaigns, CISA underscores the urgency of addressing this hidden risk, aligning with broader federal initiatives to harden the supply chain and reduce attack surface across critical infrastructure.
The new binding operational directive (BOD‑26‑02) sets a phased timeline: a three‑month window for agencies to catalog all EOS edge devices, a twelve‑month period to procure and install replacements, and an eighteen‑month deadline to fully retire the legacy equipment. Agencies must also upgrade any still‑supported devices to current firmware without disrupting mission‑critical operations. While CISA does not levy monetary penalties, it will collaborate with the Office of Management and Budget to monitor progress, leveraging existing procurement cycles and fiscal year planning to spread costs and minimize operational impact.
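The inventory and remediation cadence above is the kind of thing agencies end up scripting against their asset data. The following is an added example (not code from CISA, the directive, or the original page) that triages a device inventory into the directive's categories: end-of-support devices that are also internet-facing (highest priority), end-of-support devices, still-supported devices running outdated firmware (which the directive says must be upgraded), devices that are current, and devices with no lifecycle record (an inventory gap). It also computes the three-, twelve- and eighteen-month milestones from an issuance date. Every vendor, model, end-of-support date, firmware version, hostname and the issuance date is constructed for illustration; real end-of-support dates must come from vendor lifecycle notices, and the version comparison assumes dotted numeric firmware strings.

```python
"""Triage an edge-device inventory against a phased end-of-support (EOS) timeline.

Added example, not code from CISA or the directive. All devices, the vendor
lifecycle catalogue and the issuance date below are constructed for illustration.
"""
import calendar
from dataclasses import dataclass
from datetime import date

# Constructed vendor lifecycle catalogue: (vendor, model) -> (EOS date, current firmware).
# An EOS date of None means the model is still supported. Real values come from
# the vendor's lifecycle notices, not from this table.
EOS_CATALOGUE = {
    ("ExampleVendor", "EdgeRouter-1000"): (date(2021, 6, 30), "4.2.1"),
    ("ExampleVendor", "EdgeRouter-2000"): (None, "6.1.0"),
    ("ExampleVendor", "FW-300"): (date(2023, 1, 15), "9.0.3"),
    ("ExampleVendor", "FW-500"): (None, "10.2.0"),
}

# Assumed dates (hypothetical): when the directive was issued and when the inventory is assessed.
DIRECTIVE_ISSUED = date(2026, 1, 31)
ASSESSMENT_DATE = date(2026, 3, 1)


@dataclass
class Device:
    hostname: str
    vendor: str
    model: str
    firmware: str
    internet_facing: bool  # a management or service interface is reachable from the internet


# Constructed sample inventory, as it might be exported from a CMDB or discovery scan.
INVENTORY = [
    Device("rtr-dc1-edge", "ExampleVendor", "EdgeRouter-1000", "4.2.1", True),
    Device("rtr-branch-7", "ExampleVendor", "EdgeRouter-2000", "5.0.2", False),
    Device("fw-vpn-gw", "ExampleVendor", "FW-300", "9.0.3", True),
    Device("fw-core", "ExampleVendor", "FW-500", "10.2.0", False),
    Device("sw-lab-3", "OtherVendor", "L2-24", "1.0", False),
]

# Lower number = handle first. Unknown lifecycle status outranks "merely outdated"
# because an unrecorded device cannot be asserted safe.
PRIORITY = {"eos-exposed": 0, "eos": 1, "unknown": 2, "supported-outdated": 3, "current": 4}


def parse_version(v):
    """Dotted numeric firmware string -> comparable tuple (assumption: no vendor suffixes)."""
    return tuple(int(p) for p in v.split("."))


def classify(device, today=ASSESSMENT_DATE, catalogue=EOS_CATALOGUE):
    """Return the directive category for one device."""
    entry = catalogue.get((device.vendor, device.model))
    if entry is None:
        return "unknown"  # no lifecycle record: inventory gap, not evidence of support
    eos, current = entry
    if eos is not None and eos <= today:
        return "eos-exposed" if device.internet_facing else "eos"
    if parse_version(device.firmware) < parse_version(current):
        return "supported-outdated"  # still supported, but must be brought to current firmware
    return "current"


def triage(devices=INVENTORY, today=ASSESSMENT_DATE, catalogue=EOS_CATALOGUE):
    """Classify every device and order the result by remediation priority, then hostname."""
    rows = [(classify(d, today, catalogue), d) for d in devices]
    rows.sort(key=lambda r: (PRIORITY[r[0]], r[1].hostname))
    return rows


def add_months(d, months):
    """Calendar-month offset, clamping the day to the target month's length."""
    years, month_index = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month_index + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def directive_deadlines(issued=DIRECTIVE_ISSUED):
    """Three-month inventory, twelve-month replacement, eighteen-month retirement milestones."""
    return {
        "inventory": add_months(issued, 3),
        "replace": add_months(issued, 12),
        "retire": add_months(issued, 18),
    }


if __name__ == "__main__":
    for name, when in directive_deadlines().items():
        print(f"{name:<10} due {when.isoformat()}")
    for category, dev in triage():
        exposure = "internet-facing" if dev.internet_facing else "internal"
        print(f"{category:<18} {dev.hostname:<14} {dev.vendor}/{dev.model} fw {dev.firmware} ({exposure})")
```

Running the script lists the milestones first and then the devices in the order they should be worked: exposed end-of-support devices before internal ones, then devices with no lifecycle record, then supported devices needing a firmware upgrade. Treating "unknown" as a finding rather than silently passing it is deliberate: an inventory that only scores what it recognises will under-count exactly the legacy gear the directive targets.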
Beyond the federal sphere, the directive serves as a de facto industry standard. Private enterprises that run similar technology stacks can adopt the same inventory and remediation cadence, closing the same threat vectors that have plagued government networks. As nation‑state actors continue to target outdated infrastructure, proactive replacement of EOS devices becomes a cornerstone of cyber resilience, reinforcing the broader push toward zero‑trust architectures and continuous monitoring across both public and private sectors.