CISA orders agencies to patch and replace end-of-life devices, citing active exploitation
nextgov.com
The directive gives agencies three months to identify unsupported edge devices, a year to begin removing them and 18 months to eliminate them entirely.
The Cybersecurity and Infrastructure Security Agency said Thursday it detected widespread exploitation of unsupported, internet-facing devices by advanced hackers and ordered federal agencies to begin a monthslong process of removing and replacing that outdated equipment.
The binding operational directive focuses on edge devices, many of which remain in service long after software vendors stop issuing security updates, increasing the risk of exploitation.
“The imminent threat of exploitation to agency information systems running EOS edge devices is substantial and constant, resulting in a significant threat to federal property. CISA is aware of widespread exploitation campaigns by advanced threat actors targeting EOS edge devices,” the directive says.
On a call with reporters, Nick Andersen, executive assistant director for cybersecurity at CISA, said that some of the hackers have ...

