The threat is the use of end-of-support (EOS) edge devices, such as firewalls, routers, and load balancers, which no longer receive security updates from vendors, creating a high-risk attack vector for initial network access and lateral movement by advanced threat actors. The article and supporting directives do not specify a single CVE, CVSS score, or affected version ranges, as the risk is systemic to any hardware or software past its vendor-supported lifecycle. The mandated remediation is the complete replacement of these unsupported devices with supported equipment, with federal agencies required to inventory them within three months and fully decommission those already past EOS within one year.
In this Help Net Security video, Jen Sovada, General Manager, Public Sector at Claroty, explains CISA’s Binding Operational Directive 26-02 and what it means for federal agencies. The directive requires agencies to inventory, report, decommission, and replace unsupported edge devices such as firewalls, routers, switches, load balancers, and wireless access points. Unsupported devices don’t receive security updates. This makes them high risk entry points for attackers. Agencies must identify these devices within three months and … More → The post Binding Operational Directive 26-02 sets deadlines for edge device replacement appeared first on Help Net Security .