EoL devices drive vulnerabilities

One post noted that roughly 40% of top vulnerabilities exploit end‑of‑life devices and urged hardware refreshes—citing examples like Cisco 200/6100 series—to reduce operational risk from unsupported kit. The point was framed as turning technical debt into an active attack surface. (x.com)

A network edge device is the digital front door for traffic coming in from the internet, and security agencies say unsupported ones are now a standing break-in risk. On February 5, 2026, the Cybersecurity and Infrastructure Security Agency ordered federal civilian agencies to remove end-of-support edge devices from their networks. (cisa.gov)

CISA, the Federal Bureau of Investigation, and the United Kingdom’s National Cyber Security Centre said end-of-support edge devices include firewalls, routers, load balancers, and virtual private network gateways. They said those products stop receiving firmware fixes, security patches, and other vendor updates once support ends. (cisa.gov)

That changes the math for defenders. CISA said threat actors use unsupported edge devices to gain network access, keep a foothold, and move into newer systems that are still fully supported. (cisa.gov)

The federal order, Binding Operational Directive 26-02, was issued on February 5, 2026 and tells agencies to inventory edge devices, identify which ones are end-of-support, update supported products to vendor-supported software, and remove unsupported hardware and software. CISA said the goal is to cut technical debt that has become a compromise risk. (cisa.gov)

CISA’s public guidance now treats old perimeter gear as an exposure problem, not just a maintenance problem. Its edge-device page says end-of-support devices are “prime targets” because they no longer receive security updates, and it urges organizations to replace them immediately. (cisa.gov)

The agency’s Known Exploited Vulnerabilities catalog tracks flaws already used in real intrusions, and it listed 1,559 entries when checked on April 13, 2026. CISA tells organizations to use that catalog to prioritize remediation and to discontinue products when mitigations are unavailable. (cisa.gov)

Cisco’s own lifecycle policy shows why old hardware lingers. The company typically gives six months’ notice before end of sale, then continues some support for years, including up to five years of technical assistance center support for hardware after the end-of-sale date. (cisco.com) That long runway can leave devices physically present long after vendors have stopped improving them in meaningful ways. Cisco’s end-of-life listings span routers, switches, servers, and other product lines, underscoring how common lifecycle turnover is in enterprise networks. (cisco.com)

Federal agencies have been pushed in this direction before during active incidents. In September 2025, CISA’s emergency directive on Cisco device compromises told agencies to disconnect end-of-support devices and upgrade the ones that would stay in service. (cisa.gov)

The practical message is simple: if the box at the edge no longer gets fixes, patching programs alone will not close the gap. CISA’s 2026 directive turns hardware refreshes from procurement work into a security control. (cisa.gov)
