A Practical Guide to Complying with CISA BOD 26-02 (and Why Private Sector Should Too)
The Wake-Up Call You Can’t Ignore
On February 5, 2026, CISA dropped a bombshell: Binding Operational Directive 26-02 mandates that all federal agencies identify and remove end-of-life (EOL) edge devices from their networks within 18 months. No extensions. No exceptions.
If you’re in the private sector, you might think this doesn’t apply to you. You’d be wrong—at least strategically.
Here’s the reality: the same nation-state hackers that prompted this directive don’t care whether you’re a government agency or a Fortune 500 company. Salt Typhoon, the China-linked APT group behind the directive’s urgency, has already breached over 600 organizations across 80 countries. Their weapon of choice? Exploiting vulnerabilities in firewalls, routers, VPN gateways, and other edge devices that organizations forgot to update—or couldn’t update because the vendor stopped supporting them.
This guide is your playbook for:
- Understanding what BOD 26-02 actually requires
- Finding every EOL edge device hiding in your network
- Auditing their configurations for critical vulnerabilities
- Building a replacement plan that doesn’t break the bank
Understanding the Threat: Why Edge Devices Are Under Attack
Your firewall might be the easiest way into your network.
Edge devices sit at the boundary between your internal network and the hostile internet. They’re designed to keep attackers out. But when they’re running outdated, unpatched, or end-of-life software, they become the very doors attackers walk through.
Salt Typhoon: The Campaign That Changed Everything
Salt Typhoon (also tracked as GhostEmperor, Operator Panda, RedMike, UNC5807) is a China-linked APT group that has been systematically exploiting edge devices since at least 2019:
| Metric | Value |
|---|---|
| Organizations Breached | 600+ confirmed |
| Countries Affected | 80+ |
| U.S. Organizations | 200+ |
| Primary Targets | Telecommunications, government, transportation, military |
Their Attack Playbook
1. Exploit publicly-known vulnerabilities in edge devices (often CVEs months or years old)
2. Modify device configurations for persistent backdoor access
3. Add GRE tunnels for stealthy data exfiltration
4. Capture TACACS+ traffic to harvest admin credentials
5. Pivot laterally through trusted network connections
The key insight: they’re not using zero-days. They’re exploiting known vulnerabilities in devices that haven’t been patched, often because they cannot be: the vendor no longer supports them.
According to CISA, edge device vulnerability exploitation increased 8x from 2024 to 2025. Mandiant’s M-Trends 2025 report found that 21% of ransomware attacks now use vulnerability exploitation as their initial access vector.
CISA BOD 26-02: What It Requires
The Timeline
| Deadline | Requirement |
|---|---|
| Immediate | Update all edge devices running EOS software to vendor-supported versions |
| 3 months | Complete inventory of all devices on CISA’s EOS Edge Device List |
| 12 months | Decommission devices with EOS dates before this deadline |
| 18 months | Remove ALL identified EOS edge devices from networks |
| 24 months | Establish continuous discovery process for lifecycle management |
Devices Covered
- Firewalls (next-gen and traditional)
- Routers and switches (especially internet-facing)
- VPN gateways and concentrators
- Load balancers
- Wireless access points
- Network security appliances (IDS/IPS, web proxies)
- IoT edge devices
- Software-defined network components
Exclusions: Operational Technology (OT) devices and FedRAMP-authorized cloud services.
“The imminent threat of exploitation to agency information systems running EOS edge devices is substantial and constant, resulting in a significant threat to federal property.” — CISA BOD 26-02
Recent Edge Device CVEs: The Hit List
Before we dive into tools, here’s what we’re defending against—the vulnerabilities that nation-state actors and ransomware gangs are actively exploiting:
Actively Exploited Edge Device CVEs (2024-2025)
| CVE | Vendor | Product | CVSS | Description | Status |
|---|---|---|---|---|---|
| CVE-2024-3400 | Palo Alto | PAN-OS | 10.0 | Command Injection via GlobalProtect | Salt Typhoon |
| CVE-2023-20198 | Cisco | IOS XE | 10.0 | Web UI Privilege Escalation | Multiple APTs |
| CVE-2024-23113 | Fortinet | FortiOS | 9.8 | RCE via Format String | Ransomware |
| CVE-2025-20393 | Cisco | AsyncOS | 10.0 | Zero-Day RCE | China APT |
| CVE-2025-22457 | Ivanti | Connect Secure | 9.0 | Buffer Overflow RCE | UNC5221 |
| CVE-2025-0282 | Ivanti | Connect Secure | 9.0 | Stack Buffer Overflow | Multiple |
| CVE-2024-21762 | Fortinet | FortiOS | 9.6 | Out-of-bounds Write | Ransomware |
| CVE-2024-21887 | Ivanti | Connect Secure | 9.1 | Command Injection | Salt Typhoon |
| CVE-2023-46805 | Ivanti | Connect Secure | 8.2 | Authentication Bypass | Salt Typhoon |
| CVE-2018-0171 | Cisco | IOS | 9.8 | Smart Install RCE | Salt Typhoon |
Notice that last one: CVE-2018-0171 is from 2018—eight years ago—and Salt Typhoon is still successfully exploiting it.
Why EOL Devices Are Especially Dangerous
When a device reaches end-of-life:
1. No patches are released for newly discovered vulnerabilities
2. Existing exploits remain viable indefinitely
3. Zero-days cannot be fixed, making the device permanently compromised
4. Attackers specifically target EOL devices because the vulnerability window is permanent
The Tool Stack: Discovery and Auditing
Quick Reference: Tool Comparison
| Tool | Type | Best For | EOL Tracking | Config Audit | Free Tier |
|---|---|---|---|---|---|
| runZero | Discovery | Continuous asset inventory | Partial | No | 256 assets |
| Nmap | Discovery | Deep network scans | No | Limited | Full |
| Titania Nipper | Audit | Compliance-grade audits | No | Excellent | No |
| nipper-ng | Audit | Free config auditing | No | Good | Full |
| ManageEngine NCM | Lifecycle | EOL date tracking | Excellent | Partial | Limited |
Step 1: Network Discovery and Inventory
You can’t secure what you don’t know exists.
Option A: runZero (Recommended for Continuous Discovery)
Created by HD Moore (creator of Metasploit), runZero excels at finding devices other scanners miss using unauthenticated scanning with deep fingerprinting.
Installing the runZero Explorer:
```shell
# Download the Explorer for Linux
curl -o runzero-explorer https://download.runzero.com/stable/linux-amd64/runzero-explorer
chmod +x runzero-explorer

# Run a scan
./runzero-explorer \
  --token YOUR_ORGANIZATION_TOKEN \
  --name "Edge Device Discovery" \
  --networks 10.0.0.0/8,192.168.0.0/16 \
  --rate 1000
```
Query for Edge Devices:
```
type:firewall                         # Find all firewalls
type:router                           # Find all routers
hw.vendor:Cisco                       # Find Cisco devices
has:vulnerabilities AND type:firewall # Firewalls with known vulns
```
Option B: Nmap (For Deep Dives and Scripting)
Nmap is the gold standard for network reconnaissance. If you’re new to network scanning, check out our Introduction to Networking Concepts for Hackers to understand the fundamentals before diving in.
```shell
# Discover hosts with OS detection
sudo nmap -sS -O -T4 10.0.0.0/24 -oX edge-discovery.xml

# Service detection on common edge device ports
sudo nmap -sV -sC -p22,23,80,443,161,8080,8443 10.0.0.0/24

# Detect a listening Cisco Smart Install service on TCP 4786 (exposure to CVE-2018-0171)
nmap -p4786 --script cisco-smart-install 10.0.0.0/24

# SNMP enumeration for device info (UDP scans need raw sockets, hence sudo)
sudo nmap -sU -p161 --script snmp-sysdescr 10.0.0.0/24

# Full port scan of known edge devices
sudo nmap -sS -sV -p- --min-rate 10000 192.168.1.1 -oX router-full.xml
```
Building Your Asset Inventory
| Device | IP | Vendor | Model | Firmware | EOL Date | Risk | Notes |
|---|---|---|---|---|---|---|---|
| Core Firewall | 10.0.0.1 | Palo Alto | PA-3220 | 10.2.3 | 2028-12 | Low | Supported |
| Branch Router | 192.168.1.1 | Cisco | ISR 2911 | 15.2(4)M | 2023-09 | Critical | EOL - replace |
| VPN Gateway | 10.0.0.5 | Fortinet | FG-60E | 6.4.2 | 2027-06 | Medium | Needs update |
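The `-oX` files from the Nmap commands above are the raw material for this inventory table. The following Python script is an added example for this guide (not Nmap's code and not from the original post): it parses Nmap's XML output, keeps only hosts whose OS class marks them as network gear, flags open ports worth a note in the Risk column, and emits CSV rows you can paste into the inventory. The XML embedded in it is constructed to mimic `nmap -oX` output; the addresses, MAC vendors and banners are made up, and the list of "edge" OS class types is an assumption you may want to widen.

```python
"""Build an edge-device inventory from Nmap XML (-oX) output.

Added example for this guide; not Nmap's code. SAMPLE_NMAP_XML is a
constructed sample in Nmap's -oX layout with made-up hosts.
"""
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample: a firewall, a router with risky services, and one Linux server.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sS -O -sV 10.0.0.0/24" version="7.94">
  <host>
    <status state="up"/>
    <address addr="10.0.0.1" addrtype="ipv4"/>
    <address addr="00:1B:17:AA:BB:CC" addrtype="mac" vendor="Palo Alto Networks"/>
    <ports>
      <port protocol="tcp" portid="443"><state state="open"/>
        <service name="https" product="PAN-OS management" version="10.2.3"/></port>
    </ports>
    <os><osmatch name="Palo Alto PAN-OS" accuracy="96">
      <osclass type="firewall" vendor="Palo Alto" osfamily="PAN-OS" accuracy="96"/>
    </osmatch></os>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.168.1.1" addrtype="ipv4"/>
    <address addr="00:1E:BD:11:22:33" addrtype="mac" vendor="Cisco Systems"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="Cisco SSH" version="1.25"/></port>
      <port protocol="tcp" portid="23"><state state="open"/>
        <service name="telnet"/></port>
      <port protocol="tcp" portid="4786"><state state="open"/>
        <service name="smart-install"/></port>
    </ports>
    <os><osmatch name="Cisco IOS 15.2" accuracy="94">
      <osclass type="router" vendor="Cisco" osfamily="IOS" osgen="15.X" accuracy="94"/>
    </osmatch></os>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.0.0.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.9"/></port>
    </ports>
    <os><osmatch name="Linux 5.x" accuracy="90">
      <osclass type="general purpose" vendor="Linux" osfamily="Linux" accuracy="90"/>
    </osmatch></os>
  </host>
</nmaprun>
"""

# Assumption: Nmap osclass "type" values that count as edge gear for this inventory.
EDGE_OS_TYPES = {"firewall", "router", "switch", "WAP", "VPN", "load balancer", "security-misc"}
# Open ports that deserve a note in the Risk column (BOD 26-02 context: Smart Install, Telnet).
RISKY_PORTS = {23: "Telnet open", 4786: "Smart Install open (CVE-2018-0171 exposure)"}


def parse_inventory(xml_text):
    """Return one inventory dict per live host whose OS class is network gear."""
    root = ET.fromstring(xml_text)
    rows = []
    for host in root.findall("host"):
        if host.find("status").get("state") != "up":
            continue
        ip = host.find("address[@addrtype='ipv4']")
        mac = host.find("address[@addrtype='mac']")
        osmatch = host.find("os/osmatch")
        osclass = host.find("os/osmatch/osclass")
        dev_type = osclass.get("type") if osclass is not None else "unknown"
        if dev_type not in EDGE_OS_TYPES:
            continue  # servers and workstations belong in a different inventory
        open_ports = [int(p.get("portid")) for p in host.findall("ports/port")
                      if p.find("state").get("state") == "open"]
        vendor = (osclass.get("vendor") if osclass is not None else None) \
            or (mac.get("vendor") if mac is not None else "unknown")
        rows.append({
            "ip": ip.get("addr"),
            "type": dev_type,
            "vendor": vendor,
            "os": osmatch.get("name") if osmatch is not None else "unknown",
            "open_ports": open_ports,
            "notes": [RISKY_PORTS[p] for p in open_ports if p in RISKY_PORTS],
        })
    return rows


def to_csv(rows):
    """Render the rows as CSV text matching the inventory sheet's column idea."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["IP", "Type", "Vendor", "OS match", "Open ports", "Notes"])
    for r in rows:
        writer.writerow([r["ip"], r["type"], r["vendor"], r["os"],
                         " ".join(map(str, r["open_ports"])), "; ".join(r["notes"])])
    return buf.getvalue()


if __name__ == "__main__":
    # Replace SAMPLE_NMAP_XML with open("edge-discovery.xml").read() for a real scan.
    print(to_csv(parse_inventory(SAMPLE_NMAP_XML)), end="")
```

Model, firmware and EOL date still have to come from the device itself or the vendor's lifecycle page; Nmap's OS match is a starting point for the Vendor column, not an authoritative version string.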
Step 2: Configuration Security Auditing
Finding edge devices is only half the battle. You also need to know if they’re configured securely.
Option A: Titania Nipper (Enterprise-Grade)
The gold standard for network device configuration auditing:
- Works completely air-gapped (parses config files, no network access required)
- Supports 100+ device types: Cisco, Juniper, Fortinet, Palo Alto, Check Point, SonicWall
- Maps findings to compliance frameworks: DISA STIG, RMF, PCI-DSS, CIS Benchmarks
- Generates detailed remediation steps
Sample Finding:
```
FINDING: CVE-2018-0171 - Cisco Smart Install Enabled
SEVERITY: Critical (CVSS 9.8)
DEVICE: cisco-router-01.cfg
REMEDIATION:
  Disable Smart Install by adding:
    no vstack
COMPLIANCE IMPACT:
  - DISA STIG V-96265 (CAT I)
  - CIS Cisco IOS 15 Benchmark 1.1.1
```
Option B: nipper-ng (Open Source Alternative)
The open-source fork of the original Nipper tool.
Installing on Kali Linux:
```shell
sudo apt update && sudo apt install nipper-ng
```
Running Audits:
```shell
# Audit Cisco IOS router
nipper-ng --ios-router --input=router-config.txt --output=router-audit.html

# Audit Cisco ASA firewall
nipper-ng --asa --input=asa-config.txt --output=asa-audit.html

# Audit Juniper ScreenOS
nipper-ng --screenos --input=screenos-config.txt --output=screenos-audit.html
```
Supported Devices:
| Flag | Device Type |
|---|---|
| `--ios-router` | Cisco IOS Router |
| `--ios-switch` | Cisco IOS Switch |
| `--asa` | Cisco ASA Firewall |
| `--pix` | Cisco PIX Firewall |
| `--screenos` | Juniper ScreenOS |
| `--sonicos` | SonicWall SonicOS |
Configuration Export Cheat Sheet
Cisco IOS/IOS XE:
```
terminal length 0
show running-config
```
Cisco ASA:
```
terminal pager 0
more system:running-config
```
Fortinet FortiGate:
```
config system console
    set output standard
end
show full-configuration
```
Palo Alto PAN-OS:
```
set cli config-output-format set
show config running
```
Step 3: EOL/EOS Lifecycle Tracking
ManageEngine Network Configuration Manager
ManageEngine NCM includes dedicated EOL/EOS tracking that syncs with vendor databases:
- Automatic sync with Cisco, Juniper, Fortinet, Palo Alto EOL databases
- Alerts when devices approach end-of-support
- Offline mode for air-gapped networks
Sample Report:
| Device | Vendor | Model | Version | EOL Date | Days Until EOL | Status |
|---|---|---|---|---|---|---|
| fw-01 | Cisco | ASA 5515 | 9.8(4) | 2024-09-30 | -496 | EXPIRED |
| sw-core | Cisco | 3850 | 16.6.2 | 2026-10-01 | 236 | Warning |
| vpn-gw | Fortinet | FG-60E | 6.4.12 | 2027-06-01 | 479 | OK |
Manual Tracking with Vendor Resources
| Vendor | EOL Information URL |
|---|---|
| Cisco | cisco.com/c/en/us/products/eos-eol-policy.html |
| Fortinet | support.fortinet.com/Information/ProductLifeCycle.aspx |
| Palo Alto | paloaltonetworks.com/services/support/end-of-life-announcements |
| Juniper | support.juniper.net/support/eol/ |
| Multi-Vendor | layer23-switch.com/eol-eosl-tool/ |
Step 4: Replacement Planning and Prioritization
Prioritization Framework
Priority 1: Critical (Replace Within 30 Days)
- Internet-facing devices
- Devices with known actively-exploited CVEs
- VPN gateways handling remote access
- Devices in flat networks with no segmentation
Priority 2: High (Replace Within 90 Days)
- Devices handling sensitive data (PCI, HIPAA)
- Core infrastructure (backbone routers, primary firewalls)
Priority 3: Medium (Replace Within 6 Months)
- Internal-only devices with segmentation
- Branch office equipment with compensating controls
Priority 4: Low (Replace Within 12-18 Months)
- Lab/test equipment
- Redundant/backup devices
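Step 3's EOL tracking and Step 4's prioritization framework come together in one spreadsheet: for each device you want days-until-EOL and a status, the BOD 26-02 deadline it falls under, and a priority tier. The Python below is an added example written for this guide (not ManageEngine's or CISA's code). It computes the NCM report's "Days Until EOL" and status columns, maps each EOS date to the directive's 12-month or 18-month removal deadline from the 2026-02-05 issue date given earlier, and assigns the Priority 1-4 tier from the attributes listed above. The inventory rows are constructed from the sample report; the 365-day "Warning" window and the as-of date are assumptions.

```python
"""EOL status, BOD 26-02 deadline and replacement priority per inventory row.

Added example for this guide; not ManageEngine NCM or CISA tooling.
Assumptions: WARNING_DAYS, the as-of date, and the constructed INVENTORY.
DIRECTIVE_DATE is the BOD 26-02 issue date stated in the guide.
"""
from datetime import date

DIRECTIVE_DATE = date(2026, 2, 5)   # BOD 26-02 issue date (from the guide)
WARNING_DAYS = 365                  # assumed "approaching end-of-support" window


def add_months(d, months):
    """Same day-of-month `months` later, clamped to the target month's length."""
    years, month0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month0 + 1
    leap = year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)
    days_in_month = [31, 29 if leap else 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31][month - 1]
    return date(year, month, min(d.day, days_in_month))


def eol_status(eol, as_of):
    """Days until EOL (negative once past) and the report's status word."""
    days = (eol - as_of).days
    if days < 0:
        return days, "EXPIRED"
    if days <= WARNING_DAYS:
        return days, "Warning"
    return days, "OK"


def bod_deadline(eol, directive=DIRECTIVE_DATE):
    """The BOD 26-02 removal deadline a device with this EOS date falls under."""
    twelve_months = add_months(directive, 12)
    eighteen_months = add_months(directive, 18)
    if eol < twelve_months:
        return twelve_months     # EOS before the 12-month mark: decommission by then
    if eol < eighteen_months:
        return eighteen_months   # every other identified EOS device: gone by 18 months
    return None                  # not EOS inside the directive window: keep tracking


def priority(dev):
    """Priority 1-4 from the guide's framework; the most urgent attribute wins."""
    if any(dev.get(k) for k in ("internet_facing", "kev_cve", "vpn_gateway", "flat_network")):
        return 1
    if dev.get("sensitive_data") or dev.get("core"):
        return 2
    if dev.get("lab") or dev.get("redundant"):
        return 4
    return 3   # internal-only with segmentation, or branch gear behind compensating controls


# Constructed rows modelled on the sample report, plus the attributes Step 4 needs.
INVENTORY = [
    {"device": "fw-01", "vendor": "Cisco", "model": "ASA 5515", "eol": date(2024, 9, 30),
     "internet_facing": True, "kev_cve": True},
    {"device": "sw-core", "vendor": "Cisco", "model": "3850", "eol": date(2026, 10, 1),
     "core": True},
    {"device": "vpn-gw", "vendor": "Fortinet", "model": "FG-60E", "eol": date(2027, 6, 1),
     "vpn_gateway": True},
]


def plan(inventory, as_of):
    """Annotate each row and return the rows sorted by priority, then EOL date."""
    out = []
    for dev in inventory:
        days, status = eol_status(dev["eol"], as_of)
        out.append({**dev, "days_until_eol": days, "status": status,
                    "bod_deadline": bod_deadline(dev["eol"]), "priority": priority(dev)})
    return sorted(out, key=lambda r: (r["priority"], r["eol"]))


if __name__ == "__main__":
    for row in plan(INVENTORY, as_of=date(2026, 2, 7)):
        print(f"P{row['priority']} {row['device']:8} EOL {row['eol']} "
              f"({row['days_until_eol']:+d} d, {row['status']}) -> remove by {row['bod_deadline']}")
```

An already-expired device such as fw-01 also falls under the directive's "Immediate" row (update to a supported version now); the deadline column only tells you the last date it may still be on the network.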
Building the Business Case
Quantify the Risk:
Salt Typhoon Impact: 600+ organizations breached
Average breach cost (IBM 2025): $4.88 million
Cost to replace 15 EOL devices: ~$175,000 (CapEx)
Cost of breach investigation & remediation: $500K - $5M+
ROI on proactive replacement: 3x - 28x
Compliance Angle:
- NIST 800-53 SI-2: Requires patching (impossible for EOL)
- PCI-DSS 6.2: Requires vendor-supported systems
- HIPAA: Must document and remediate risks
- DFARS 252.204-7012: Adequate security for CUI
Compensating Controls: When You Can’t Replace Yet
⚠️ Warning: Compensating controls are temporary risk mitigations, not permanent solutions. They should be used as a bridge during the replacement process, not as an excuse to delay EOL device retirement.
Network Segmentation
Cisco Example - Isolating Legacy Devices:
```
! Park EOL gear in a dedicated VLAN
vlan 999
 name LEGACY_EOL_ISOLATED
!
! Access port facing the legacy device
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 999
!
! Legacy devices may only reach SSH on 10.0.0.5; everything else is dropped and logged
ip access-list extended LEGACY_ISOLATION
 permit tcp any host 10.0.0.5 eq 22
 deny ip any any log
!
! Applied inbound on the SVI, so the ACL filters traffic sourced from VLAN 999
interface Vlan999
 ip address 10.99.99.1 255.255.255.0
 ip access-group LEGACY_ISOLATION in
```
Virtual Patching via IPS
Snort Rule for CVE-2018-0171:
```
alert tcp any any -> $HOME_NET 4786 (msg:"EXPLOIT Cisco Smart Install";
    flow:to_server,established;
    content:"|00 00 00 01|"; depth:4;
    sid:1000001; rev:1;)
```
Enhanced Monitoring
Enhanced logging is critical for detecting when EOL devices are being actively exploited. For a comprehensive guide to analyzing these logs when an incident occurs, see our Windows Incident Response Guide.
Cisco Syslog Configuration:
```
! Keep a local buffer and ship informational-and-above to the collector
logging buffered 64000 informational
logging host 10.0.0.100 transport udp port 514
logging trap informational
! Log every successful and failed login so credential attacks are visible
login on-success log
login on-failure log
```
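The syslog feed this configuration produces is only useful if something reads it. The Python below is an added example for this guide (not from the original post or any vendor product) that triages Cisco syslog lines for the behaviours the guide attributes to Salt Typhoon: logins and configuration changes from hosts outside the management allow-list, a tunnel interface coming up, and repeated failed logins. The message mnemonics (`%SEC_LOGIN-5-LOGIN_SUCCESS`, `%SEC_LOGIN-4-LOGIN_FAILED`, `%SYS-5-CONFIG_I`, `%LINEPROTO-5-UPDOWN`) are real Cisco IOS messages; the log lines themselves are constructed, the allow-list reuses 10.0.0.50 from the hardening ACL in this section, and the failed-login threshold is an assumption.

```python
"""Triage Cisco syslog for the Salt Typhoon behaviours described in this guide.

Added example; not part of the guide or of any vendor product. The log
lines are constructed; the mnemonics are real Cisco IOS ones. MGMT_HOSTS
reuses 10.0.0.50 from the guide's hardening ACL; the threshold is assumed.
"""
import re
from collections import Counter

MGMT_HOSTS = {"10.0.0.50"}     # hosts allowed to manage edge devices (guide's ACL)
FAILED_LOGIN_THRESHOLD = 3     # assumed: this many failures from one source is an alert

# Constructed log lines from a branch router: one legitimate admin session, then an
# off-network login that changes the config and brings up a tunnel, then password guessing.
SAMPLE_SYSLOG = """\
<189>Feb  6 02:11:04 branch-rtr 101: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.0.0.50] [localport: 22] at 02:11:04 UTC Fri Feb 6 2026
<189>Feb  6 03:40:12 branch-rtr 102: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 203.0.113.77] [localport: 22] at 03:40:12 UTC Fri Feb 6 2026
<189>Feb  6 03:41:30 branch-rtr 103: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (203.0.113.77)
<189>Feb  6 03:42:01 branch-rtr 104: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
<188>Feb  6 04:00:01 branch-rtr 105: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.9] [localport: 22] [Reason: Login Authentication Failed] at 04:00:01 UTC Fri Feb 6 2026
<188>Feb  6 04:00:05 branch-rtr 106: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 198.51.100.9] [localport: 22] [Reason: Login Authentication Failed] at 04:00:05 UTC Fri Feb 6 2026
<188>Feb  6 04:00:09 branch-rtr 107: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 198.51.100.9] [localport: 22] [Reason: Login Authentication Failed] at 04:00:09 UTC Fri Feb 6 2026
"""

LOGIN_OK = re.compile(r"%SEC_LOGIN-5-LOGIN_SUCCESS:.*\[user: ([^\]]+)\].*\[Source: ([\d.]+)\]")
LOGIN_FAIL = re.compile(r"%SEC_LOGIN-4-LOGIN_FAILED:.*\[Source: ([\d.]+)\]")
CONFIG = re.compile(r"%SYS-5-CONFIG_I: Configured from (\S+) by (\S+) on (\S+)(?: \(([\d.]+)\))?")
TUNNEL_UP = re.compile(r"Line protocol on Interface (Tunnel\d+), changed state to up")


def analyze(syslog_text):
    """Return a list of (severity, message) alerts for the given syslog text."""
    alerts = []
    failures = Counter()
    for line in syslog_text.splitlines():
        if m := LOGIN_OK.search(line):
            user, src = m.groups()
            if src not in MGMT_HOSTS:
                alerts.append(("HIGH", f"login by {user} from non-management host {src}"))
        elif m := LOGIN_FAIL.search(line):
            failures[m.group(1)] += 1
        elif m := CONFIG.search(line):
            _via, user, vty, src = m.groups()
            # Config modification is the heart of the playbook (backdoors, GRE tunnels),
            # so it is always recorded; from outside the allow-list it is high severity.
            sev = "INFO" if src is None or src in MGMT_HOSTS else "HIGH"
            alerts.append((sev, f"config change by {user} on {vty} from {src or 'console'}"))
        elif m := TUNNEL_UP.search(line):
            alerts.append(("MEDIUM", f"{m.group(1)} came up: check for unexpected GRE tunnel"))
    for src, n in failures.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            alerts.append(("MEDIUM", f"{n} failed logins from {src}"))
    return alerts


if __name__ == "__main__":
    # Point this at the collector's file (10.0.0.100 in the config above) instead of the sample.
    for severity, message in analyze(SAMPLE_SYSLOG):
        print(f"[{severity}] {message}")
```

The first line (admin from 10.0.0.50) produces nothing, which is the point: the value of an allow-list is that routine administration stays quiet and anything else stands out.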
Access Restrictions and Hardening
```
! Only allow management from specific IPs
access-list 10 permit 10.0.0.50
access-list 10 deny any log
line vty 0 4
 access-class 10 in
 transport input ssh
 exec-timeout 5 0
!
! Disable dangerous services (CDP, HTTP management, Smart Install, finger)
no cdp run
no ip http server
no vstack
no service finger
```
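Whether a device already has these settings is exactly what the Step 2 configuration audit should answer. The Python below is an added example for this guide (not nipper-ng or Titania Nipper output) that reads a `show running-config` export and reports the items this hardening snippet addresses: the four services, and per-vty access-class, SSH-only transport and exec-timeout. One detail a config auditor has to get right: IOS omits default-on services such as CDP and Smart Install from the running-config, so for those the check is the absence of the `no` form, not the presence of an enabling line. Both sample configs are constructed; the severities and reference strings are this example's own labels.

```python
"""Audit an exported Cisco IOS running-config against this guide's hardening list.

Added example; not nipper-ng or Titania Nipper. Both configs below are
constructed; severities and references are this example's own labels.
"""

# Constructed: a branch router nobody has hardened (CDP and Smart Install are
# enabled by default and therefore absent from the running-config).
WEAK_CONFIG = """\
!
hostname branch-rtr
!
ip http server
service finger
!
line vty 0 4
 transport input telnet ssh
 exec-timeout 0 0
!
"""

# Constructed: the same router after the guide's hardening snippet is applied.
HARDENED_CONFIG = """\
!
hostname branch-rtr
!
no ip http server
no service finger
no cdp run
no vstack
!
access-list 10 permit 10.0.0.50
access-list 10 deny any log
!
line vty 0 4
 access-class 10 in
 transport input ssh
 exec-timeout 5 0
!
"""

# Lines whose PRESENCE is a finding: (finding, severity, reference).
BAD_IF_PRESENT = {
    "ip http server": ("HTTP management server enabled", "Medium", "CVE-2023-20198 attack surface"),
    "service finger": ("finger service enabled", "Low", "guide hardening list"),
}
# Default-on services: a finding if the disabling line is ABSENT.
BAD_IF_MISSING = {
    "no vstack": ("Smart Install enabled", "Critical", "CVE-2018-0171"),
    "no cdp run": ("CDP enabled", "Medium", "guide hardening list"),
}


def vty_blocks(lines):
    """Yield (header, [stripped child lines]) for each `line vty` stanza."""
    i = 0
    while i < len(lines):
        if lines[i].startswith("line vty"):
            header, body, i = lines[i], [], i + 1
            while i < len(lines) and lines[i].startswith(" "):
                body.append(lines[i].strip())
                i += 1
            yield header, body
        else:
            i += 1


def audit(config_text):
    """Return findings as dicts with finding, severity and reference."""
    raw = config_text.splitlines()
    present = {line.strip() for line in raw}
    findings = []

    def add(name, sev, ref):
        findings.append({"finding": name, "severity": sev, "reference": ref})

    for line, (name, sev, ref) in BAD_IF_PRESENT.items():
        if line in present:
            add(name, sev, ref)
    for line, (name, sev, ref) in BAD_IF_MISSING.items():
        if line not in present:
            add(name, sev, ref)
    for header, body in vty_blocks(raw):
        if not any(b.startswith("access-class ") for b in body):
            add(f"{header}: no access-class restricting management sources", "High", "guide hardening list")
        transport = [b for b in body if b.startswith("transport input")]
        # Anything other than exactly "transport input ssh" (including no line at all,
        # which leaves the platform default) is not restricted to SSH.
        if not transport or transport[0].split()[2:] != ["ssh"]:
            add(f"{header}: transport input not restricted to SSH", "High", "guide hardening list")
        if "exec-timeout 0 0" in body:
            add(f"{header}: exec-timeout disabled", "Medium", "guide hardening list")
    return findings


if __name__ == "__main__":
    # Replace WEAK_CONFIG with open("router-config.txt").read() for a real export.
    for f in audit(WEAK_CONFIG):
        print(f"[{f['severity']}] {f['finding']} ({f['reference']})")
```

Run it over every export collected with the cheat sheet above and the Critical rows are your "no vstack" to-do list; the Fortinet and Palo Alto exports need their own rule tables, since their syntax and defaults differ.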
Why Private Sector Should Adopt BOD 26-02 Standards
1. You Face the Same Threats
Salt Typhoon didn’t only target government agencies. Of their 600+ victims, the majority were private sector—telecoms, financial services, transportation. The threat actors don’t check whether you have a .gov domain.
2. Federal Requirements Become Industry Standards
- NIST Cybersecurity Framework (2014) → Now required by many state laws
- CISA Zero Trust Model → Adopted in healthcare, finance, critical infrastructure
- FedRAMP → Baseline for enterprise SaaS vendors
BOD 26-02’s requirements will likely influence cyber insurance questionnaires, vendor security assessments, and regulatory updates. The private sector has seen the consequences of ignoring edge device security—organizations like Nike recently faced a 1.4TB data breach that exposed years of internal documents and intellectual property.
3. Due Diligence and Liability
When a breach occurs, lawyers ask: “What did you know, and when?”
If CISA has published explicit guidance that EOL edge devices are critical risk, and you chose to ignore it, you’ve created documentation showing:
- Awareness of the risk
- Decision not to remediate
- Potential negligence in civil litigation
Recommended Private Sector Timeline
| Timeline | Action |
|---|---|
| Immediate | Begin network-wide edge device inventory |
| 30 days | Identify all EOL devices and critical CVE exposure |
| 60 days | Implement compensating controls for high-risk EOL devices |
| 90 days | Establish EOL tracking process |
| 6 months | Remediate Priority 1 devices |
| 12 months | Remediate Priority 2 devices |
| 18 months | Achieve zero EOL edge devices on perimeter |
Conclusion: Your 90-Day Action Plan
Week 1-2: Discovery
- [ ] Deploy runZero or conduct Nmap scans of entire network
- [ ] Document all edge devices with vendor, model, firmware version
Week 3-4: Assessment
- [ ] Export configurations from all edge devices
- [ ] Run nipper-ng or Titania Nipper audits
- [ ] Check each device against vendor EOL databases
Week 5-6: Prioritization
- [ ] Create prioritized inventory (Critical/High/Medium/Low)
- [ ] Identify devices with known exploited CVEs (check CISA KEV)
- [ ] Begin building replacement business case
Week 7-8: Compensating Controls
- [ ] Implement network segmentation for EOL devices
- [ ] Enable enhanced logging and monitoring
- [ ] Deploy IPS signatures for known exploits
- [ ] Disable unused services on all edge devices
Week 9-12: Planning and Quick Wins
- [ ] Submit budget request for Priority 1 replacements
- [ ] Schedule replacement for critical CVE devices
- [ ] Establish monthly EOL tracking review
- [ ] Brief leadership on remediation progress
Resources
Official Sources
- CISA BOD 26-02 Full Text
- CISA Known Exploited Vulnerabilities Catalog
- FBI/CISA Joint Advisory on Salt Typhoon
Tools Referenced
- runZero - Cyber asset attack surface management
- Titania Nipper - Network configuration auditing
- ManageEngine NCM - Network configuration management
- nipper-ng - Open source configuration auditor
- Nmap - Network discovery and security scanning
Key Takeaways
1. The threat is real and immediate. Salt Typhoon has breached 600+ organizations using edge device vulnerabilities.
2. EOL devices cannot be fixed. When a vendor stops support, vulnerabilities become permanent.
3. Visibility comes first. You can’t secure what you don’t know exists.
4. Prioritize ruthlessly. Internet-facing devices with known exploited CVEs go first.
5. Private sector should care. BOD 26-02 may not legally apply to you, but the threat it addresses certainly does.
The attackers are already scanning your network, looking for that forgotten router running seven-year-old firmware. The question is whether you’ll find it first.
About the Author: This guide was written by security practitioners who’ve spent years helping organizations identify and remediate vulnerable edge infrastructure. For more practical security guides, check out our Introduction to Networking Concepts for Hackers and Building a Home Cybersecurity Lab.