US and UK government agencies have warned that discontinued edge devices, which include firewalls, IoT gear, load balancers, and other network appliances, pose significant risk to federal networks and enterprise environments as they no longer receive security updates. The alert, issued as part of a fresh notice, states that EOS devices can be exploited by state-sponsored threat actors to gain access, persist, and steal data, stressing that such devices may also cause compatibility issues that disrupt productivity.
According to the agencies, CISA, the FBI, and UK’s NCSC, nation-state actors can use EOS edge devices as entry points into modern environments, heightening the risk to organisations’ data and services. Per Binding Operational Directive 26-02, federal agencies are urged to update to supported software versions and to inventory devices on CISA’s EOS edge device list within three months, with decommissioning planned within a year and ongoing discovery processes to continue.
The directive also requires agencies to decommission identified EOS devices within 18 to 24 months, underscoring the urgency of replacing discontinued edge devices to bolster security posture.