Forty percent of all exploitation activity in 2025 targeted firewalls, routers, and VPN appliances. Not endpoints. Not cloud workloads. The devices organizations deploy specifically to protect their networks are now the primary way attackers get in.
Two stories from the past few weeks illustrate just how broken the situation has become, and why the usual advice to "just patch faster" misses the point entirely.
The Directive: Rip and Replace
On February 5, 2026, CISA issued Binding Operational Directive 26-02, ordering all Federal Civilian Executive Branch agencies to identify, decommission, and replace every end-of-support edge device on their networks. The scope is sweeping: firewalls, routers, switches, load balancers, VPN appliances, wireless access points, and network security appliances.
The timeline is aggressive. Agencies have three months to inventory all unsupported devices, 12 months to begin removal, and 18 months to eliminate them entirely. By February 2028, they must have continuous discovery processes running to catch devices as they age out of support.
"Unsupported devices pose serious risk to federal systems and should never remain on enterprise networks," said Madhu Gottumukkala, Acting CISA Director. The directive, developed in coordination with OMB, is one of the most ambitious cybersecurity mandates CISA has ever issued.
But here is the problem nobody is talking about: there is no funding attached. Agencies must find budget within existing allocations to replace potentially thousands of devices across hundreds of facilities. As Michael Bell, CEO of Suzu Labs, put it: "One year is aggressive for federal procurement, but the threat environment doesn't care about acquisition timelines."
The Proof: 36 Days of Silence
While CISA was drafting its directive about unsupported devices, a ransomware group was demonstrating that even fully supported, current-generation equipment is vulnerable.
On January 26, 2026, the Interlock ransomware group began exploiting CVE-2026-20131: a CVSS 10.0 remote code execution vulnerability in Cisco Secure Firewall Management Center. The group, which has evolved beyond traditional encryption-based extortion, used the flaw's insecure deserialization of user-supplied Java byte streams to execute arbitrary code as root. No authentication required. No user interaction needed. Maximum severity across every metric.
Interlock exploited the flaw for 36 days before Cisco publicly disclosed the vulnerability in early March. Amazon Threat Intelligence caught the activity through its MadPot honeypot network, but only because an operational security blunder exposed Interlock's infrastructure: a misconfigured server revealed the group's entire attack toolkit, including custom remote access trojans, memory-resident web shells, and PowerShell reconnaissance scripts.
The vulnerability carries a "Changed" scope rating (CVSS S:C), meaning the impact is not confined to the vulnerable component itself. Compromising the Firewall Management Center doesn't just give attackers one box; it gives them control over every Firewall Threat Defense device the FMC manages. One exploit, and the attacker can rewrite firewall rules, disable inspection, and push malicious configurations across the entire network.
CISA added CVE-2026-20131 to its Known Exploited Vulnerabilities catalog on March 19, giving agencies until March 22 to patch. A three-day window for a vulnerability that had already been exploited for nearly two months.
The Pattern Nobody Can Ignore
This is not an isolated incident. It is the acceleration of a trend that has been building for years.
The Rapid7 2026 Global Threat Landscape Report found that exploited high and critical-severity vulnerabilities surged 105% year-over-year, from 71 in 2024 to 146 in 2025. Network edge devices were the most frequently targeted category. Nearly 3 billion malicious sessions targeted internet-facing VPNs, routers, and remote access services over just 162 days in the second half of 2025.
The exploitation timelines are collapsing too. According to VulnCheck's State of Exploitation 2026 report, 28.96% of KEVs in 2025 were exploited on or before the day their CVE was published, up from 23.6% the previous year. Nearly 30% of known exploited vulnerabilities are being weaponized by the time defenders learn they exist.
Nation-state actors have made edge devices their preferred entry point. Salt Typhoon compromised 600 organizations across 80 countries, including at least 200 U.S. companies, by exploiting router and firewall flaws. This is the same playbook I covered when Iranian hackers were found pre-positioned inside U.S. banking infrastructure: compromise the network device, then wait. Volt Typhoon maintains long-term persistence on compromised internet-facing devices with living-off-the-land techniques. As Bell noted, "Nation-state actors have been exploiting edge devices from Ivanti, Fortinet, and Barracuda faster than agencies can deploy patches. The directive is playing catch-up on years of deferred maintenance."
The Fortinet, Ivanti, and Palo Alto breaches from 2024 and 2025 told the same story. I wrote about this pattern when 600 FortiGate firewalls fell to default credentials and again when the Fortinet SSO breach demonstrated that perimeter security alone is dead. The security appliance designed to be your perimeter defense becomes the breach vector. The Cisco FMC vulnerability follows this exact pattern: the management plane that controls your security infrastructure becomes the single point of failure.
The Uncomfortable Questions
BOD 26-02 is the right instinct, but the implementation challenges are staggering.
The inventory problem is the hardest step. The three-month deadline to catalog all unsupported edge devices assumes agencies can find devices they may not know exist. Most federal agencies lack complete asset inventories, particularly for equipment at field offices, embassies, and remote sites. You cannot replace what you cannot find, and discovery is far harder than anyone at CISA headquarters seems willing to acknowledge.
The OT exclusion creates a false boundary. Operational Technology devices are explicitly excluded from BOD 26-02's scope. But OT/IT convergence means many operational systems communicate through the same edge devices being replaced. Swapping out the IT-side firewall while the OT environment continues running unsupported equipment does not eliminate the risk. It just moves the trust boundary.
Procurement math does not work. If hundreds of federal agencies simultaneously begin purchasing replacement firewalls, routers, and switches from a small set of approved vendors, delivery timelines will stretch and prices will rise. The directive could create a procurement surge that makes its own deadlines unachievable. Sunil Gottumukkala, CEO of Averlon, was blunt: "Getting rid of decades-old edge devices is necessary, but replacement alone doesn't automatically reduce risk."
And the Cisco FMC exploit proves his point. Interlock was not targeting end-of-life equipment. They were exploiting a zero-day in a current, supported, actively maintained product. Replacing old devices with new ones does not solve the fundamental problem: the management plane of your security infrastructure is too often internet-accessible and runs complex software with a massive attack surface.
What This Means for Enterprise Security
The lesson from BOD 26-02 and CVE-2026-20131 together is that edge device security requires a fundamentally different approach.
Reduce management plane exposure. If your firewall management console is reachable from the internet, you have already made the most critical architectural mistake. The Cisco FMC vulnerability required nothing more than crafted HTTP requests to a web interface. Restrict management interfaces to dedicated out-of-band networks with strict access controls, and remember that an unauthenticated flaw is exploitable by anything that can reach the interface: the size of that management network is the size of your exposure.
Treat security appliances as high-value targets, not trusted infrastructure. Firewalls, VPN concentrators, and load balancers should be monitored with the same intensity as domain controllers. Audit logs for unauthorized configuration changes, and alert on changes that come from unexpected accounts, source addresses, or times of day, and on policy deployments nobody scheduled. Assume that a compromised management plane means full network compromise.
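As an added example (not from the article, and not Cisco's or any vendor's code), here is the kind of check the two recommendations above call for, written in Python: an audit over configuration-change events from a firewall management platform that flags successful sensitive changes coming from outside the out-of-band management network, from accounts that are not approved administrators, or outside the maintenance window. The audit-line format, the network range, the account names and the window are constructed assumptions; a real deployment would parse the product's own audit log instead.

```python
"""Flag risky configuration changes on a firewall management platform.

Added example; not from the article, not Cisco's code, not a real product's
log format. The audit-line format, network ranges, account names and
maintenance window below are constructed assumptions for illustration.
"""
import ipaddress
import re
from datetime import datetime, time

# Policy assumptions (hypothetical; set these to match your environment).
OOB_MGMT_NET = ipaddress.ip_network("10.250.0.0/24")  # out-of-band management network
APPROVED_ADMINS = {"fw-admin", "change-bot"}            # accounts allowed to change policy
CHANGE_WINDOW = (time(22, 0), time(2, 0))              # 22:00-02:00 local, wraps midnight
# Actions that alter what the managed firewalls enforce; a compromised
# management plane shows up here before it shows up anywhere else.
SENSITIVE_ACTIONS = {"rule_modify", "policy_deploy", "inspection_disable", "user_create"}

# Constructed sample audit lines (generic syslog-like format, not real output).
SAMPLE_LOG = """\
2026-03-02T23:10:05 fwmgr01 audit: user=fw-admin src=10.250.0.14 action=rule_modify object=acp-prod result=success
2026-03-03T01:15:44 fwmgr01 audit: user=fw-admin src=10.250.0.14 action=policy_deploy object=acp-prod result=success
2026-03-03T14:02:17 fwmgr01 audit: user=admin src=203.0.113.57 action=inspection_disable object=ftd-edge-01 result=success
2026-03-03T14:03:02 fwmgr01 audit: user=admin src=203.0.113.57 action=user_create object=svc-backup result=success
2026-03-03T15:30:00 fwmgr01 audit: user=fw-admin src=10.250.0.22 action=rule_modify object=acp-prod result=success
2026-03-03T15:31:00 fwmgr01 audit: user=fw-admin src=10.250.0.22 action=login object=- result=failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) audit: user=(?P<user>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+) object=(?P<obj>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one audit line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def in_change_window(ts):
    """True if ts falls inside the maintenance window (handles the midnight wrap)."""
    start, end = CHANGE_WINDOW
    t = ts.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def findings_for(ev):
    """Return the reasons a successful sensitive change looks wrong (empty if none)."""
    reasons = []
    if ev["action"] not in SENSITIVE_ACTIONS or ev["result"] != "success":
        return reasons
    src = ipaddress.ip_address(ev["src"])
    if src not in OOB_MGMT_NET:
        reasons.append(f"source {src} outside management network {OOB_MGMT_NET}")
    if ev["user"] not in APPROVED_ADMINS:
        reasons.append(f"account {ev['user']!r} is not an approved administrator")
    if not in_change_window(ev["ts"]):
        reasons.append(f"change at {ev['ts'].time()} outside maintenance window")
    return reasons


def audit(log_text):
    """Run every line through the checks; return one alert per offending event."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable line; a real deployment should count these too
        reasons = findings_for(ev)
        if reasons:
            alerts.append({"ts": ev["ts"].isoformat(), "user": ev["user"],
                           "action": ev["action"], "object": ev["obj"],
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in audit(SAMPLE_LOG):
        print(f"{a['ts']} {a['user']} {a['action']} {a['object']}")
        for r in a["reasons"]:
            print(f"    - {r}")
```

On the constructed sample, the two afternoon changes from 203.0.113.57 by an unapproved account trip all three checks, the 15:30 rule change from an approved admin on the management network trips only the window check, and the failed login is ignored because the check is about what actually changed. The point of the design is that each condition is cheap and each alone is worth an alert; an attacker who has the management plane can disable inspection with one legitimate-looking request, so the source address and the time are often the only things that look wrong.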
Build asset inventories before you need them. The agencies scrambling to catalog their edge devices under BOD 26-02's three-month deadline are learning a painful lesson that private sector organizations should internalize now. Timothy Amerson at GuidePoint Security argues that agencies must "stop treating refresh like a 'big bang'" and adopt incremental modernization. That advice applies to every enterprise.
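As an added example (not from the article or from CISA), here is an inventory triage in Python covering both halves of the problem the article raises: which in-scope devices are past or approaching end of support, and which devices answered a network scan without appearing in the inventory at all. The CSV layout, device roles, dates and scan results are constructed, and the one-year aging-out horizon is an assumption.

```python
"""Edge-device inventory triage: what is unsupported, what is about to be,
and what is on the network but not in the inventory at all.

Added example; not from the article or from CISA. The CSV layout, the device
roles, the end-of-support dates and the scan results are all constructed.
"""
import csv
import io
from datetime import date, timedelta

# Device roles in scope (mirrors the classes of equipment the article lists).
EDGE_ROLES = {"firewall", "router", "switch", "load_balancer", "vpn",
              "wireless_ap", "security_appliance"}
# Assumption: treat anything losing vendor support within a year as aging out.
AGING_OUT_HORIZON = timedelta(days=365)

# Constructed inventory export (for example from a CMDB).
INVENTORY_CSV = """\
hostname,role,vendor,model,site,end_of_support
edge-fw-01,firewall,VendorA,FW-1000,HQ,2024-06-30
edge-fw-02,firewall,VendorA,FW-3000,HQ,2029-01-31
branch-rtr-17,router,VendorB,R-200,Field Office 17,2026-09-30
lb-01,load_balancer,VendorC,LB-X,HQ,
core-sw-03,switch,VendorB,S-9000,HQ,2031-12-31
srv-db-01,server,VendorD,DB-1,HQ,2023-01-01
"""

# Constructed set of management hostnames that a network scan actually answered from.
SCAN_SEEN = {"edge-fw-01", "edge-fw-02", "branch-rtr-17", "lb-01",
             "core-sw-03", "embassy-fw-09", "old-vpn-02"}


def triage(inventory_csv, scan_seen, as_of, horizon=AGING_OUT_HORIZON):
    """Bucket in-scope devices by support status as of an ISO date, and list
    scan hits that have no inventory record."""
    today = date.fromisoformat(as_of)
    result = {"unsupported": [], "aging_out": [], "unknown_eos": [],
              "supported": [], "not_in_inventory": []}
    inventoried = set()
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        inventoried.add(row["hostname"])
        if row["role"] not in EDGE_ROLES:
            continue  # servers etc. are out of scope for this check
        raw = row["end_of_support"].strip()
        if not raw:
            # No date means support cannot be demonstrated: a finding, not a pass.
            result["unknown_eos"].append(row["hostname"])
            continue
        eos = date.fromisoformat(raw)
        if eos < today:
            result["unsupported"].append((row["hostname"], (today - eos).days))
        elif eos - today <= horizon:
            result["aging_out"].append((row["hostname"], (eos - today).days))
        else:
            result["supported"].append(row["hostname"])
    # Devices that answered a scan but have no inventory record: the ones
    # nobody will replace because nobody knows they exist.
    result["not_in_inventory"] = sorted(scan_seen - inventoried)
    return result


if __name__ == "__main__":
    r = triage(INVENTORY_CSV, SCAN_SEEN, "2026-03-15")
    for host, days in r["unsupported"]:
        print(f"UNSUPPORTED   {host} ({days} days past end of support)")
    for host, days in r["aging_out"]:
        print(f"AGING OUT     {host} ({days} days of support left)")
    for host in r["unknown_eos"]:
        print(f"NO EOS DATE   {host}")
    for host in r["not_in_inventory"]:
        print(f"NOT INVENTORIED {host}")
```

Two choices matter here. A blank end-of-support field is reported, not silently treated as supported, because an inventory that cannot prove a device is supported is exactly the inventory BOD 26-02 is trying to fix. And the scan-minus-inventory set is computed on every run, which is the cheap version of the continuous discovery the directive eventually requires: the embassy firewall and the forgotten VPN box in the constructed data are the devices that would otherwise survive every replacement cycle.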
Plan for zero-day exposure windows. With nearly 29% of exploited vulnerabilities weaponized on or before disclosure, the traditional patch-when-disclosed model is already obsolete. Defense-in-depth around edge devices means assuming they will be compromised and building detection, segmentation, and response capabilities that limit the blast radius when they are.
The edge device reckoning is here. CISA is telling agencies to replace unsupported equipment, but the Cisco FMC exploit shows that new equipment alone is not the answer. The real question is whether organizations will treat their network perimeter as the attack surface it has become, or continue trusting devices that attackers have already learned to turn against them.