How to Find and Remove End-of-Life Edge Devices Before Attackers Exploit Them
A Practical Guide to Complying with CISA BOD 26-02 (and Why Private Sector Should Too)
The Wake-Up Call You Can't Ignore
On February 5, 2026, CISA dropped a bombshell: Binding Operational Directive 26-02 mandates that all federal agencies identify and remove end-of-life (EOL) edge devices from their networks within 18 months. No extensions, and the only carve-outs are OT devices and FedRAMP-authorized cloud services.
If you're in the private sector, you might think this doesn't apply to you. You'd be wrong—at least strategically.
Here's the reality: the same nation-state hackers that prompted this directive don't care whether you're a government agency or a Fortune 500 company. Salt Typhoon, the China-linked APT group behind the directive's urgency, has already breached over 600 organizations across 80 countries. Their weapon of choice? Exploiting vulnerabilities in firewalls, routers, VPN gateways, and other edge devices that organizations forgot to update—or couldn't update because the vendor stopped supporting them.
This guide is your playbook for:
- Understanding what BOD 26-02 actually requires
- Finding every EOL edge device hiding in your network
- Auditing their configurations for critical vulnerabilities
- Building a replacement plan that doesn't break the bank
Understanding the Threat: Why Edge Devices Are Under Attack
Your firewall might be the easiest way into your network.
Edge devices sit at the boundary between your internal network and the hostile internet. They're designed to keep attackers out. But when they're running outdated, unpatched, or end-of-life software, they become the very doors attackers walk through.
Salt Typhoon: The Campaign That Changed Everything
Salt Typhoon (also tracked as GhostEmperor, Operator Panda, RedMike, UNC5807) is a China-linked APT group that has been systematically exploiting edge devices since at least 2019:
| Metric | Value |
|---|---|
| Organizations Breached | 600+ confirmed |
| Countries Affected | 80+ |
| U.S. Organizations | 200+ |
| Primary Targets | Telecommunications, government, transportation, military |
Their Attack Playbook
- Exploit publicly-known vulnerabilities in edge devices (often CVEs months or years old)
- Modify device configurations for persistent backdoor access
- Add GRE tunnels for stealthy data exfiltration
- Capture TACACS+ traffic to harvest admin credentials
- Pivot laterally through trusted network connections
The key insight: they're not relying on zero-days. They're exploiting known vulnerabilities in devices that haven't been patched, and in many cases the device can't be patched at all because the vendor no longer ships fixes for it.
According to CISA, edge device vulnerability exploitation increased 8x from 2024 to 2025. Mandiant's M-Trends 2025 report found that 21% of ransomware attacks now use vulnerability exploitation as their initial access vector.
CISA BOD 26-02: What It Requires
The Timeline
| Deadline | Requirement |
|---|---|
| Immediate | Update all edge devices running EOS software to vendor-supported versions |
| 3 months | Complete inventory of all devices on CISA's EOS Edge Device List |
| 12 months | Decommission devices with EOS dates before this deadline |
| 18 months | Remove ALL identified EOS edge devices from networks |
| 24 months | Establish continuous discovery process for lifecycle management |
Devices Covered
- Firewalls (next-gen and traditional)
- Routers and switches (especially internet-facing)
- VPN gateways and concentrators
- Load balancers
- Wireless access points
- Network security appliances (IDS/IPS, web proxies)
- IoT edge devices
- Software-defined network components
Exclusions: Operational Technology (OT) devices and FedRAMP-authorized cloud services.
"The imminent threat of exploitation to agency information systems running EOS edge devices is substantial and constant, resulting in a significant threat to federal property." — CISA BOD 26-02
Recent Edge Device CVEs: The Hit List
Before we dive into tools, here's what we're defending against—the vulnerabilities that nation-state actors and ransomware gangs are actively exploiting:
Actively Exploited Edge Device CVEs (2024-2025)
| CVE | Vendor | Product | CVSS | Description | Status |
|---|---|---|---|---|---|
| CVE-2024-3400 | Palo Alto | PAN-OS | 10.0 | Command Injection via GlobalProtect | Salt Typhoon |
| CVE-2023-20198 | Cisco | IOS XE | 10.0 | Web UI Privilege Escalation | Multiple APTs |
| CVE-2024-23113 | Fortinet | FortiOS | 9.8 | RCE via Format String | Ransomware |
| CVE-2025-20393 | Cisco | AsyncOS | 10.0 | Zero-Day RCE | China APT |
| CVE-2025-22457 | Ivanti | Connect Secure | 9.0 | Buffer Overflow RCE | UNC5221 |
| CVE-2025-0282 | Ivanti | Connect Secure | 9.0 | Stack Buffer Overflow | Multiple |
| CVE-2024-21762 | Fortinet | FortiOS | 9.6 | Out-of-bounds Write | Ransomware |
| CVE-2024-21887 | Ivanti | Connect Secure | 9.1 | Command Injection | Salt Typhoon |
| CVE-2023-46805 | Ivanti | Connect Secure | 8.2 | Authentication Bypass | Salt Typhoon |
| CVE-2018-0171 | Cisco | IOS | 9.8 | Smart Install RCE | Salt Typhoon |
Notice that last one: CVE-2018-0171 is from 2018—eight years ago—and Salt Typhoon is still successfully exploiting it.
Why EOL Devices Are Especially Dangerous
When a device reaches end-of-life:
- No patches are released for newly discovered vulnerabilities
- Existing exploits remain viable indefinitely
- Newly discovered vulnerabilities, including any zero-day, will never get a fix, so the device stays exposed for as long as it is on the network
- Attackers specifically target EOL devices because the vulnerability window is permanent
The Tool Stack: Discovery and Auditing
Quick Reference: Tool Comparison
| Tool | Type | Best For | EOL Tracking | Config Audit | Free Tier |
|---|---|---|---|---|---|
| runZero | Discovery | Continuous asset inventory | Partial | No | 256 assets |
| Nmap | Discovery | Deep network scans | No | Limited | Full |
| Titania Nipper | Audit | Compliance-grade audits | No | Excellent | No |
| nipper-ng | Audit | Free config auditing | No | Good | Full |
| ManageEngine NCM | Lifecycle | EOL date tracking | Excellent | Partial | Limited |
Step 1: Network Discovery and Inventory
You can't secure what you don't know exists.
Option A: runZero (Recommended for Continuous Discovery)
Created by HD Moore (creator of Metasploit), runZero excels at finding devices other scanners miss, using unauthenticated scanning with deep fingerprinting.
Installing the runZero Explorer:
# The Explorer binary is downloaded from your runZero console's Explorer deployment
# page. That link is organization-specific and embeds a download token, so the URL
# below is a placeholder, not a public download path.
curl -o runzero-explorer "https://<your-console-download-link>/runzero-explorer-linux-amd64.bin"
chmod +x runzero-explorer
# Installs the Explorer as a service and connects it to your console
sudo ./runzero-explorer
# Scans are normally defined and launched from the console. The command-line form
# below is an illustration of the parameters you set there, not a verified CLI:
# substitute your own targets and keep the rate low on segments with fragile legacy gear.
./runzero-explorer \
 --token YOUR_ORGANIZATION_TOKEN \
 --name "Edge Device Discovery" \
 --networks 10.0.0.0/8,192.168.0.0/16 \
 --rate 1000
Query for Edge Devices:
type:firewall # Find all firewalls
type:router # Find all routers
hw.vendor:Cisco # Find Cisco devices
has:vulnerabilities AND type:firewall # Firewalls with known vulns
Option B: Nmap (For Deep Dives and Scripting)
Nmap is the gold standard for network reconnaissance. If you're new to network scanning, check out our Introduction to Networking Concepts for Hackers to understand the fundamentals before diving in.
# Discover hosts with OS detection (-O and -sS need root)
sudo nmap -sS -O -T4 10.0.0.0/24 -oX edge-discovery.xml
# Service detection on common edge device management ports
sudo nmap -sV -sC -p22,23,80,443,161,8080,8443 10.0.0.0/24
# Find hosts listening on the Smart Install port (the CVE-2018-0171 attack surface).
# Nmap does not ship a Smart Install NSE script: an open 4786/tcp is the indicator,
# then confirm on the device with "show vstack config".
nmap -p4786 --open 10.0.0.0/24 -oG smart-install.gnmap
# SNMP enumeration for device info (uses the "public" community unless you pass
# --script-args snmpcommunity=<string>)
nmap -sU -p161 --script snmp-sysdescr 10.0.0.0/24
# Full port scan of a known edge device. Keep the rate modest: aggressive scans
# have crashed legacy appliances with weak TCP stacks, and an outage on the
# perimeter is a bad way to discover a device is EOL.
sudo nmap -sS -sV -p- --min-rate 500 192.168.1.1 -oX router-full.xml
Building Your Asset Inventory
| Device | IP | Vendor | Model | Firmware | EOL Date | Risk | Notes |
|---|---|---|---|---|---|---|---|
| Core Firewall | 10.0.0.1 | Palo Alto | PA-3220 | 10.2.3 | 2028-12 | Low | Supported |
| Branch Router | 192.168.1.1 | Cisco | ISR 2911 | 15.2(4)M | 2023-09 | Critical | EOL - replace |
| VPN Gateway | 10.0.0.5 | Fortinet | FG-60E | 6.4.2 | 2027-06 | Medium | Needs update |
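Turning scan output into that table by hand does not scale past a handful of devices. The script below is an added example for this guide (not Nmap, runZero or the original page's code): it parses the XML that `-oX` writes, pulls vendor and firmware version out of SNMP sysDescr strings, service banners and OS matches, and emits inventory rows. `SAMPLE_XML` is constructed sample data in Nmap's schema, not a real scan; the vendor regexes cover only the vendors discussed in this guide and are a starting point, not a fingerprint database.

```python
"""Build an edge-device inventory from Nmap XML (-oX) output.

Added example for this guide, not code from Nmap, runZero or the original
page. It walks the host/port/os/script elements in Nmap's XML schema and maps
SNMP sysDescr strings, service banners and OS matches to a vendor and firmware
version, producing rows for the inventory table. SAMPLE_XML is constructed
sample data in Nmap's format, not a real scan.
"""
import re
import xml.etree.ElementTree as ET

# Ports the CVEs in this guide are reached through: SSH/Telnet, web UI, Smart Install.
MGMT_PORTS = {"22", "23", "80", "443", "4786", "8080", "8443"}

# (vendor keyword regex, vendor name, regex extracting a version from the fingerprint)
# \bIOS\b avoids matching the "iOS" inside "FortiOS".
VENDOR_PATTERNS = [
    (re.compile(r"Cisco|\bIOS\b", re.I), "Cisco", re.compile(r"Version ([\w.()]+)")),
    (re.compile(r"Fortinet|FortiGate|FortiOS", re.I), "Fortinet", re.compile(r"v(\d+\.\d+\.\d+)")),
    (re.compile(r"Palo Alto|PAN-OS", re.I), "Palo Alto", re.compile(r"PAN-OS (\d+\.\d+\.\d+)")),
    (re.compile(r"Juniper|JUNOS", re.I), "Juniper", re.compile(r"JUNOS (\S+)")),
    (re.compile(r"Ivanti|Pulse Secure", re.I), "Ivanti", re.compile(r"(\d+\.\d+R\d+)")),
]


def classify(fingerprint):
    """Return (vendor, version) for a banner/sysDescr/OS string, or ("Unknown", None)."""
    for vendor_re, vendor, version_re in VENDOR_PATTERNS:
        if vendor_re.search(fingerprint):
            m = version_re.search(fingerprint)
            return vendor, (m.group(1) if m else None)
    return "Unknown", None


def parse_nmap_xml(xml_text):
    """Return one inventory dict per host that Nmap reported as up."""
    inventory = []
    for host in ET.fromstring(xml_text.strip()).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        ip = next((a.get("addr") for a in host.findall("address")
                   if a.get("addrtype") == "ipv4"), None)
        open_ports, fingerprints = [], []
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            open_ports.append(f"{port.get('portid')}/{port.get('protocol')}")
            svc = port.find("service")
            if svc is not None:
                fingerprints.append(" ".join(filter(None, (
                    svc.get("product"), svc.get("version"), svc.get("extrainfo")))))
            # snmp-sysdescr is a port script on 161/udp and gives the richest fingerprint
            fingerprints.extend(s.get("output", "") for s in port.findall("script"))
        fingerprints.extend(s.get("output", "") for s in host.findall("hostscript/script"))
        osmatch = host.find("os/osmatch")
        if osmatch is not None:
            fingerprints.append(osmatch.get("name", ""))
        vendor, version = "Unknown", None
        for fp in fingerprints:  # first fingerprint that names a vendor wins
            vendor, version = classify(fp)
            if vendor != "Unknown":
                break
        inventory.append({
            "ip": ip, "vendor": vendor, "firmware": version, "open_ports": open_ports,
            "mgmt_exposed": any(p.split("/")[0] in MGMT_PORTS for p in open_ports),
        })
    return inventory


def inventory_rows(inventory):
    """Render rows for the inventory table; EOL date and risk are filled in at Step 3."""
    return [f"| {d['ip']} | {d['vendor']} | {d['firmware'] or '?'} | "
            f"{', '.join(d['open_ports'])} | mgmt exposed: {'yes' if d['mgmt_exposed'] else 'no'} |"
            for d in inventory]


# Constructed sample in Nmap's XML format (not a real scan): a branch router with
# Telnet and Smart Install exposed, a FortiGate on 443, and one host that is down.
SAMPLE_XML = """
<nmaprun scanner="nmap">
 <host><status state="up"/><address addr="192.168.1.1" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
   <port protocol="tcp" portid="4786"><state state="open"/><service name="smart-install"/></port>
   <port protocol="udp" portid="161"><state state="open"/><service name="snmp"/>
    <script id="snmp-sysdescr" output="Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.2(4)M7"/>
   </port>
  </ports>
  <os><osmatch name="Cisco IOS 15.X" accuracy="95"/></os>
 </host>
 <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="443"><state state="open"/><service name="https" product="FortiGate" extrainfo="FortiOS v6.4.2"/></port>
   <port protocol="tcp" portid="22"><state state="closed"/></port>
  </ports>
 </host>
 <host><status state="down"/><address addr="10.0.0.9" addrtype="ipv4"/></host>
</nmaprun>
"""

if __name__ == "__main__":
    print("\n".join(inventory_rows(parse_nmap_xml(SAMPLE_XML))))
```

Run it against a real `edge-discovery.xml` by reading the file into `parse_nmap_xml`; the SNMP sysDescr is the field worth fighting for, because OS fingerprints alone rarely give you the exact firmware train you need for the EOL lookup in Step 3.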
Step 2: Configuration Security Auditing
Finding edge devices is only half the battle. You also need to know if they're configured securely.
Option A: Titania Nipper (Enterprise-Grade)
The gold standard for network device configuration auditing:
- Works completely air-gapped (parses config files, no network access required)
- Supports 100+ device types: Cisco, Juniper, Fortinet, Palo Alto, Check Point, SonicWall
- Maps findings to compliance frameworks: DISA STIG, RMF, PCI-DSS, CIS Benchmarks
- Generates detailed remediation steps
Sample Finding (illustrative of the report format):
FINDING: CVE-2018-0171 - Cisco Smart Install Enabled
SEVERITY: Critical (CVSS 9.8)
DEVICE: cisco-router-01.cfg
REMEDIATION:
Disable Smart Install by adding:
no vstack
COMPLIANCE IMPACT:
- DISA STIG V-96265 (CAT I)
- CIS Cisco IOS 15 Benchmark (unnecessary services)
Option B: nipper-ng (Open Source Alternative)
The open-source fork of the original Nipper tool. It has not been actively developed for years, so it understands only the device families in the table below (Cisco IOS, ASA and PIX, Juniper ScreenOS, SonicOS): it cannot audit FortiOS or PAN-OS configs, and its checks predate most of the CVEs listed above. It is still a useful first pass over classic IOS and ASA configurations.
Installing on Kali Linux:
sudo apt update && sudo apt install nipper-ng
Running Audits:
# Audit Cisco IOS router
nipper-ng --ios-router --input=router-config.txt --output=router-audit.html
# Audit Cisco ASA firewall
nipper-ng --asa --input=asa-config.txt --output=asa-audit.html
# Audit Juniper ScreenOS
nipper-ng --screenos --input=screenos-config.txt --output=screenos-audit.html
Supported Devices:
| Flag | Device Type |
|---|---|
| --ios-router | Cisco IOS Router |
| --ios-switch | Cisco IOS Switch |
| --asa | Cisco ASA Firewall |
| --pix | Cisco PIX Firewall |
| --screenos | Juniper ScreenOS |
| --sonicos | SonicWall SonicOS |
Configuration Export Cheat Sheet
Exported configurations are full of secrets (type 7 passwords, SNMP community strings, IPsec pre-shared keys, TACACS+ and RADIUS keys; on ASA, `more system:running-config` prints pre-shared keys in the clear). Transfer and store them like credentials, and delete the copies once the audit is done.
Cisco IOS/IOS XE:
terminal length 0
show running-config
Cisco ASA:
terminal pager 0
more system:running-config
Fortinet FortiGate:
config system console
set output standard
end
show full-configuration
Palo Alto PAN-OS:
set cli config-output-format set
show config running
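Once the configs are exported, it helps to understand what an auditor such as nipper-ng is actually checking for. The script below is an added example written for this guide (it is not nipper-ng or Titania Nipper code, and it is far narrower than either): it reads a Cisco IOS running-config and flags the settings behind the CVEs discussed earlier, namely Smart Install not disabled, the HTTP/HTTPS web UI enabled, Telnet on the VTY lines, default or writable SNMP communities, and type 7 "encrypted" passwords, which it decodes to show why they are not protection. `SAMPLE_CONFIG` is constructed sample data, not from a real device.

```python
"""Minimal Cisco IOS running-config auditor.

Added example for this guide; it is not nipper-ng or Titania Nipper code and
covers only a handful of the checks those tools run. Point it at a config
exported with the cheat sheet above. SAMPLE_CONFIG is constructed sample
data, not from a real device.
"""
import re

# Cisco's fixed type 7 key, public since the 1990s: type 7 is obfuscation, not encryption.
TYPE7_KEY = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(blob):
    """Decode a type 7 string: two-digit key offset, then hex bytes XORed with the key."""
    seed = int(blob[:2])
    chars = []
    for i, pos in enumerate(range(2, len(blob) - 1, 2)):
        byte = int(blob[pos:pos + 2], 16)
        chars.append(chr(byte ^ ord(TYPE7_KEY[(seed + i) % len(TYPE7_KEY)])))
    return "".join(chars)


def audit_ios_config(config):
    """Return (severity, finding) tuples for an IOS running-config, worst first."""
    lines = [line.rstrip() for line in config.splitlines()]
    findings = []

    # Smart Install is on by default on many IOS switches and leaves no trace in the
    # config unless explicitly disabled, so the absence of "no vstack" is the finding.
    if "no vstack" not in lines:
        findings.append(("CRITICAL", "Smart Install not disabled (CVE-2018-0171): add 'no vstack'"))

    # CVE-2023-20198 is reachable through either the HTTP or the HTTPS web UI
    for directive in ("ip http server", "ip http secure-server"):
        if directive in lines:
            findings.append(("CRITICAL", f"web UI enabled ('{directive}'): CVE-2023-20198 attack surface"))

    # VTY sub-commands are indented under their "line vty ..." header
    block = None
    for line in lines:
        if line and not line.startswith(" "):
            block = line
        elif (block and block.startswith("line vty")
              and re.match(r"\s*transport input\b.*\b(all|telnet)\b", line)):
            findings.append(("HIGH", f"{block}: Telnet permitted ('{line.strip()}')"))

    for community, mode in re.findall(r"^snmp-server community (\S+) (RO|RW)", config, re.M):
        if community.lower() in ("public", "private") or mode == "RW":
            findings.append(("HIGH", f"SNMP community '{community}' ({mode}) is default or writable"))

    if re.search(r"^enable password ", config, re.M) and not re.search(r"^enable secret ", config, re.M):
        findings.append(("HIGH", "'enable password' in use with no 'enable secret'"))

    # Type 7 passwords are recoverable by anyone who can read the config
    for context, blob in re.findall(r"^(.*password) 7 ([0-9A-Fa-f]+)\s*$", config, re.M):
        findings.append(("MEDIUM", f"type 7 password in '{context.strip()}' decodes to '{decode_type7(blob)}'"))

    order = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}
    return sorted(findings, key=lambda f: order[f[0]])


# Constructed sample config (not a real device) with every weakness the auditor knows about
SAMPLE_CONFIG = """!
hostname branch-rtr-01
!
enable password 7 094F471A1A0A
username admin password 7 02050D480809
!
ip http server
ip http secure-server
!
snmp-server community public RO
snmp-server community s3cret RW
!
line vty 0 4
 transport input telnet ssh
 login local
!
end
"""

if __name__ == "__main__":
    for severity, finding in audit_ios_config(SAMPLE_CONFIG):
        print(f"[{severity}] {finding}")
```

Run it with `python audit.py` to see the sample's nine findings, or replace `SAMPLE_CONFIG` with the contents of an exported `router-config.txt`. The type 7 decoder is the part worth internalizing: both sample passwords decode to `cisco`, and anyone who obtains the config (which is exactly what Salt Typhoon does once on a device) gets the same result.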
Step 3: EOL/EOS Lifecycle Tracking
ManageEngine Network Configuration Manager
ManageEngine NCM includes dedicated EOL/EOS tracking that syncs with vendor databases:
- Automatic sync with Cisco, Juniper, Fortinet, Palo Alto EOL databases
- Alerts when devices approach end-of-support
- Offline mode for air-gapped networks
Sample Report:
| Device | Vendor | Model | Version | EOL Date | Days Until EOL | Status |
|---|---|---|---|---|---|---|
| fw-01 | Cisco | ASA 5515 | 9.8(4) | 2024-09-30 | -496 | EXPIRED |
| sw-core | Cisco | 3850 | 16.6.2 | 2026-10-01 | 236 | Warning |
| vpn-gw | Fortinet | FG-60E | 6.4.12 | 2027-06-01 | 479 | OK |
Manual Tracking with Vendor Resources
| Vendor | EOL Information URL |
|---|---|
| Cisco | cisco.com/c/en/us/products/eos-eol-policy.html |
| Fortinet | support.fortinet.com/Information/ProductLifeCycle.aspx |
| Palo Alto | paloaltonetworks.com/services/support/end-of-life-announcements |
| Juniper | support.juniper.net/support/eol/ |
| Multi-Vendor | layer23-switch.com/eol-eosl-tool/ |
Step 4: Replacement Planning and Prioritization
Prioritization Framework
Priority 1: Critical (Replace Within 30 Days)
- Internet-facing devices
- Devices with known actively-exploited CVEs
- VPN gateways handling remote access
- Devices in flat networks with no segmentation
Priority 2: High (Replace Within 90 Days)
- Devices handling sensitive data (PCI, HIPAA)
- Core infrastructure (backbone routers, primary firewalls)
Priority 3: Medium (Replace Within 6 Months)
- Internal-only devices with segmentation
- Branch office equipment with compensating controls
Priority 4: Low (Replace Within 12-18 Months)
- Lab/test equipment
- Redundant/backup devices
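The EOL tracking in Step 3 and the tiering above are one calculation, and it is worth having it in a form you can re-run every month without a product licence. The script below is an added example written for this guide (not ManageEngine NCM or CISA code): given inventory rows it computes days until end-of-support, an EXPIRED/WARNING/OK status like the sample report above, and a priority tier following the framework above, with one refinement the framework implies but does not spell out: a still-supported device exposed to a KEV-listed CVE gets "patch now" rather than a replacement tier. `SAMPLE_INVENTORY`, its EOL dates and `KEV_SUBSET` are constructed data (the CVE IDs are the ones named earlier in this guide, not the live CISA catalog), and `TODAY` is pinned to 2026-02-07 so the numbers match the sample report.

```python
"""EOL status and replacement priority for an edge-device inventory.

Added example for this guide; it is not ManageEngine NCM or CISA code.
SAMPLE_INVENTORY and its EOL dates are constructed, KEV_SUBSET is a
hand-picked subset of the CVEs named in this guide (refresh from CISA's
KEV JSON feed in practice), and TODAY is fixed so the output is repeatable.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

KEV_SUBSET = {"CVE-2018-0171", "CVE-2023-20198", "CVE-2024-3400",
              "CVE-2024-21762", "CVE-2025-22457"}
PRIORITY_WINDOWS = {1: "30 days", 2: "90 days", 3: "6 months", 4: "12-18 months"}


@dataclass
class Device:
    name: str
    vendor: str
    model: str
    eol_date: Optional[date]          # None: supported, no end-of-support date announced
    internet_facing: bool = False
    remote_access: bool = False       # VPN gateway / remote-access role
    sensitive_data: bool = False      # PCI, HIPAA and similar scope
    core: bool = False                # backbone router, primary firewall
    segmented: bool = False           # isolated VLAN or other compensating controls in place
    lab_or_redundant: bool = False
    cves: set = field(default_factory=set)  # CVE IDs the running firmware is exposed to


def days_until_eol(device, today):
    return None if device.eol_date is None else (device.eol_date - today).days


def eol_status(device, today, warn_days=365):
    """SUPPORTED (no date), EXPIRED (past), WARNING (within warn_days) or OK."""
    days = days_until_eol(device, today)
    if days is None:
        return "SUPPORTED"
    if days < 0:
        return "EXPIRED"
    return "WARNING" if days <= warn_days else "OK"


def priority(device, today):
    """Replacement tier 1-4 for devices at or near EOL; None if replacement is not yet due."""
    if eol_status(device, today) not in ("EXPIRED", "WARNING"):
        return None
    if device.internet_facing or device.remote_access or (device.cves & KEV_SUBSET):
        return 1
    if not device.segmented:
        return 1  # flat network: a compromise of this box reaches everything else
    if device.lab_or_redundant:
        return 4
    if device.sensitive_data or device.core:
        return 2
    return 3


def plan(devices, today):
    """One row per device: status, days to EOL, tier and the action to take, most urgent first."""
    rows = []
    for d in devices:
        tier = priority(d, today)
        kev = sorted(d.cves & KEV_SUBSET)
        if tier is not None:
            action = f"REPLACE within {PRIORITY_WINDOWS[tier]}"
        elif kev:
            action = "PATCH NOW (KEV exposure on a supported device)"
        else:
            action = "MONITOR"
        rows.append({"name": d.name, "status": eol_status(d, today),
                     "days_to_eol": days_until_eol(d, today), "priority": tier,
                     "kev": kev, "action": action})
    rows.sort(key=lambda r: (r["priority"] or 99,
                             r["days_to_eol"] if r["days_to_eol"] is not None else 10**6))
    return rows


# Constructed inventory mirroring the tables above (EOL dates are illustrative)
SAMPLE_INVENTORY = [
    Device("core-fw", "Palo Alto", "PA-3220", date(2028, 12, 31), internet_facing=True, core=True),
    Device("branch-rtr", "Cisco", "ISR 2911", date(2023, 9, 30), internet_facing=True,
           cves={"CVE-2018-0171"}),
    Device("vpn-gw", "Fortinet", "FG-60E", date(2027, 6, 1), internet_facing=True,
           remote_access=True, cves={"CVE-2024-21762"}),
    Device("fw-01", "Cisco", "ASA 5515", date(2024, 9, 30), segmented=True, sensitive_data=True),
    Device("sw-core", "Cisco", "Catalyst 3850", date(2026, 10, 1), segmented=True, core=True),
    Device("lab-sw", "Cisco", "Catalyst 2960", date(2025, 1, 31), segmented=True, lab_or_redundant=True),
]
TODAY = date(2026, 2, 7)  # pinned so the example is repeatable

if __name__ == "__main__":
    for r in plan(SAMPLE_INVENTORY, TODAY):
        print(f"{r['name']:<11} {r['status']:<9} {str(r['days_to_eol']):>6}  P{r['priority']}  {r['action']}")
```

Feed it the inventory from Step 1 plus the EOL dates you looked up in Step 3, and the output is the prioritized list the replacement plan and the business case below both need. Re-run it on a schedule: the WARNING tier is what stops next year's EOL devices from becoming next year's emergency.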
Building the Business Case
Quantify the Risk:
Salt Typhoon Impact: 600+ organizations breached
Average breach cost (IBM Cost of a Data Breach Report 2024, global average): $4.88 million
Cost to replace 15 EOL devices: ~$175,000 (CapEx)
Cost of breach investigation & remediation: $500K - $5M+
ROI on proactive replacement: 3x - 28x
Compliance Angle:
- NIST SP 800-53 SA-22 (Unsupported System Components): replace components once vendor support ends; SI-2 (Flaw Remediation): install patches, which is impossible for EOL devices
- PCI DSS v4.0 6.3.3: apply vendor security patches; 12.3.4: review hardware and software at least annually for end-of-life and vendor support
- HIPAA Security Rule: document risks and remediate them
- DFARS 252.204-7012: adequate security for CUI
Compensating Controls: When You Can't Replace Yet
⚠️ Warning: Compensating controls are temporary risk mitigations, not permanent solutions. They should be used as a bridge during the replacement process, not as an excuse to delay EOL device retirement.
Network Segmentation
Cisco Example - Isolating Legacy Devices:
The point of the ACL is to let the EOL device talk only to the admin jump host (10.0.0.50) and the syslog collector (10.0.0.100) and nothing else, so that a compromise of the device cannot be used as a pivot. An inbound ACL on the SVI filters what the device sends; a matching outbound ACL filters who can reach it.
! Put the EOL device on its own VLAN
vlan 999
 name LEGACY_EOL_ISOLATED
!
interface GigabitEthernet0/1
 description EOL device, isolated pending replacement
 switchport mode access
 switchport access vlan 999
!
! Inbound on the SVI = traffic sourced by the EOL device: SSH replies to the
! jump host and syslog to the collector only; everything else dropped and logged
ip access-list extended LEGACY_ISOLATION
 permit tcp 10.99.99.0 0.0.0.255 eq 22 host 10.0.0.50 established
 permit udp 10.99.99.0 0.0.0.255 host 10.0.0.100 eq 514
 deny   ip any any log
!
! Outbound on the SVI = traffic destined to the EOL device: SSH from the jump host only
ip access-list extended LEGACY_INBOUND
 permit tcp host 10.0.0.50 10.99.99.0 0.0.0.255 eq 22
 deny   ip any any log
!
interface Vlan999
 ip address 10.99.99.1 255.255.255.0
 ip access-group LEGACY_ISOLATION in
 ip access-group LEGACY_INBOUND out
Virtual Patching via IPS
Snort Rule for CVE-2018-0171:
Smart Install is only ever spoken between a director and its clients on the management network, so any Smart Install message arriving from outside is an attack attempt. The rule keys on the fixed four-byte prefix of Smart Install messages rather than on one specific exploit payload, which is why it is scoped to $EXTERNAL_NET. It only blocks anything if the sensor runs inline between the untrusted side and the device; a passive sensor gives you an alert, not a virtual patch.
# Snort 2 syntax, continued over several lines with backslashes
alert tcp $EXTERNAL_NET any -> $HOME_NET 4786 ( \
    msg:"EXPLOIT Cisco Smart Install message from outside (CVE-2018-0171)"; \
    flow:to_server,established; \
    content:"|00 00 00 01|"; depth:4; \
    reference:cve,2018-0171; classtype:attempted-admin; \
    sid:1000001; rev:2;)
Enhanced Monitoring
Enhanced logging is critical for detecting when EOL devices are being actively exploited. For a comprehensive guide to analyzing these logs when an incident occurs, see our Windows Incident Response Guide.
Cisco Syslog Configuration (the archive block sends every configuration change to syslog, which is how you catch the account, tunnel and ACL edits in Salt Typhoon's playbook; hidekeys keeps passwords out of the log; also make sure `service timestamps log datetime msec` is set so events can be correlated):
logging buffered 64000 informational
logging host 10.0.0.100 transport udp port 514
logging trap informational
login on-success log
login on-failure log
archive
 log config
  logging enable
  notify syslog
  hidekeys
Access Restrictions and Hardening
! Generate an SSH host key and verify an SSH login works BEFORE restricting transport,
! or "transport input ssh" locks you out: crypto key generate rsa modulus 2048
! Only allow management from the admin jump host
access-list 10 permit 10.0.0.50
access-list 10 deny any log
! Cover the full VTY range your platform has (often 0-15; check with "show line")
line vty 0 15
 access-class 10 in
 transport input ssh
 exec-timeout 5 0
ip ssh version 2
! Disable dangerous services. Both HTTP and HTTPS web UI must go:
! CVE-2023-20198 is reachable through either.
no ip http server
no ip http secure-server
no cdp run
no vstack
no service finger
Why Private Sector Should Adopt BOD 26-02 Standards
1. You Face the Same Threats
Salt Typhoon didn't only target government agencies. Of their 600+ victims, the majority were private sector—telecoms, financial services, transportation. The threat actors don't check whether you have a .gov domain.
2. Federal Requirements Become Industry Standards
- NIST Cybersecurity Framework (2014) → Now required by many state laws
- CISA Zero Trust Maturity Model → Adopted in healthcare, finance, critical infrastructure
- FedRAMP → Baseline for enterprise SaaS vendors
BOD 26-02's requirements will likely influence cyber insurance questionnaires, vendor security assessments, and regulatory updates. The private sector has seen the consequences of ignoring edge device security—organizations like Nike recently faced a 1.4TB data breach that exposed years of internal documents and intellectual property.
3. Due Diligence and Liability
When a breach occurs, lawyers ask: "What did you know, and when?"
If CISA has published explicit guidance that EOL edge devices are critical risk, and you chose to ignore it, you've created documentation showing:
- Awareness of the risk
- Decision not to remediate
- Potential negligence in civil litigation
Recommended Private Sector Timeline
| Timeline | Action |
|---|---|
| Immediate | Begin network-wide edge device inventory |
| 30 days | Identify all EOL devices and critical CVE exposure |
| 60 days | Implement compensating controls for high-risk EOL devices |
| 90 days | Establish EOL tracking process |
| 6 months | Remediate Priority 1 devices |
| 12 months | Remediate Priority 2 devices |
| 18 months | Achieve zero EOL edge devices on perimeter |
Conclusion: Your 90-Day Action Plan
Week 1-2: Discovery
- [ ] Deploy runZero or conduct Nmap scans of entire network
- [ ] Document all edge devices with vendor, model, firmware version
Week 3-4: Assessment
- [ ] Export configurations from all edge devices
- [ ] Run nipper-ng or Titania Nipper audits
- [ ] Check each device against vendor EOL databases
Week 5-6: Prioritization
- [ ] Create prioritized inventory (Critical/High/Medium/Low)
- [ ] Identify devices with known exploited CVEs (check CISA KEV)
- [ ] Begin building replacement business case
Week 7-8: Compensating Controls
- [ ] Implement network segmentation for EOL devices
- [ ] Enable enhanced logging and monitoring
- [ ] Deploy IPS signatures for known exploits
- [ ] Disable unused services on all edge devices
Week 9-12: Planning and Quick Wins
- [ ] Submit budget request for Priority 1 replacements
- [ ] Schedule replacement for critical CVE devices
- [ ] Establish monthly EOL tracking review
- [ ] Brief leadership on remediation progress
Resources
Official Sources
- CISA BOD 26-02 Full Text
- CISA Known Exploited Vulnerabilities Catalog
- FBI/CISA Joint Advisory on Salt Typhoon
Tools Referenced
- runZero - Cyber asset attack surface management
- Titania Nipper - Network configuration auditing
- ManageEngine NCM - Network configuration management
- nipper-ng - Open source configuration auditor
- Nmap - Network discovery and security scanning
Key Takeaways
- The threat is real and immediate. Salt Typhoon has breached 600+ organizations using edge device vulnerabilities.
- EOL devices cannot be fixed. When a vendor stops support, vulnerabilities become permanent.
- Visibility comes first. You can't secure what you don't know exists.
- Prioritize ruthlessly. Internet-facing devices with known exploited CVEs go first.
- Private sector should care. BOD 26-02 may not legally apply to you, but the threat it addresses certainly does.
The attackers are already scanning your network, looking for that forgotten router running seven-year-old firmware. The question is whether you'll find it first.
About the Author: This guide was written by security practitioners who've spent years helping organizations identify and remediate vulnerable edge infrastructure. For more practical security guides, check out our Introduction to Networking Concepts for Hackers and Building a Home Cybersecurity Lab.