The Cybersecurity and Infrastructure Security Agency issued an emergency directive Tuesday requiring federal agencies to patch critical vulnerabilities within 72 hours, marking the third such directive this year as cyber threats against U.S. infrastructure intensify.
The directive addresses vulnerabilities in widely deployed network equipment that could allow attackers to gain unauthorized access to government systems. CISA Director Jen Easterly said the flaws pose "unacceptable risk" to federal networks.
"We are seeing active exploitation in the wild," Easterly said in a statement. "Federal agencies must take immediate action to protect their networks and the American people."
Affected Systems
The vulnerabilities affect enterprise networking equipment from multiple vendors, including firewall appliances and VPN concentrators deployed across federal civilian agencies. CISA declined to specify which vendor products are affected, citing operational security concerns.
Security researchers identified the vulnerabilities three weeks ago. Proof-of-concept exploit code appeared online last week, accelerating the threat timeline.
Industry Impact
Private sector organizations using the same equipment should apply patches immediately, according to cybersecurity experts. Financial services, healthcare, and critical infrastructure operators face the highest risk.
Major cloud providers including Amazon Web Services and Microsoft Azure issued customer advisories Monday recommending immediate updates to affected systems.
Response Requirements
Federal agencies must complete patching by Friday and report compliance status to CISA. Agencies unable to patch within the deadline must disconnect affected systems from their networks.
The emergency directive follows a series of high-profile cyberattacks targeting U.S. government networks and critical infrastructure in recent months. CISA has issued 12 binding operational directives this year, compared to eight in all of 2024.
Agencies must also implement enhanced monitoring for indicators of compromise and report any suspected breaches to CISA within four hours of detection.