The Hidden Threat: ED 26-01 Shows Why End-of-Life Systems are a Federal Cybersecurity Liability

In cybersecurity, the danger is not always what ranks highest on a scoring chart. It’s what attackers can reliably exploit. In federal civilian agencies, this often means legacy software systems that are unpatched, no longer supported, and invisible, leaving hidden gaps and potential threats.

On Wednesday, October 15th, CISA released Emergency Directive (ED) 26-01, which directs all Federal Civilian Executive Branch (FCEB) agencies to inventory F5 BIG-IP products, evaluate if the networked management interfaces are accessible from the public internet, and apply updates from F5. A nation-state-affiliated cyber threat actor has compromised F5’s systems and exfiltrated files, which included a portion of its BIG-IP source code and vulnerability information.

This cyber threat actor presents an imminent threat to federal networks using F5 devices and software. In the ED, CISA identifies any F5 hardware device that has reached End-of-Support as particularly vulnerable. This vulnerability extends far beyond the F5 compromise.

End-of-Life (EOL) and End-of-Support (EOS) software represent one of the most persistent and underappreciated threats to federal cybersecurity. These systems are often embedded deep inside critical infrastructure, controlling storage arrays, powering industrial control systems (ICS), or running core business applications. Despite their operational value, they frequently sit unmanaged, unmonitored, and unpatched.

CVSS Doesn’t Protect You—Visibility and Context Do

Federal cybersecurity guidance often relies on the Common Vulnerability Scoring System (CVSS) ratings to prioritize responses and remediation. But attackers are not bound by CVSS logic—they target what is accessible, exposed, and exploitable, regardless of score.

That distinction is critical.  A CVSS 10.0 vulnerability in a segmented and unexposed system may pose less of a real-world threat than a CVSS 6.5 vulnerability in an unsupported system directly connected to public-facing services. Traditional risk reduction strategies that focus solely on CVSS ratings or patch counts leave agencies blind to what actually matters: context.  Supply-chain attacks, as outlined in ED-26-01 and ED-21-01, bypass the normal CVE process entirely.

The Real Risk: Unsupported, Unseen, and Still Online

In federated civilian agencies, IT and operational technology (OT) environments often evolve in isolation. Systems accumulate technical debt over decades. With hundreds or thousands of independently managed endpoints, applications, and embedded devices, many CIOs operate without a comprehensive view of their true attack surface.

This is where the threat becomes most acute:

• EOL/EOS software persists in places security teams don’t look: storage controllers, ICS environments, shadow IT deployments, badge systems, printers, and even medical devices in federal health agencies.
• These components are often unmanaged or invisible to traditional asset inventories, configuration management databases (CMDBs), or vulnerability scanners.
• Agencies cannot secure what they cannot see, and they cannot plan risk reduction strategies around assets that aren’t accounted for.

In recent months, multiple advisories have highlighted the exploitation of unsupported Microsoft SharePoint servers, legacy network devices, and outdated embedded systems in federal infrastructure. Now comes this CISA ED for F5 hardware and software. Attackers are not waiting for perfect exploits—they are exploiting what’s available, and EOL software is often the lowest-hanging fruit.

The Consequence of Inaction: Strategic Blindness

When agency leaders lack access to a single source of truth about the systems on their networks, they are making strategic cybersecurity decisions without having the full picture.

This includes:

• Continuing to fund legacy applications with no future support path
• Prioritizing remediation efforts based on incomplete inventories
• Underestimating exposure from third-party or embedded software
• Failing audits or compliance assessments due to untracked risk

Ultimately, it means agencies are taking on what they believe to be acceptable risk, which is a gross underestimation of their true security posture.

A Better Approach: Contextual Risk, Total Visibility

Armis Centrix™ is purpose-built to address these challenges in federal environments. Our platform enables agencies to:

1. See Everything—No Exceptions

Armis Centrix™ provides an agentless, multi-detection engine that discovers all managed and unmanaged assets without disruption, including IT and OT, as well as cloud and on-premises environments. This includes:

• Devices traditional tools miss (e.g., ICS controllers, medical equipment, embedded firmware)
• Legacy applications running in shadow environments
• EOL/EOS software components embedded in operational systems

Agencies get a real-time, continuously updated inventory of every connected asset, including its support status, risk profile, and exposure path.

2. Contextualize Risk Beyond CVSS

The Armis platform combines internal asset context (location, exposure, usage) with external threat intelligence and active exploit data. This enables agencies to:

• Prioritize what is actually exploitable, not just what scores high
• Identify EOL/EOS systems that are internet-facing or have active vulnerabilities
• Detect behavioral anomalies on legacy systems even without vendor patching
• Surface risk in federated environments where systems and software operate in silos

Armis Centrix™ leverages the world’s largest cybersecurity AI/ML engine, analyzing billions of global data points to automate risk prioritization, threat detection, and compliance validation. Agencies can stop relying on generic risk scores and instead act on real-world exposure.

3. Accelerate Sensible Remediation

Instead of trying to “fix everything,” Armis helps agencies sensibly attack the risks with the biggest impact:

• Identify unsupported systems with known vulnerabilities and public exposure
• Isolate high-risk EOL/EOS systems with compensating controls
• Inform modernization plans with accurate lifecycle data
• Empower security teams to work with operations and procurement toward phased replacement

This is how real progress is made: not by theoretical prioritization, but by actionable intelligence.

Armis Centrix™: The Platform Behind the Mission

Armis Centrix™ is the AI-powered cyber exposure management platform that enables:

• Unified asset intelligence across IT, OT, IoT, cloud, and medical environments
• Real-time visibility and lifecycle awareness of all assets, including EOL/EOS status
• Risk-based prioritization aligned with threat activity and asset exposure
• Integration with existing federal tools and frameworks, including compliance mapping, audit readiness, and Continuous Diagnostics and Mitigation (CDM)

For federal agencies operating across complex, federated environments, Armis delivers the clarity and context needed to act decisively, without increasing analyst burden or requiring widespread sensor deployment.

Final Thoughts: Start With What You Know, Then Go Further.

EOL and EOS software are not fringe concerns. These risk factors present a daily operational risk that sits quietly beneath the surface of most federal networks. And with attackers actively exploiting these legacy components, inaction is a liability.

The first step is visibility. You can’t mitigate what you can’t see.
The second step is context. Not all risks are equal. Prioritization must reflect reality, not abstract scores.
The third step is action. Attack the most exposed and unsupported systems first and establish a pathway for the rest.

Armis is here to help. ED 26-01 is just the latest manifestation of the danger posed by EOL and EOS technology in federal networks. The threats are constant, but changing from reactive to proactive security tactics is possible. Let us show you what’s really on your network, and more importantly, how to secure it.