
Researchers have found nearly 250 devices on US federal civilian networks that expose remote management interfaces to the open Internet.
Earlier this month, CISA released Binding Operational Directive (BOD) 23-02, which aims to eliminate Internet-exposed management interfaces on edge devices across Federal Civilian Executive Branch (FCEB) networks. The directive follows the joint advisory on the Volt Typhoon APT, which used compromised Fortinet FortiGuard devices as a foothold for attacks against US targets.
Researchers scanned the Internet for FCEB hosts exposing management interfaces. The scans turned up nearly 250 devices that qualify under BOD 23-02, plus a number of other exposures that fall outside the directive's scope.
Devices qualifying under BOD 23-02 include Internet-exposed routers, switches, firewalls, VPN concentrators, proxies, load balancers, and out-of-band server management interfaces, where the interface is reachable over a remote management protocol such as HTTP/HTTPS, SSH, Telnet, RDP, SNMP, or VNC.
Among them were various Cisco devices exposing Adaptive Security Device Manager (ASDM) interfaces, Cradlepoint router interfaces, and popular firewall products from Fortinet and SonicWall. The researchers also found more than 15 instances of exposed remote access protocols on FCEB-related hosts.
Organizations often do not know their level of exposure or do not understand its implications. The search also uncovered federal exposures beyond the scope of BOD 23-02, including Internet-facing file transfer tools such as GoAnywhere MFT and MOVEit, exposed Barracuda email security gateways, and various instances of end-of-life software.
CISA indicated that it will begin scanning for qualifying devices and notifying the affected agencies. Once notified, an agency has 14 days to either remove the interface from the Internet or deploy capabilities, as part of a zero trust architecture, that enforce access control to the interface through a policy enforcement point separate from the interface itself. In practice that means the access control must sit in front of the device, for example a VPN, bastion host, or authenticating reverse proxy, rather than relying on the device's own login page.