
Critical cyber threats persist on federal networks despite recent directives


Hundreds of internet-connected devices found on federal systems remain vulnerable to critical cybersecurity threats, according to new research, despite a recent directive from the nation’s cyber defense agency requiring their removal from government networks. 

Researchers with the security firm Censys identified over 13,000 distinct hosts — from routers and firewalls with publicly exposed configurations to VPNs with remote access vulnerabilities — across more than 100 autonomous systems associated with over 50 federal civilian executive branch organizations and sub-organizations. 

The findings come after the Cybersecurity and Infrastructure Security Agency issued a Binding Operational Directive earlier this month requiring all federal civilian agencies to remove certain devices with public-facing management interfaces from internet networks. 

The research reflects an “alarming discovery” across government networks and serves as a reminder “of the importance of self-checks, like scanning and actively enumerating your own network devices,” according to Tomer Bar, vice president of security research for the cybersecurity company SafeBreach. 

“Exposed devices with remote management interfaces are one of the most common attacks used by both nation-state and cybercrime threat actors in order to achieve initial access to the target network,” Bar said in a statement sent to Nextgov/FCW.

The researchers discovered numerous instances in which certain ways of accessing computers remotely were left unprotected on government-related devices, potentially exposing federal networks to major cyber threats. 

The report also found multiple instances of exposed managed file transfer tools like the popular MOVEit solution developed by Progress Software, which was recently exploited by a notorious ransomware gang. 

“This directive didn’t just come out of thin air,” said Bill Wright, head of governmental affairs for the security firm Elastic. “It has been a persistent issue and comes on the heels of a number of recent cyber incidents where attackers identified and leveraged zero-day vulnerabilities within widespread networking products.” 

Wright told Nextgov/FCW that threat actors are…
