Skip to main content
CybersecurityInfrastructure

FCC Extends Security Update Deadline for Banned Routers

Router on a rack with cables connected, in a neutral-colored room with ordinary lighting.

"These include all software and firmware updates to ensure the continued functionality of the devices, such as those that patch vulnerabilities and facilitate compatibility with different operating systems," the FCC's Office of Engineering and Technology wrote in a May 8 public notice.

The FCC's March 2026 router ban

In March 2026 the Federal Communications Commission banned the import and sale of all "consumer‑grade" internet routers produced in a foreign country, concluding those devices posed "an unacceptable risk" to the national security of the United States. The action placed the affected devices on the FCC's covered list, with limited exceptions for routers that have received conditional approvals from the Department of Defense or the Department of Homeland Security.

Extension of security‑update window: OET says at least January 1, 2029

When the Commission first imposed the ban, it notified manufacturers that they could continue to ship security updates to US‑based customers only until March 2027. In a new public notice dated May 8, the FCC's Office of Engineering and Technology announced that it is extending that deadline until "at least" January 1, 2029. The OET notice explicitly ties the extension to updates that "mitigate harm to US consumers."

What updates are allowed — and what is not

The OET notice narrows the permitted activity to software and firmware changes that preserve device functionality and safety. As the notice states, allowed changes include patches for vulnerabilities and updates that facilitate compatibility with different operating systems. Suppliers of banned devices are not permitted to add new features under this extension; the mechanism exists solely to address security and operability concerns for existing devices in the United States.

Why the Commission tied this to drones as well

The May 8 extension applies not only to foreign‑made consumer routers but also to foreign‑made drone systems and drone critical components that the FCC banned for sale in December 2025. The FCC is thus treating two classes of previously banned foreign products — consumer routers and certain drone systems/components — consistently with regard to the limited, time‑bound ability of suppliers to deliver security and firmware fixes to US customers.

Network risk and the demonstrated threat

The public notice underscores an operational rationale: under‑managed network infrastructure, particularly unpatched and end‑of‑life routers, can provide a foothold for attackers seeking persistent, low‑visibility access into corporate environments. The document cites real‑world campaigns — the China‑linked Volt Typhoon and Salt Typhoon campaigns — as demonstrations of how adversaries have exploited such footholds in recent years.

How technologists, procurement leaders, and adversaries will respond

  • Technologists and security teams: With an extended window for security patches until at least January 1, 2029, operational teams will have a clearer short‑to‑medium timeframe to prioritize vulnerability patching and compatibility updates rather than emergency replacements. They must, however, limit remediation to the allowed software and firmware fixes and avoid relying on feature additions delivered under the extension.
  • Procurement leaders and affected enterprises: Organizations responsible for purchasing and lifecycle management will need to reconcile the FCC's ban, the exceptions granted by DoD and DHS, and the two‑year extension in planning refresh cycles. The extension buys time to replace banned devices securely, but it does not restore the ability to acquire or import new units of the covered devices for the US market.
  • Adversaries and threat actors: The FCC frames one rationale for the policy in operational risk: unpatched, end‑of‑life routers provide avenues for persistent access. The public notice points to the Volt Typhoon and Salt Typhoon campaigns as practical examples of that risk, implying continued attention from both defenders and attackers to router hardening and exploitability.

The FCC's decision balances an immediate security posture — preventing the sale and import of devices the Commission deems a national security risk — with pragmatic recognition that already‑deployed devices require maintenance. By permitting only vulnerability and compatibility fixes, the OET seeks to limit the extension to mitigations that reduce harm without reopening the market for new or enhanced functionality. Whether this approach sufficiently reduces operational risk while maintaining the ban's intended effect will be visible as the January 2029 date approaches and as agencies such as the Department of Defense and Department of Homeland Security continue to exercise their conditional approval authorities.

Original story