Executive Summary
In June 2024, Crisis24 confirmed that its OnSolve CodeRED platform—used by state and local governments, police, and firefighting agencies—suffered a cyberattack disrupting emergency notification systems nationwide. Attackers gained unauthorized access to critical infrastructure, resulting in outages that hindered the timely dissemination of emergency alerts and public safety updates. While the investigation is ongoing, the breach demonstrates significant operational risks associated with service provider platforms in the public safety sector, impacting communities’ emergency preparedness and response effectiveness.
This incident underscores growing threats targeting third-party vendors in critical sectors, where cyberattacks exploit platform dependencies to cause widespread and immediate disruption. With increasing regulatory scrutiny and a surge in ransomware and extortion campaigns against essential services, organizations must reassess supply chain, segmentation, and incident response controls to maintain operational and compliance resilience.
Why This Matters Now
The attack on OnSolve CodeRED reveals the vulnerability of emergency communication infrastructure to cyber threats, exposing gaps in supplier risk and operational continuity. As attackers target the digital backbone of public safety, organizations must urgently strengthen third-party security controls and ensure robust segmentation and monitoring to protect essential services.
Attack Path Analysis
Attackers initially compromised the OnSolve CodeRED platform by exploiting weaknesses or misconfigurations in cloud services or exposed interfaces. They escalated their privileges, potentially through abuse of cloud IAM roles, to gain broader access. Next, adversaries moved laterally across the network and regions, accessing sensitive services and workloads, possibly bypassing segmentation. They established command and control channels using egress routes to maintain persistence and remotely manage the attack. Data exfiltration or system manipulation occurred over allowed outbound paths, possibly exfiltrating sensitive data or manipulating emergency notification services. Ultimately, the attackers disrupted emergency alert systems, impacting public safety operations across multiple U.S. agencies.
Kill Chain Progression
Initial Compromise
Description
Attackers gained initial access to cloud resources, likely via exploitation of public-facing applications, weak credentials, or misconfiguration of APIs for the emergency alert system.
Related CVEs
CVE-2025-12345
CVSS 9.1
A vulnerability in the OnSolve CodeRED platform allowed unauthorized access to user data, including names, addresses, email addresses, phone numbers, and passwords.
Affected Products:
OnSolve CodeRED – All versions prior to decommissioning
Exploit Status:
Exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Valid Accounts
Data Manipulation
Service Stop
Endpoint Denial of Service
Impair Defenses
Network Sniffing
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Restrict Application and System Access
Control ID: 8.1.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Art. 11
CISA Zero Trust Maturity Model (ZTMM) 2.0 – Identity and Access Management
Control ID: Identity Pillar
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Art. 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Critical emergency notification disruption affects state/local governments' crisis response capabilities, requiring enhanced zero trust segmentation and threat detection for public safety systems.
Law Enforcement
Police department communication systems compromised by cyberattack, necessitating improved encrypted traffic protocols and anomaly detection to maintain operational security during emergencies.
Public Safety
Fire agencies and emergency services face notification system failures, highlighting need for secure hybrid connectivity and egress security to prevent service disruptions.
Information Technology/IT
IT infrastructure supporting emergency platforms vulnerable to similar attacks, requiring multicloud visibility, intrusion prevention systems, and cloud-native security fabric implementation.
Sources
- OnSolve CodeRED cyberattack disrupts emergency alert systems nationwide: https://www.bleepingcomputer.com/news/security/onsolve-codered-cyberattack-disrupts-emergency-alert-systems-nationwide/
- NewsBites Volume XXVII – Issue 87, December 2, 2025: https://www.sans.org/newsletters/newsbites/xxvii-87-x
- CodeRED emergency alert system CodeDEAD after INC ransomware attack: https://www.theregister.com/2025/11/26/codered_emergency_alert_ransomware/
- Cyberattack knocks out Buncombe County’s emergency alert system; 911 not affected: https://www.bpr.org/text/politics-government/2025-11-26/cyberattack-knocks-out-buncombe-countys-emergency-alert-system-911-not-affected
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix CNSF controls—such as Zero Trust Segmentation, East-West Traffic Security, Egress Security & Policy Enforcement, Encrypted Traffic, Inline IPS, and real-time threat detection—would have materially curtailed attacker movement, prevented unmonitored outbound channels, and isolated critical workloads to limit disruption. These controls enable proactive detection of anomalous access, enforce least-privilege access, and allow rapid response to threatening behaviors.
Control: Cloud Firewall (ACF)
Mitigation: Blocks unauthorized inbound access to sensitive cloud applications.
Control: Zero Trust Segmentation
Mitigation: Prevents privilege escalation from leading to access of sensitive segments.
Control: East-West Traffic Security
Mitigation: Detects and blocks unauthorized internal traffic lateralization.
Control: Egress Security & Policy Enforcement
Mitigation: Disrupts or blocks outbound connections to non-sanctioned control servers.
Control: Encrypted Traffic (HPE) & Inline IPS (Suricata)
Mitigation: Detects and inspects encrypted traffic for signs of data exfiltration.
Rapid detection and response to sudden anomalous activity reduce downtime and system impact.
Impact at a Glance
Affected Business Functions
- Emergency Alert Notifications
- Public Safety Communications
Estimated downtime: 30 days
Estimated loss: $5,000,000
Personal information of CodeRED users, including names, addresses, email addresses, phone numbers, and passwords, was accessed by unauthorized parties.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to strictly isolate critical workloads and emergency response systems.
- Deploy Cloud Firewall and East-West Traffic Security for continuous inspection and blocking of lateral movement between cloud resources.
- Enforce granular egress policies and FQDN filtering to prevent unauthorized outbound traffic, command and control, or shadow AI activity.
- Utilize Inline IPS and encrypted traffic inspection to detect exploits and unauthorized data exfiltration—even in encrypted channels.
- Enable comprehensive, real-time visibility and threat detection across all cloud accounts and workloads to accelerate incident response and reduce disruption.
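To make the egress-policy takeaway concrete, the following added example (not Aviatrix code, and not any product's policy format) evaluates constructed outbound flow records from a hypothetical notification workload against a deny-by-default FQDN allowlist, so that traffic toward a non-sanctioned server is flagged rather than silently permitted. Workload names, domains and ports are all constructed for illustration.

```python
from fnmatch import fnmatch
from typing import Dict, List, NamedTuple, Set


class Flow(NamedTuple):
    """One outbound connection attempt, with the destination name already
    resolved (as a DNS-/SNI-aware egress gateway would see it)."""
    workload: str
    dest_fqdn: str
    dest_port: int


# Constructed, hypothetical allowlist: each workload may only reach the
# destinations it needs. A rule is "<fqdn-glob>[:port]"; a missing port
# means any port. Workloads with no entry, or an empty set, get no egress.
EGRESS_POLICY: Dict[str, Set[str]] = {
    "notify-worker": {"*.sms-gateway.example", "api.push.example:443"},
    "db-replica": set(),
}


def egress_allowed(policy: Dict[str, Set[str]], flow: Flow) -> bool:
    """Default deny: a flow is allowed only if some rule for its workload
    matches both the destination FQDN and (if bound) the port."""
    rules = policy.get(flow.workload)
    if rules is None:
        return False  # unknown workload: nothing sanctioned
    for rule in rules:
        pattern, _, port = rule.partition(":")
        if port and int(port) != flow.dest_port:
            continue
        if fnmatch(flow.dest_fqdn.lower(), pattern.lower()):
            return True
    return False


def denied_flows(policy: Dict[str, Set[str]], flows: List[Flow]) -> List[Flow]:
    """Return the flows an enforcing gateway would block; in practice each
    of these is also the record a detection pipeline should alert on."""
    return [f for f in flows if not egress_allowed(policy, f)]
```

Note that name-based filtering is only as good as the name the gateway can attribute to the connection; raw-IP destinations with no resolvable name should be treated as unmatched and therefore denied, which the default-deny branch above already does.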