Source guide

CISA Election Systems Security Report

A CISA report draws on requested software examinations, network testing, and incident-response work from roughly 2019–2025 to assess recurring security weaknesses in selected U.S. election systems and recommend mitigations.

Open full source PDF ↗ 6 pages Embedded source text
01

Scope and notification practice

CISA says the covered technical activities were performed at the request of system owners and operators, not as a census of every U.S. election system. Whenever it found a vulnerability in examined software or an election-related network, it notified the responsible owner or operator and encouraged mitigation.

“all carried out upon the request of system owners and operators”
Executive summary
Source: page 1 ↗
“CISA notified the owner or operator of the vulnerable product or network and encouraged them to mitigate the vulnerability.”
Executive summary
Source: page 1 ↗
02

Software vulnerabilities and delayed patching

CISA found a range of ordinary but consequential software flaws, and says vendors fixed many before release, while noting it did not independently verify that deployed production builds contained every fix. The report says fragmented certification and lockdown rules can leave known vulnerabilities in production for months or years.

“Many vulnerabilities were remediated quickly by vendors before release. However, CISA did not independently validate whether production builds deployed in SLTT environments incorporated all fixes.”
Direct software examination
Source: page 3 ↗
“known, documented vulnerabilities persist for months or years on production election systems”
Certification and patching analysis
Source: page 3 ↗
03

Weaknesses in state and local operating networks

Across penetration tests and red-team work, CISA observed recurring flat networks, weak identity controls, outdated systems, legacy remote-access paths, and insufficient monitoring. In multiple cases its assessors obtained full network control quickly, illustrating the risk created when real deployments do not match vendor assumptions about segmentation and isolation.

“In multiple cases, CISA assessors gained full network control within hours or days”
SLTT network assessments
Source: page 4 ↗
“These misalignments between theoretical and actual deployment models create exploitable pathways for adversaries”
Segmentation analysis
Source: page 5 ↗
04

Voting-device examples and examination limits

The report cites an external research demonstration that ImageCast X ballot-marking devices could encode altered choices in voter-unverifiable barcodes; this is presented as a research finding, not a CISA-observed election incident. It also says CISA reviewed an ODNI-commissioned report on devices from Puerto Rico's 2024 election but could not examine those devices itself.

“A researcher showed that hackers could change the votes encoded in the barcode, without even having physical access to the machines.”
Third-party research cited by CISA
Source: page 4 ↗
“While CISA did review the report, the agency did not have access to those devices and was unable to perform an examination.”
CISA examination limitation
Source: page 4 ↗
05

Recommended mitigations

CISA recommends human-readable paper ballots and manual post-election audits, alongside harmonized patch and certification rules. It also recommends CVE assignment, customer notice of source-code leaks, incident reporting, software bills of materials, and consistent incident documentation.

“Use human-readable paper ballots.”
Mitigation recommendation
Source: page 5 ↗
“Conduct post-election manual audits of paper ballots to confirm that voting systems function as intended”
Mitigation recommendation
Source: page 6 ↗
“Include a software bill of materials (SBOM) with all products.”
Vendor recommendation
Source: page 6 ↗