A CISA report draws on requested software examinations, network testing, and incident-response work from roughly 2019–2025 to assess recurring security weaknesses in selected U.S. election systems and recommend mitigations.
CISA says the covered technical activities were performed at the request of system owners and operators, not as a census of every U.S. election system. Whenever it found a vulnerability in examined software or an election-related network, it notified the responsible owner or operator and encouraged mitigation.
“all carried out upon the request of system owners and operators”
CISA found a range of ordinary but consequential software flaws, and says vendors fixed many before release, while noting it did not independently verify that deployed production builds contained every fix. The report says fragmented certification and lockdown rules can leave known vulnerabilities in production for months or years.
“Many vulnerabilities were remediated quickly by vendors before release. However, CISA did not independently validate whether production builds deployed in SLTT environments incorporated all fixes.”
Across penetration tests and red-team work, CISA observed recurring flat networks, weak identity controls, outdated systems, legacy remote-access paths, and insufficient monitoring. In multiple cases its assessors obtained full network control quickly, illustrating the risk created when real deployments do not match vendor assumptions about segmentation and isolation.
“In multiple cases, CISA assessors gained full network control within hours or days”
The report cites an external research demonstration that ImageCast X ballot-marking devices could encode altered choices in voter-unverifiable barcodes; this is presented as a research finding, not a CISA-observed election incident. It also says CISA reviewed an ODNI-commissioned report on devices from Puerto Rico's 2024 election but could not examine those devices itself.
“A researcher showed that hackers could change the votes encoded in the barcode, without even having physical access to the machines.”
CISA recommends human-readable paper ballots and manual post-election audits, alongside harmonized patch and certification rules. It also recommends CVE assignment, customer notice of source-code leaks, incident reporting, software bills of materials, and consistent incident documentation.