Nationwide CodeRED Outage: Inside the Cyberattack That Silenced U.S. Emergency Alerts
What Happened in the OnSolve CodeRED Cyberattack?
Risk management firm Crisis24 has confirmed that its OnSolve CodeRED platform suffered a cyberattack that disrupted emergency notification services across multiple U.S. jurisdictions. CodeRED is widely used by state and local governments, police departments, and fire agencies to distribute:
- Severe weather warnings and tornado alerts
- Evacuation notices during wildfires, chemical spills, and floods
- Missing person alerts and public safety bulletins
- Community notifications about road closures and infrastructure failures
According to reporting from BleepingComputer, the incident began surfacing as agencies across the country reported an inability to send out CodeRED alerts. Some counties confirmed that both outbound phone calls and text alerts were impacted, forcing them to rely on backup systems including local radio, social media, and manual call trees.
Crisis24 and OnSolve have not, as of late November 2025, fully disclosed technical details of the intrusion, but they have framed it as a targeted cyberattack on the CodeRED infrastructure rather than a simple configuration error or outage.
Why This Outage Matters: When Seconds Can Save Lives
Emergency notification platforms sit at the intersection of cybersecurity and public safety. When they fail, the consequences are not limited to data loss or financial damage—they can directly affect whether people receive life‑saving information in time.
"In a crisis, timely, accurate information is as critical as any physical resource."
— Former U.S. Secretary of Homeland Security Janet Napolitano
Consider how many emergencies now depend on rapid, mass alerts:
- Hurricanes and flash floods that require immediate evacuation
- Wildfires advancing faster than traditional media can cover
- Hazardous materials incidents where air quality changes minute by minute
- Rapidly evolving law‑enforcement situations that demand shelter‑in‑place guidance
When a centralized alert platform like CodeRED is disrupted, every minute of downtime can mean thousands of residents are not hearing about those threats. The CodeRED cyberattack has therefore become a case study in how a single software dependency can function as a national risk multiplier.
How the CodeRED Cyberattack Likely Unfolded
While full forensic findings have not been made public, the CodeRED incident fits familiar patterns seen in other attacks on critical software services:
1. Targeting the Central Platform, Not Individual Cities
Rather than breaching each city or county separately, threat actors appear to have focused on the CodeRED platform itself. This approach gives attackers enormous leverage: compromise once, disrupt many. Similar strategies were seen in the SolarWinds Orion and Kaseya supply‑chain attacks, where a single vendor relationship became the intrusion vector for hundreds of downstream organizations.
2. Disruption Over Destruction (at Least So Far)
As of the latest public statements, there is no confirmed evidence that message content was altered or spoofed. The attackers appear to have caused loss of availability—preventing or severely limiting the ability of agencies to send out alerts. However, in the world of emergency management, simply silencing an alert channel can be just as damaging as manipulating it.
3. A Wake‑Up Call for Vendor Risk Management
The CodeRED attack highlights an uncomfortable reality: many public agencies have outsourced critical communications to private platforms without always having:
- Independent backup alert systems
- Offline or analog contingency plans
- Clear service‑level requirements for security, resilience, and transparency
Cybersecurity experts have long warned that emergency notification systems need to be treated as critical infrastructure. This incident is likely to accelerate that conversation at both federal and local levels.
Nationwide Impact: How Cities and Agencies Were Affected
While exact numbers are still emerging, CodeRED has historically been deployed in thousands of U.S. jurisdictions. Early reports during the incident suggested impact across diverse regions, from small rural counties to densely populated metro areas.
Common Problems Reported by Agencies
- Inability to send mass SMS, voice, or email alerts
- Delayed distribution of weather warnings and evacuation orders
- Confusion among residents accustomed to CodeRED messages
- Operational stress on 911 call centers as people phoned in for updates
Agencies that had invested in multi‑channel communication—including NOAA weather radios, outdoor sirens, and opt‑in text services separate from CodeRED—fared better. Those that relied on CodeRED as their primary alert tool faced more severe blind spots.
The incident also raised concerns about rural and low‑income communities where alternatives such as smartphone apps or social media may not be as widely used, making centralized alert platforms even more critical.
OnSolve and Crisis24’s Response: What We Know So Far
In a public statement, Crisis24 confirmed that its OnSolve CodeRED systems had been subjected to a cyberattack and that certain services were disrupted. Key elements of the early response included:
- Engaging external incident response and digital forensics teams
- Isolating affected systems to contain the attack
- Working with impacted agencies to implement temporary communication workarounds
- Coordinating with federal cybersecurity authorities, including CISA, where appropriate
The company has emphasized that restoring availability and verifying the integrity of its systems are top priorities. However, the partial nature of public disclosures has drawn criticism from some emergency managers who argue that:
- They need clearer technical details to assess their own risk exposure
- They require transparent timelines for full restoration and security hardening
- Residents deserve straightforward explanations about what went wrong
The CodeRED disruption is likely to be studied in future after‑action reports as a test case in vendor communication during cyber crises.
Part of a Larger Pattern: Cyberattacks on Critical Services
The attack on CodeRED is not an isolated event; it is part of a wider surge in cyber incidents targeting public services and critical infrastructure. Over the past few years, attackers have successfully hit:
- Healthcare systems and hospitals, delaying patient care
- Municipal governments, locking up records and billing systems
- Energy providers and pipelines, affecting fuel supplies
- Public school districts, disrupting learning and exposing student data
Research compiled by the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI’s Internet Crime Complaint Center (IC3) shows a consistent trend: attackers are shifting toward high‑impact targets where operational downtime translates quickly into leverage.
"Cyber threats are not just about data—they’re about our way of life, our safety, and our critical services."
— FBI Director Christopher Wray
Emergency alert platforms like CodeRED, IPAWS‑compatible tools, and other mass notification systems now sit firmly in the category of services that adversaries may see as strategic targets.
How Residents Can Protect Themselves When Alert Systems Go Down
While large‑scale defenses lie with vendors and governments, individuals and families can significantly reduce their risk by not relying on a single alert channel. Consider adopting a “multi‑layer alert strategy” at home:
1. Use Multiple Official Alert Sources
- Wireless Emergency Alerts (WEA): Ensure emergency alerts are enabled in your smartphone settings. These come directly from government authorities and are not tied to any single vendor platform.
- NOAA Weather Radio: A dedicated weather radio can continue to work even if cellular and internet services are disrupted. Devices such as the popular Midland WR120B NOAA Weather Radio can be programmed with your specific county codes.
- Local Apps and Websites: Many cities and counties run their own alert apps or use state‑level systems independent of CodeRED. Check your local emergency management office website for options.
2. Prepare Offline Backups
- Agree on an emergency meetup location with family and close friends.
- Keep a printed copy of critical phone numbers and local radio frequencies.
- Maintain a small emergency kit with flashlight, power bank, and a battery‑powered radio.
If you are building or upgrading an emergency kit, multi‑function devices such as the FosPower Emergency NOAA Weather Radio (which combines a radio, flashlight, and phone charger) can provide a resilient backup for digital alerts.
What Public Agencies Should Learn from the CodeRED Cyberattack
For emergency managers, IT leaders, and local officials, the CodeRED incident underscores the urgency of treating alert platforms as mission‑critical infrastructure. Several strategic actions stand out:
1. Map and Reduce Single Points of Failure
- Identify which alerts depend solely on third‑party platforms.
- Establish redundant channels—sirens, radios, alternate software, and mutual aid agreements with neighboring jurisdictions.
- Test failover procedures at least annually with full‑scale exercises.
2. Strengthen Vendor Due Diligence
Contracts with alert‑system vendors should explicitly address:
- Security controls and compliance frameworks (e.g., SOC 2, ISO 27001)
- Incident response timelines and communication obligations
- Data segregation, backup, and recovery time objectives
- Support for government standards such as FEMA’s IPAWS
Agencies can draw on guidance from NIST’s Cybersecurity Framework and CISA’s resilience resources to build stronger procurement and architecture requirements.
3. Communicate Honestly With the Public
During outages, residents value honesty more than perfection. Clear messaging should cover:
- What specific alert systems are impacted
- Which channels remain fully operational
- Where to find up‑to‑date information (websites, radio, social media)
- What steps are being taken to prevent similar incidents
Policy and Regulatory Implications: Will Standards Tighten?
The CodeRED cyberattack is likely to crystallize debates that have been simmering for years about how the U.S. regulates private vendors that support public‑safety communications. Questions gaining renewed urgency include:
- Should certain alert platforms be designated as critical infrastructure with enhanced oversight?
- Do agencies need minimum cybersecurity requirements to qualify for federal preparedness grants?
- Should there be mandatory transparency rules for cyber incidents affecting emergency communications?
Policy analysts expect that congressional hearings and government watchdog reports will look closely at the incident once full details emerge. White papers from think tanks such as the RAND Corporation and CSIS have already argued for clearer federal guidance on public‑private partnerships in emergency technology.
The Role of News Media and Social Platforms During the Outage
With CodeRED partially offline, many agencies quickly leaned on local broadcasters and social media platforms as backup megaphones. This shift highlighted both strengths and weaknesses of our modern information ecosystem.
Strengths
- Radio and TV stations can rapidly rebroadcast official information.
- City and county accounts on platforms like X (formerly Twitter) and Facebook can reach large audiences quickly.
- Journalists often provide crucial context and verification during fast‑moving events.
Weaknesses
- Algorithms may bury critical posts beneath non‑urgent content.
- Not everyone uses or trusts major social media platforms.
- Rumors and misinformation can spread faster than corrections.
Public figures who specialize in cybersecurity and emergency preparedness, such as Brian Krebs and CISA’s official X account, often act as amplifiers of verified information during these incidents, helping the public parse what is known and what remains speculation.
Staying Informed: Research, Tools, and Deeper Reading
For readers who want to dig deeper into the intersection of cyber risk and emergency communication, the following resources provide authoritative, regularly updated information:
- Ready.gov: Emergency Alerts – Official U.S. guidance on the major alerting systems and how to enroll in them.
- FEMA IPAWS Program – Technical and policy details on the Integrated Public Alert and Warning System used for WEA and EAS messages.
- CISA Ransomware and Cybersecurity Guides – Playbooks and best practices for defending critical public services.
- YouTube: FEMA – How Emergency Alerts Work – An accessible video overview of the alerting ecosystem.
- Academic analyses, such as NIST’s publications on critical infrastructure resilience, available via the NIST CSRC library.
Additional Insights: Building a Culture of Resilient Alerts
Beyond technology and policy, the CodeRED cyberattack points to a deeper challenge: cultivating a culture in which everyone—vendors, governments, and residents—sees emergency alerts as a shared responsibility.
For individuals, that means:
- Regularly checking that phone, app, and radio alerts are active and configured.
- Talking with family members about how information will be shared if systems fail.
- Following at least one trusted local news outlet and your local emergency management office on social platforms.
For organizations, it means:
- Embedding cyber risk into all continuity‑of‑operations planning.
- Running realistic exercises that simulate vendor outages—not just physical disasters.
- Sharing lessons learned with peer jurisdictions, rather than treating incidents as isolated embarrassments.
The CodeRED incident is a reminder that resilience is not a product you buy once—it is a habit, built over time, tested in real events, and continually refined. The more communities invest in that habit today, the less likely it is that the next cyberattack will turn into a full‑scale public safety crisis.