US: FCC Relaxes Foreign-Made Router Ban to Allow for Security Updates

The US Federal Communications Commission (FCC) has extended the deadline for owners of banned internet routers to provide security updates to US-based users by two years.

In March 2026, the Commission banned the import and sale of all “consumer-grade” internet routers produced in a foreign country, citing “an unacceptable risk” to the national security of the US.

The ban means that all such routers are now on the FCC’s covered list. The only exceptions are routers that have been granted a conditional approval by the US Department of Defense (DoD) or Department of Homeland Security (DHS).

Alongside the ban, the FCC also notified manufacturers of these banned routers in March that they could still ship security updates to US-based customers until March 2027.

In a new public notice, published on May 8, the Commission’s Office of Engineering and Technology (OET) said it is extending this deadline until “at least” January 1, 2029.

This extension only applies to software and firmware updates that mitigate harm to US consumers.

“These include all software and firmware updates to ensure the continued functionality of the devices, such as those that patch vulnerabilities and facilitate compatibility with different operating systems,” the FCC public notice reads.

This means that suppliers of banned devices are not allowed to add new features via this mechanism.

The same extension applies to foreign-made drone systems and drone critical components, which were banned for sale in the US in December 2025.

Under‑managed network infrastructure, particularly unpatched and end‑of‑life routers, provides a foothold for attackers seeking persistent, low-visibility access into corporate environments.

This has been demonstrated by the China‑linked Volt Typhoon and Salt Typhoon campaigns in recent years.
