OnSolve CodeRED Cyberattack: Systemic Failure in Critical Public Safety Infrastructure

A significant cyberattack has forced the permanent shutdown of the OnSolve CodeRED emergency notification platform, disrupting a critical service relied upon by over 10,000 U.S. municipalities for alerts ranging from tornado warnings to AMBER alerts¹. The incident, attributed to the INC Ransom group, represents a systemic failure in a FedRAMP-authorized platform and has resulted in a confirmed data breach of resident information². This event exposes profound vulnerabilities in nationally certified critical infrastructure and has prompted a chaotic migration to a new platform, creating a dangerous gap in public safety coverage.

The attack, first detected around November 10-11, 2025, compromised the legacy OnSolve CodeRED environment to such an extent that the parent company, Crisis24, made the drastic decision to decommission it entirely¹. The disruption left police departments, fire agencies, and local governments scrambling to implement contingency plans, often relying on FEMA’s Integrated Public Alert and Warning System (IPAWS), social media, and local news outlets to disseminate critical information³. The failure of communication and service has led several public safety agencies, including the Douglas County Sheriff’s Office in Colorado, to terminate their contracts with OnSolve “for cause”⁴.

Technical Compromise and Data Exposure

The threat actor behind the attack, the INC Ransom group, has claimed responsibility for the compromise². The breach resulted in the confirmed exfiltration of personal data belonging to residents who had registered for alerts. According to official communications from affected municipalities, the stolen data includes names, physical addresses, email addresses, phone numbers, and the associated passwords stored in the system⁵. OnSolve has stated that no financial data was stored within the compromised platform. The exposure of this personally identifiable information (PII) combined with password data significantly increases the risk of credential stuffing attacks and targeted phishing campaigns against affected individuals.

The extent of the damage to the platform’s infrastructure necessitated its complete retirement. Official statements relayed by municipalities, such as the City of Melbourne, Florida, indicate that the attack was “strictly contained within the OnSolve CodeRED environment” and that the new “CodeRED by Crisis24” platform is being built on a separate, non-compromised environment with a new security audit⁶. This suggests a containment strategy that involved physically and logically segmenting the new service from the compromised legacy systems to prevent any potential lateral movement or reinfection from persistent threats.

Systemic Vulnerabilities in Certified Infrastructure

A particularly alarming aspect of this incident is the compromise of a platform that had achieved FedRAMP authorization in May 2023². The FedRAMP (Federal Risk and Authorization Management Program) authorization process involves a rigorous security assessment, including evaluations from agencies like the Department of Defense and the Department of Homeland Security. The fact that a certified platform suffered a catastrophic compromise less than three years later raises fundamental questions about the efficacy of compliance frameworks in the face of determined threat actors and the real-world security of government-trusted cloud services.

The attack exposed several systemic vulnerabilities beyond a simple technical breach. The reliance of over 10,000 jurisdictions on a single platform created a massive single point of failure, demonstrating a critical concentration risk in the nation’s public safety apparatus². Furthermore, the incident highlighted a failure in crisis communication, with many customers reporting a lack of proactive and transparent updates from the provider during the outage. This communication breakdown impaired the ability of local agencies to manage public expectations and implement their own incident response plans effectively.

Contingency Measures and Public Safety Fallout

The immediate operational impact forced a swift reliance on backup systems. Notably, FEMA took the proactive step of disconnecting alerting authorities that used CodeRED from the national IPAWS system to protect its integrity³. This action, while prudent for national security, further complicated the situation for local jurisdictions by removing one potential redundant channel. The cascading effects of the outage demonstrate the fragile interdependencies within national alerting infrastructure and the need for truly independent redundant systems.

The ongoing migration to the new “CodeRED by Crisis24” platform introduces a significant and immediate public safety risk. A key challenge identified by multiple sources is that all end-users may be required to manually re-register for alerts on the new system⁵. This requirement creates a massive potential coverage gap, as residents unaware of the migration will not receive critical life-safety warnings. Public safety officials are now faced with the daunting task of launching public awareness campaigns to ensure their communities re-subscribe, a process that could leave millions unprotected in the interim.

Security Implications and Recommended Actions

For security professionals, this incident serves as a stark case study in third-party risk management and the security of critical infrastructure. The compromise of a FedRAMP-authorized provider suggests that compliance should be viewed as a baseline, not a guarantee of security. Organizations that rely on such providers must conduct their own continuous risk assessments and ensure they have viable, tested fallback procedures that do not depend on the primary vendor’s infrastructure.

The confirmed data breach necessitates specific actions for impacted individuals. Cybersecurity experts and local authorities are urging residents who had CodeRED accounts to immediately change the passwords they used for that service, especially if the same credentials are used elsewhere⁵. They should also enable multi-factor authentication on other critical accounts and remain vigilant for phishing emails and smishing texts that leverage the stolen contact information. Monitoring local government channels for instructions on re-registering for the new alert system is also critical.

The OnSolve CodeRED cyberattack is more than an isolated security incident; it is a failure of a critical national public safety system. It exposes the risks of vendor consolidation in essential services and challenges the assumption that compliance certifications equate to robust security. The event will likely trigger reviews of federal oversight for critical infrastructure vendors and force municipalities to re-evaluate their dependency on single-source providers for mission-critical functions. The race is now on to migrate users to the new platform and close the public safety gap before the next emergency strikes.