Towns and cities across the US are without access to their CodeRED emergency alert system following a cyberattack on vendor Crisis24.
Various municipalities have issued near-identical advisories about the attack on the OnSolve CodeRED platform, now owned by Crisis24, which enables residents to receive real-time alerts for emergencies such as weather warnings, missing children, terror threats, and more.
In its warning about the situation to locals, the Sheriff's Office for Douglas County, Colorado, this week announced that it had terminated its CodeRED contract and that it was actively searching for a replacement.
The wording of similar disclosures made by other regions suggests that they will be sticking with Crisis24 as it works to bring a brand-new CodeRED platform online, which was being developed before the attack.
Crisis24 told customers that the new platform "resides on a non-compromised, separate environment," which has undergone "a comprehensive security audit" and "additional penetration testing and hardening."
"While the city's CodeRED account has been decommissioned, staff is working with the vendor to migrate to a new emergency alert platform," said the City of University Park, Texas.
"Please know that protecting your personal information is our highest priority, and we are committed to safeguarding your data by working with vendors who provide secure, reliable systems."
While they wait for the new platform to come online, most of the affected areas across
Source: https://www.theregister.com/2025/11/26/codered_emergency_alert_ransomware/
Crisis24 cybersecurity rating report: https://www.rankiteo.com/company/crisis24
"id": "CRI0000000112625",
"linkid": "crisis24",
"type": "Cyber Attack",
"date": "11/2025",
"severity": "100",
"impact": "6",
"explanation": "Attack threatening the economy of geographical region"{'incident': {'affected_entities': [{'customers_affected': 'multiple US '
'municipalities '
'(e.g., Douglas '
'County, CO; '
'University Park, '
'TX)',
'industry': 'emergency '
'communication/alert systems',
'location': 'US',
'name': 'Crisis24 (formerly OnSolve)',
'size': None,
'type': 'private vendor'},
{'customers_affected': 'local residents '
'(CodeRED '
'subscribers)',
'industry': 'law enforcement/public '
'safety',
'location': 'Colorado, US',
'name': "Douglas County Sheriff's Office",
'size': None,
'type': 'government (county)'},
{'customers_affected': 'local residents '
'(CodeRED '
'subscribers)',
'industry': 'public administration',
'location': 'Texas, US',
'name': 'City of University Park',
'size': None,
'type': 'government (municipal)'}],
'customer_advisories': ['Douglas County, CO: terminated CodeRED '
'contract; seeking replacement',
'University Park, TX: awaiting new '
'platform migration'],
'data_breach': {'data_encryption': None,
'data_exfiltration': None,
'file_types_exposed': None,
'number_of_records_exposed': None,
'personally_identifiable_information': None,
'sensitivity_of_data': None,
'type_of_data_compromised': None},
'description': 'Towns and cities across the US lost access to '
'their CodeRED emergency alert system following a '
'cyberattack on vendor Crisis24 (formerly '
'OnSolve). The platform, used for real-time '
'alerts (e.g., weather warnings, missing '
'children, terror threats), was compromised, '
'prompting some municipalities (e.g., Douglas '
'County, Colorado) to terminate contracts, while '
'others await migration to a new, '
'pre-attack-developed platform hosted on a '
"'non-compromised, separate environment' with "
'enhanced security measures. Crisis24 assured '
'customers that protecting personal information '
'remains a priority.',
'impact': {'brand_reputation_impact': ['potential erosion of '
'trust in '
'Crisis24/OnSolve',
'municipalities seeking '
'alternative vendors'],
'conversion_rate_impact': None,
'customer_complaints': None,
'data_compromised': None,
'downtime': 'ongoing (as of disclosure; new platform '
'migration in progress)',
'financial_loss': None,
'identity_theft_risk': None,
'legal_liabilities': None,
'operational_impact': ['loss of emergency alert '
'capabilities for '
'municipalities',
'contract terminations (e.g., '
'Douglas County, CO)',
'vendor migration efforts'],
'payment_information_risk': None,
'revenue_loss': None,
'systems_affected': ['CodeRED emergency alert '
'platform']},
'initial_access_broker': {'backdoors_established': None,
'data_sold_on_dark_web': None,
'entry_point': None,
'high_value_targets': None,
'reconnaissance_period': None},
'investigation_status': 'ongoing (new platform deployment in '
'progress)',
'post_incident_analysis': {'corrective_actions': ['new platform '
'on isolated '
'environment',
'security '
'audits',
'penetration '
'testing'],
'root_causes': None},
'ransomware': {'data_encryption': None,
'data_exfiltration': None,
'ransom_demanded': None,
'ransom_paid': None,
'ransomware_strain': None},
'references': [{'date_accessed': None,
'source': 'The Record (or original article '
'source)',
'url': None}],
'regulatory_compliance': {'fines_imposed': None,
'legal_actions': None,
'regulations_violated': None,
'regulatory_notifications': None},
'response': {'adaptive_behavioral_waf': None,
'communication_strategy': ['municipal advisories to '
'residents',
'vendor updates to '
'customers'],
'containment_measures': ['decommissioning '
'compromised CodeRED '
'platform',
'migration to new, '
'non-compromised '
'environment'],
'enhanced_monitoring': None,
'incident_response_plan_activated': True,
'law_enforcement_notified': None,
'network_segmentation': None,
'on_demand_scrubbing_services': None,
'recovery_measures': ['development of new CodeRED '
'platform (pre-attack '
'initiative)',
'customer migration support'],
'remediation_measures': ['comprehensive security '
'audit of new platform',
'penetration testing',
'hardening'],
'third_party_assistance': None},
'stakeholder_advisories': ['municipal warnings to residents '
'about disrupted alerts',
'vendor communications on migration '
'timeline'],
'title': "Cyberattack on Crisis24's CodeRED Emergency Alert "
'System Disrupts Services Across US Municipalities',
'type': ['cyberattack',
'service disruption',
'potential data breach']}}