The U.S. found no evidence that flaws in Dominion voting machines were ever exploited, including in the 2020 election, according to a new bulletin released Friday by the Cybersecurity and Infrastructure Security Agency.

“While these vulnerabilities present risks that should be mitigated as soon as possible, CISA has no evidence that these vulnerabilities have been exploited in any elections,” the advisory reads. 

In a statement Friday, CISA Director Jen Easterly wrote, “Over the past week, we’ve been working with election officials on information regarding vulnerabilities affecting certain versions of Dominion Voting Systems’ software.” She continued, “Today, we are releasing this information publicly.”

The bulletin — circulated among state election officials earlier this week and publicly shared online, Friday — marks the first time CISA has used its vulnerability disclosure program to probe voting machines. The program, first established in 2019, has examined and disclosed hundreds of vulnerabilities in both commercial and industrial use, flagged by researchers across the country and world. 

According to Easterly, CISA is “closely engaged with election officials across the country to help them address these vulnerabilities by applying the mitigations recommended in the advisory.” 

CISA has identified nine flaws within certain versions of Dominion Voting Systems ImageCast X software. The flaws, some of which stem directly from machine design, are fairly technical and would likely require any perpetrator to have direct, physical access to voting devices and/or other equipment polling management equipment. 

The CISA advisory, previously reported by the Washington Post, recommends several mitigation measures for states using the voting machines to detect or prevent exploitation of identified vulnerabilities.

The director noted in her statement that many of CISA’s recommended mitigations “are typically standard practice in jurisdictions where these devices are in use” and “are able to detect exploitation of these vulnerabilities and in many cases would prevent attempts entirely if diligently applied, making it very unlikely that a malicious actor could exploit these vulnerabilities to affect an election.”

The advisory also points out that there are a number of barriers to taking advantage of the flaws in the voting machines.

“Exploitation of these vulnerabilities would require physical access to individual ImageCast X devices, access to the Election Management System (EMS), or the ability to modify files before they are uploaded to ImageCast X devices,” the advisory outlines. “Jurisdictions can prevent and/or detect the exploitation of these vulnerabilities by diligently applying the mitigations recommended in this advisory, including technical, physical, and operational controls that limit unauthorized access or manipulation of voting systems.” 

In one flaw identified by CISA, “the authentication mechanism used by voters to activate a voting session on the tested version of ImageCast X is susceptible to forgery,” according to the advisory. “An attacker could leverage this vulnerability to print an arbitrary number of ballots without authorization.”

The ImageCast X voting machine enables voters to choose their preferred candidates on a touch screen and then print a paper record, similar to what voters did in Georgia during the election of 2020. But the device can also be utilized as a purely electronic voting machine, without paper ballots. 

Dominion voting systems, a manufacturer of voting machines used in 28 states, fell into the spotlight following the 2020 election after supporters of former president Donald Trump claimed without evidence that such machines were used to tamper with ballots or rig results in claims debunked by fact-checkers. Top election officials — including Georgia’s Republican secretary of state and governor — repeatedly insisted there was no evidence of breaches or changed election results. A Georgia judge previously dismissed a lawsuit alleging voter fraud in the 2020 election. 

In January 2021, Dominion filed a $1.3 billion defamation lawsuit against attorney Sidney Powell, citing her repeated allegations that the company changed votes for Trump to votes for Biden. The company has also sued former Trump campaign advisor Rudy Giuliani for making similar statements. Litigation remains ongoing.