Hardware and software that have reached End-of-Life: How to Avoid the Security Risks of Using Outdated Programs and Devices
Companies must update their programs and devices and stop using hardware and software that have reached End-of-Life to prevent attacks
How many programs and devices have been developed over the last few decades? It is impossible to calculate, but any approximate figure would certainly run to many zeros.
As with any product or service, software and hardware are not infinite. At some point, the companies that develop them stop providing technical support and designing and implementing security updates.
That is why hardware and software that have reached End-of-Life (EOL) pose a major risk to businesses.
To take a recent example, at the beginning of the year Microsoft announced that in October 2025 it would stop supporting Office applications on Windows 10, meaning that businesses and citizens should already have Windows 11 on their computers.
In response to the commotion and concern caused, the company announced that it would continue to release security updates for Microsoft 365 on Windows 10 until 2028.
However, the company reminds us that support for Windows 10 computers ends on October 14, 2025, and that security updates will only be available until October 14, 2026, through the Extended Security Updates (ESU) program.
Similarly, SAP, a leading ERP development company, announced that its Business Suite 7 applications would no longer be updated, but has extended the period to offer support to its customers, especially those who sign an agreement to upgrade to the Cloud version of the ERP.
This news highlights the importance of companies not working with hardware and software that have reached End-of-Life (EOL). Otherwise, they may become easy targets for malicious actors.
Malicious actors have set their sights on software that has reached End-of-Life
Detecting and exploiting vulnerabilities in software that has reached End-of-Life is much easier than doing so in continuously updated programs that have had the relevant security patches implemented.
Cybersecurity is one of the fastest-changing sectors. Hostile actors are relentless in their efforts to develop innovative techniques, tactics, and procedures that enable them to achieve their goals.
In fact, vulnerabilities are often present in outdated versions of software, and remedying them simply requires updating the programs to versions that already have the relevant security patches that mitigate these weaknesses.
For example, a recent report points out that four of the 12 vulnerabilities most exploited by hostile actors in 2024 were not zero-day vulnerabilities at all: they had been published several years earlier.
In addition, malicious actors also focus their attention on software that is about to stop receiving security updates. Thus, at the end of last year, there was active exploitation of a critical vulnerability in Palo Alto Networks Expedition, a tool used to migrate customers to other providers. Palo Alto had reported that this program would reach its end of life in January.
Unprotected against new vulnerabilities
Using software that has reached End-of-Life in businesses not only means that useful improvements to programs are no longer incorporated; above all, it means that their security measures are never adapted to deal with newly published vulnerabilities.
In a context where hostile actors are constantly innovating their techniques, tactics, and procedures, companies cannot afford to use obsolete programs that are vulnerable to the most advanced TTPs.
It is estimated that two out of three companies use software that has reached End-of-Life and therefore do not receive security updates from developers.
What is the consequence of this? Companies may be significantly exposed to serious cyberattacks that threaten their business continuity and cause significant economic, reputational, and competitive losses.

WannaCry: Warning to users about using software that has reached End-of-Life
One of the most important cyber hygiene rules that all companies must follow is to install security updates released by developers as quickly as possible. The problem with software that has reached End-of-Life is that these updates are no longer released.
Although eight years have passed, the devastating effect of WannaCry, a massive ransomware attack that affected thousands of computers worldwide and succeeded by exploiting a vulnerability in the Windows operating system, is still remembered.
Although the company had already released a security patch to address the vulnerability, no update had been released for obsolete Windows operating systems such as XP, 8, or Windows Server 2003.
Outdated hardware is also dangerous
Software that has reached End-of-Life is not the only serious security risk for companies. Companies’ technological infrastructure is made up of a large number of devices: computers, mobile phones, routers, etc.
Just a few days ago, the FBI warned that cybercriminals were actively exploiting a dozen End-of-Life Linksys routers to build proxy networks that allow them to hide their digital footprints when carrying out their malicious activities.
How can this threat be addressed? The FBI strongly recommended that organizations actively replace their obsolete routers.
SMEs, large companies, public administrations… The use of hardware and software that have reached End-of-Life is more common than we think
When we think about which companies are most likely to be affected by the use of hardware and software that have reached End-of-Life, we might think that SMEs are most at risk. Why?
Many of them do not have IT teams or cybersecurity strategies that focus on continuously updating corporate programs and devices.
However, large companies and public administrations are not safe either.
For example, at the end of last year, the US Cybersecurity & Infrastructure Security Agency (CISA) alerted other government agencies that Ivanti’s secure communications software, CSA 4.6, was at the end of its useful life and was no longer receiving security patches. In addition, a vulnerability in the program was being actively exploited. The solution? Switch to CSA 5, which no longer contains this vulnerability.
Beyond the fact that some organizations do not monitor the software and hardware they use, the truth is that replacing End-of-Life devices and software involves a financial outlay.
As a result, some companies decide to delay the purchase of new devices or the contracting of software with technical support for as long as possible.
What is the obvious problem with this strategy? The financial cost of dealing with a cyberattack and the economic repercussions it can have for a company are significantly higher than the expense of using hardware and software for which security patches are still being designed.
To all this, we must add another reason why some organizations continue to use hardware and software that have reached End-of-Life, one which seems minor but is not: resistance to change. This is especially true when it comes to the use of business software.
Company staff are traditionally reluctant to change. Working with new programs or significantly different versions involves a learning curve that many professionals find very difficult.

BYOD policies make it difficult to control hardware and software that have reached End-of-Life
Since the pandemic, the implementation of Bring Your Own Device (BYOD) policies in companies has accelerated. This allows employees to use personal devices and the applications accessible from them to carry out professional tasks.
For companies, BYOD policies can mean significant savings, as they do not have to provide corporate devices to their employees. Consider, for example, the cost to an organization of giving a mobile phone to each employee.
However, this means that the number of devices and applications that need to be controlled increases and that some employees may be using hardware and software that have reached End-of-Life to carry out their daily tasks.
That’s why organizations with BYOD policies need to have Mobile Device Management (MDM) software that allows them to set restrictions on personal devices, keep track of all equipment and applications used within the organization, and detect hardware and software that have reached End-of-Life before hostile actors can exploit it.
Security audits and vulnerability management: two essential services for preventing cyberattacks against software that has reached End-of-Life
Beyond what we have pointed out, what can companies do to prevent the exploitation of vulnerabilities in hardware and software that have reached End-of-Life?
- It is essential to carry out continuous security audits across the entire corporate technology infrastructure to identify vulnerabilities and hardware and software nearing End-of-Life.
- Vulnerability management is critical, as it allows companies to have an inventory of assets, classify them, and identify those responsible for them. In addition, this cybersecurity service makes it possible to monitor the security status of assets and know which devices and programs are obsolete or nearing the end of their life cycle. It is also possible to manage known vulnerabilities that may affect all assets, including End-of-Life software and hardware, and to develop a strategy to:
  - Prioritize vulnerability mitigation.
  - Replace obsolete equipment and programs in accordance with the company’s financial situation.
- Having an emerging vulnerability service allows you to assess new high-impact vulnerabilities present at the perimeter of the organization.
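The inventory, classification and prioritization steps described above can be turned into a simple check. The following is an added example, not code from the article or from any vendor; the asset names, owners and dates other than the Windows 10 support and ESU dates quoted in the article are constructed, and the 180-day "nearing End-of-Life" horizon is an assumption.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Asset:
    name: str
    owner: str                        # team responsible for replacing it
    support_end: str                  # ISO date on which the vendor stops patching
    esu_end: Optional[str] = None     # paid extended security updates, if offered
    actively_exploited: bool = False  # a known exploited vulnerability affects it

def _d(iso: str) -> date:
    return date.fromisoformat(iso)

def classify(asset: Asset, today: str, horizon_days: int = 180) -> str:
    """Patch-coverage status of one asset on a given day (ISO date string)."""
    now, vendor_end = _d(today), _d(asset.support_end)
    coverage_end = _d(asset.esu_end) if asset.esu_end else vendor_end
    if now > coverage_end:
        return "EOL"            # no patches from anyone: replace now
    if now > vendor_end:
        return "ESU_ONLY"       # patches only while the paid extension lasts
    if vendor_end - now <= timedelta(days=horizon_days):
        return "NEARING_EOL"    # budget and schedule the replacement
    return "SUPPORTED"

PRIORITY = {"EOL": 0, "ESU_ONLY": 1, "NEARING_EOL": 2, "SUPPORTED": 3}

def replacement_plan(assets, today: str, horizon_days: int = 180):
    """(name, owner, status) rows sorted riskiest first: EOL assets with an
    actively exploited vulnerability, then EOL, ESU-only, nearing EOL."""
    rows = [(a, classify(a, today, horizon_days)) for a in assets]
    rows.sort(key=lambda r: (PRIORITY[r[1]], not r[0].actively_exploited,
                             r[0].support_end))
    return [(a.name, a.owner, status) for a, status in rows]

# Constructed sample inventory; the Windows 10 dates are those the article cites.
INVENTORY = [
    Asset("Windows 10 workstation", "IT desktop", "2025-10-14", esu_end="2026-10-14"),
    Asset("Branch router (vendor EOL)", "Network", "2023-06-30", actively_exploited=True),
    Asset("Legacy ERP server", "Finance IT", "2026-03-31"),
    Asset("Windows 11 laptop", "IT desktop", "2027-12-31"),
]

if __name__ == "__main__":
    for name, owner, status in replacement_plan(INVENTORY, "2026-01-15"):
        print(f"{status:12} {name:30} owner={owner}")
```

Feeding a real inventory export into this ordering gives the replacement queue the vulnerability-management step calls for, with owners already attached to each item.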
In short, using hardware and software that have reached End-of-Life poses a serious security risk to businesses, as obsolete devices and programs no longer receive security updates and are exposed to vulnerabilities.
It is therefore critical that companies monitor the security of all their hardware and software and take steps to replace devices and programs before developers stop releasing security patches.