Cyber Snapshot - End of Life / End of Support
Overview
A common security expression is that “the keys to the kingdom are often left on the floor next to the door.” This symbolism is most accurately reflected in organizations that operate hardware devices or use software applications that are unpatched or are at End of Life (EOL) or End of Support (EOS).
EOL refers to products that are no longer sold or maintained by the vendor, while EOS means the vendor no longer provides security patches, bug fixes, or technical assistance. Once products reach these stages, newly discovered vulnerabilities often remain permanently unpatched, creating opportunities for threat actors to exploit them.
Organizations that do not fully rely on cloud infrastructure are often responsible for tracking and managing hardware and software internally. These assets are commonly deployed on-premises to support operations across multiple business areas. Small and medium-sized businesses, often defined as organizations with 250 employees or fewer, may face additional challenges maintaining accurate lifecycle management due to limited staffing and budget constraints.
Internet-facing devices present a particularly significant risk when they reach EOL or EOS status. Unsupported firewalls, Virtual Private Network (VPN) appliances, routers, and remote access systems are routinely targeted by attackers because they are directly accessible from the internet and often contain well-documented vulnerabilities. In many ransomware incidents, threat actors gain initial access through outdated perimeter devices that no longer receive vendor security updates or lack modern protections such as multi-factor authentication (MFA).
Oracle Legacy Cloud Breach
A recent example highlighting the risks associated with expired products and unpatched legacy systems is the Oracle Health cloud service breach. According to the HIPAA Journal [1], the attackers reportedly compromised outdated and obsolete Oracle cloud servers that were no longer receiving security patches or updates, impacting approximately 80 hospital systems nationwide.
This incident demonstrates how legacy infrastructure can introduce significant security risks when systems are not properly maintained or retired. Even within cloud-hosted environments, organizations remain dependent on vendors to maintain secure and supported infrastructure. When unsupported systems remain operational, attackers can exploit known vulnerabilities to gain unauthorized access to sensitive environments and data.
Ransomware Campaigns
In many cases, attackers specifically target legacy firewalls, VPN appliances, and remote access solutions because they frequently contain publicly disclosed vulnerabilities with readily available exploit code. Once threat actors gain access through these systems, they can move laterally across the environment, escalate privileges, deploy ransomware, and disrupt business operations.
According to Aspen Digital, threat actors routinely monitor public vulnerability disclosures, security forums, and Common Vulnerabilities and Exposures (CVE) databases to identify exploitable weaknesses [2]. They then scan internet-facing environments for vulnerable systems and launch attacks against organizations that have failed to maintain updated infrastructure. Unsupported systems are particularly attractive targets because security patches are no longer available, leaving organizations permanently exposed once a vulnerability becomes public.
Recommendations
Mitigating EOL and EOS risks begins with maintaining an accurate and up-to-date asset inventory [3]. Organizations should implement formal procurement, lifecycle management, and depreciation tracking processes to monitor outdated hardware, software, applications, licenses, and digital certificates.
Organizations should also establish formal processes for removing unsupported equipment and software from production environments once they reach EOL or EOS status. Legacy devices that cannot be upgraded should be isolated, segmented, or replaced whenever possible to reduce exposure to internet-based threats.
Internet-facing infrastructure should receive additional scrutiny because it is commonly targeted during initial intrusion attempts. Firewalls, VPN appliances, web servers, and remote access solutions should be regularly reviewed to ensure they remain vendor-supported, fully patched, and protected by strong authentication mechanisms such as MFA.
Expired or improperly managed digital certificates can also create operational and security risks. Attackers may exploit misconfigured certificate environments, weakened encryption settings, or user confusion caused by certificate warnings to facilitate phishing attacks or unauthorized access attempts. Maintaining certificate inventories and renewal processes helps reduce these risks.
Additionally, advances in artificial intelligence (AI) and automated scanning technologies have significantly accelerated attacker capabilities. Vulnerabilities that once took days or weeks to exploit are now frequently targeted within hours of public disclosure [4]. This shortens the response window for organizations operating unsupported or unpatched systems. It is recommended that organizations increase the frequency of patch windows to account for the rapid automation AI presents.
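One way to run the lifecycle checks recommended above against an asset inventory, as an added example that is not part of the original advisory. The CSV columns, asset names, the 90-day warning window and the priority scheme are assumptions made for illustration.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample inventory: hypothetical assets, not taken from the advisory.
SAMPLE_INVENTORY = """\
asset,type,internet_facing,eos_date,mfa,cert_expiry
fw-edge-01,firewall,yes,2025-09-30,no,2026-12-01
vpn-gw-02,vpn,yes,2027-03-31,no,2026-07-20
file-srv-03,server,no,2026-01-15,n/a,
web-04,web server,yes,2028-06-30,yes,2026-06-15
hr-app-05,application,no,2026-09-01,yes,2027-01-10
switch-06,switch,no,,n/a,
"""


def review(inventory_csv, today, warn_days=90):
    """Return sorted (priority, asset, finding) tuples; priority 1 is most urgent."""
    horizon = today + timedelta(days=warn_days)
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        asset = row["asset"]
        exposed = row["internet_facing"].strip().lower() == "yes"
        # Problems on internet-facing assets rank above the same problem internally.
        lapsed = 1 if exposed else 2
        if not row["eos_date"]:
            # An unknown lifecycle date is itself an inventory gap.
            findings.append((2, asset, "no EOS date recorded"))
        else:
            eos = date.fromisoformat(row["eos_date"])
            if eos <= today:
                findings.append((lapsed, asset, f"past EOS ({eos}): replace or isolate"))
            elif eos <= horizon:
                findings.append((3, asset, f"EOS on {eos}: plan replacement"))
        if exposed and row["mfa"].strip().lower() == "no":
            findings.append((1, asset, "internet-facing without MFA"))
        if row["cert_expiry"]:
            cert = date.fromisoformat(row["cert_expiry"])
            if cert < today:
                findings.append((lapsed, asset, f"certificate expired {cert}"))
            elif cert <= horizon:
                findings.append((3, asset, f"certificate expires {cert}: renew"))
    return sorted(findings)


if __name__ == "__main__":
    # Fixed review date so the constructed sample gives the same result every run.
    for priority, asset, finding in review(SAMPLE_INVENTORY, date(2026, 7, 1)):
        print(f"P{priority} {asset}: {finding}")
```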
Sources
[1] Alder, Steve. “80 Hospitals May Have Been Affected by the Oracle Health Data Breach.” HIPAA Journal, December 30, 2025.
[2] Wenger, Eric. “Lost Legacy: The Risk of ‘End-of-Life’ Technology.” Aspen Digital, February 19, 2026.
[3] CIS. CIS Benchmarks®, n.d.
[4] CrowdStrike. “CrowdStrike-2026-Global-Threat-Report.pdf.” n.d., 2026.
July 1, 2026
CS-02-2026