Why EOL Hardware Is a Security Risk

No patches. No fix path. Known exploits in the wild.

Once a network device passes its vendor's security-support date, every new vulnerability discovered against that platform is permanent. There is no patch, no hotfix, no workaround from the vendor. Threat actors know this, and they target EOL devices deliberately — not because the devices are old, but because they are unfixable.

Why attackers target EOL devices

EOL routers, firewalls, and switches sit at the network edge. They handle routing, access control, and VPN termination. Compromising one gives an attacker a persistent foothold that's invisible to endpoint detection, survives reboots (firmware-level implants), and won't be fixed by a vendor patch.

Automated scanning for known CVEs against EOL platforms is cheap and effective. The CVE is public, the affected firmware versions are documented, and the defender has no vendor-supported remediation. The economics heavily favor the attacker.

CISA KEV: proof it's not theoretical

CISA's Known Exploited Vulnerabilities catalog tracks CVEs that are confirmed actively exploited in the wild. Cross-referencing that catalog against this site's product database shows dozens of post-EOL products with active KEV entries — devices that cannot be patched against vulnerabilities that are being exploited right now.

The post-EOL security exposure page on this site lists them by vendor, with drill-in to specific SKUs and CVE IDs. Some are flagged as known ransomware vectors.
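The cross-reference described above can be run against your own inventory. The following is an added example, not this site's code: it assumes an inventory that records a security-support end date per device, uses the field names of CISA's KEV JSON feed (`cveID`, `vendorProject`, `product`, `knownRansomwareCampaignUse`), and runs on constructed sample data with placeholder vendors, products and CVE IDs.

```python
import json
from datetime import date

# Constructed sample in the field layout of CISA's KEV JSON feed.
# Vendors, products and CVE IDs are placeholders, not real catalog entries.
KEV_SAMPLE = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-0000-0001", "vendorProject": "ExampleNet", "product": "EdgeRouter 100", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-0000-0002", "vendorProject": "ExampleNet", "product": "EdgeRouter 100", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-0000-0003", "vendorProject": "SampleWall", "product": "FW-9", "knownRansomwareCampaignUse": "Unknown"}
]}
""")

# Hypothetical inventory; security_eol is the vendor's end-of-security-support date.
INVENTORY = [
    {"host": "edge-rtr-01", "vendor": "ExampleNet", "product": "EdgeRouter 100", "security_eol": "2021-06-30"},
    {"host": "dc-fw-01", "vendor": "SampleWall", "product": "FW-9", "security_eol": "2030-01-31"},
    {"host": "br-sw-07", "vendor": "ExampleNet", "product": "Switch 24", "security_eol": "2019-12-31"},
]

def _key(vendor, product):
    # Assumption: inventory names match KEV names exactly; real data needs a mapping table.
    return (vendor.strip().lower(), product.strip().lower())

def post_eol_kev_exposure(inventory, kev, today):
    """Return devices past security support with their KEV CVEs, worst first."""
    by_product = {}
    for v in kev["vulnerabilities"]:
        by_product.setdefault(_key(v["vendorProject"], v["product"]), []).append(v)
    findings = []
    for dev in inventory:
        if date.fromisoformat(dev["security_eol"]) >= today:
            continue  # still supported: a vendor patch path exists
        hits = by_product.get(_key(dev["vendor"], dev["product"]), [])
        findings.append({
            "host": dev["host"],
            "cves": sorted(v["cveID"] for v in hits),
            "ransomware": any(v["knownRansomwareCampaignUse"] == "Known" for v in hits),
        })
    # Ransomware-linked devices first, then by count of exploited CVEs.
    findings.sort(key=lambda f: (not f["ransomware"], -len(f["cves"])))
    return findings

if __name__ == "__main__":
    for finding in post_eol_kev_exposure(INVENTORY, KEV_SAMPLE, date(2025, 1, 1)):
        print(finding)
```

Post-EOL devices with no KEV match still appear in the output with an empty CVE list, since they remain unpatchable against anything found later.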

What you can do about it

Replace it. That's the only complete answer. Compensating controls — ACLs, network segmentation, IPS signatures — reduce exposure but do not eliminate it. They also require ongoing maintenance and monitoring that wouldn't be necessary if the device were replaced with supported hardware.

If replacement isn't immediate, isolate the device from direct internet exposure, restrict management-plane access, and monitor for indicators of compromise. But budget the replacement. Compensating controls are a bridge, not a destination.
