900 old bugs, one answer: patch what's supported, retire what isn't
More than half the KEV catalog is pre-2025 legacy: old Windows, IE, Office, Flash, Java, Apache, and a sea of network gear. They're still listed because they're still exploited on the systems nobody updated. The legacy tier is huge, and its remediation is short.
The largest part of the Known Exploited Vulnerabilities catalog isn’t recent at all. Hundreds of entries are pre-2025 legacy bugs: old Microsoft Windows, Internet Explorer, and Office; Adobe Flash and Reader; Oracle Java and WebLogic; Apache Struts, Tomcat, and HTTP Server; a deep bench of Cisco IOS and consumer network gear; and a long mobile/browser back-catalog from Apple, Google, Android, Samsung, Qualcomm, and Mozilla. They’re still listed because they’re still being exploited, on the systems that never got updated. The legacy tier is enormous, and, remarkably, its remediation fits in a sentence: patch what’s still supported, retire what isn’t, and harden the few features that keep being abused.
The legacy tier is a measurement, not a museum
A KEV entry requires evidence of active exploitation. So a 2014 Windows bug or a 2016 Flash bug on the list isn’t there for completeness; it’s there because attackers are still landing it somewhere. As the Conficker/MS08-067 piece and the CentOS-EOL Linux piece argued, the age of a bug tells you when it was found, not whether it’s dangerous today. The legacy tier is a measurement of how much unpatched and end-of-life infrastructure is still on the wire.
The categories, and where each goes
Every legacy entry sorts into a pattern this series has already covered, with the same remediation:
- Old Windows EoP and SMB (the bulk of the Microsoft legacy): kernel and driver privilege escalations, EternalBlue-family SMBv1 RCE. Fix: patch supported Windows, disable SMBv1, retire EOL.
- Dead client runtimes and browsers: Internet Explorer, Adobe Flash, Oracle Java, Silverlight, the exploit-kit-era staples. Fix: remove the runtime you no longer need.
- Office and document RCE: Equation Editor, RTF/OLE, MSHTML. Fix: patch, and don’t rely on macro blocking alone; these paths never needed macros, so layer execution controls (Attack Surface Reduction rules, application control) over Office.
- Browser and mobile zero-days (Apple/Chrome/Android/Samsung/Qualcomm/Mozilla/Arm): mostly targeted/spyware. Fix: fast auto-update, Lockdown Mode for high-risk users.
- Enterprise app servers and frameworks (Adobe ColdFusion, Oracle WebLogic, Apache Struts/Tomcat, SAP, IBM): mostly deserialization, traversal, and upload RCE. Fix: patch, lock down admin surfaces, retire unsupported versions; the ColdFusion and Tier-1 capstone mechanisms apply.
- Network, perimeter, and consumer gear (legacy Cisco, Citrix, Fortinet, Ivanti/Pulse, Palo Alto, Juniper, plus D-Link/Netgear/Zyxel and cameras): perimeter RCE/auth-bypass and IoT-botnet feedstock. Fix: patch, get management off the internet, replace EOL.
- Email and collaboration (Roundcube, Zimbra/Synacor, Zoho/ManageEngine, Atlassian): email/groupware-as-crown-jewel. Fix: patch fast, restrict exposure.
The program for the legacy tier
You don’t chase 900 legacy CVEs individually. You run three plays:
- Inventory and patch what’s supported. A current, fully patched estate has essentially no exposure to the legacy tier; every one of these bugs was fixed years ago. The exposure is the systems that never took the fix, so the work is closing the patch gap: know what you run and what version it is, and measure time-to-patch against it.
- Find and retire end-of-life everything. EOL operating systems, runtimes, appliances, and devices have no fix coming and are the natural home for legacy exploitation. Inventory by end-of-life date and replace ahead of it; isolate what you can’t replace yet.
- Disable the perennially-abused legacy features. SMBv1, dead browser plugins (Flash/Java/Silverlight), unused services, and internet-exposed management interfaces. Turning these off closes whole swaths of the legacy tier prospectively.
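The three plays are a sorting rule, so they can be run mechanically over an inventory. The following is an added example for this note, not a CISA or vendor tool: it takes a constructed host list, applies the plays in order (end-of-life first, because patch state is irrelevant when no fix is coming), and reports which play each host falls under. The end-of-life dates in END_OF_LIFE are the vendors’ published end-of-support dates for a handful of products; the feature tags (smbv1, java-browser-plugin, mgmt-internet-exposed) are assumed inventory fields, not a standard schema.

```python
"""Sort a host inventory into the three legacy-tier plays: patch, retire, disable.

Added example for this field note, not a CISA or vendor tool. Inventory rows
are constructed; the END_OF_LIFE dates are vendor-published end-of-support
dates for a few products. Extend the table from vendor lifecycle pages before
running it against a real estate.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Vendor-published end-of-support dates (extended support, where it existed).
# A product missing from this table is treated as supported, so an incomplete
# table under-reports play 2: keep it current.
END_OF_LIFE = {
    "Windows 7": date(2020, 1, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
    "Windows Server 2012 R2": date(2023, 10, 10),
    "Windows 10": date(2025, 10, 14),
    "CentOS 7": date(2024, 6, 30),
    "Adobe Flash Player": date(2020, 12, 31),
    "Microsoft Silverlight": date(2021, 10, 12),
}

# Play 3: legacy features the text names as perennially abused, keyed by the
# (assumed) tag the inventory uses, mapped to the action that closes them.
ABUSED_FEATURES = {
    "smbv1": "disable SMBv1",
    "java-browser-plugin": "remove the Java browser plugin",
    "mgmt-internet-exposed": "take the management interface off the internet",
}

RETIRE_HORIZON = timedelta(days=180)   # plan replacement this far ahead of EOL
TODAY = date(2025, 6, 1)               # fixed so the example is reproducible


@dataclass
class Host:
    name: str
    os: str
    os_patched: bool                                # current on vendor updates
    runtimes: list = field(default_factory=list)    # installed client runtimes
    features: list = field(default_factory=list)    # enabled legacy features / exposures


def triage(host, today):
    """Return (play, action) pairs for one host. Plays: patch, retire, disable."""
    actions = []
    os_eol = END_OF_LIFE.get(host.os)

    # Play 2: end-of-life OS. No fix is coming, so patch state is irrelevant.
    if os_eol and os_eol <= today:
        actions.append(("retire", f"{host.os} hit end of life {os_eol}: replace, isolate until then"))
    else:
        # Play 1: supported OS that is behind on patches: close the gap.
        if not host.os_patched:
            actions.append(("patch", f"{host.os} is supported but not fully patched"))
        # Still supported, but inside the planning horizon: replace ahead of EOL.
        if os_eol and os_eol - today <= RETIRE_HORIZON:
            actions.append(("retire", f"{host.os} reaches end of life {os_eol}: schedule replacement"))

    # Play 2 again, for dead client runtimes: the fix is removal, not a patch.
    for rt in host.runtimes:
        rt_eol = END_OF_LIFE.get(rt)
        if rt_eol and rt_eol <= today:
            actions.append(("retire", f"uninstall {rt} (end of life {rt_eol})"))

    # Play 3: perennially abused legacy features, regardless of support status.
    for feat in host.features:
        if feat in ABUSED_FEATURES:
            actions.append(("disable", ABUSED_FEATURES[feat]))
    return actions


def build_plan(hosts, today):
    """Map host name -> actions; a host with an empty list needs nothing."""
    return {h.name: triage(h, today) for h in hosts}


def summarize(plan):
    """Count hosts per play: the whole legacy tier should fold into these buckets."""
    counts = {"patch": 0, "retire": 0, "disable": 0, "clean": 0}
    for actions in plan.values():
        plays = {play for play, _ in actions}
        if not plays:
            counts["clean"] += 1
        for play in plays:
            counts[play] += 1
    return counts


# Constructed inventory, one host per pattern from the text.
INVENTORY = [
    Host("fs01", "Windows Server 2012 R2", os_patched=True, features=["smbv1"]),
    Host("kiosk07", "Windows 7", os_patched=False, runtimes=["Adobe Flash Player"]),
    Host("web02", "CentOS 7", os_patched=True, features=["mgmt-internet-exposed"]),
    Host("ws114", "Windows 10", os_patched=False, runtimes=["Microsoft Silverlight"]),
    Host("ws200", "Windows 11", os_patched=True),
]

if __name__ == "__main__":
    plan = build_plan(INVENTORY, TODAY)
    for name, actions in plan.items():
        print(name, "->", actions or "no action")
    print(summarize(plan))
```

Two design points carry over to a real run. First, the EOL check comes before the patch check: an unpatched Windows 7 box is a retirement item, not a patching item, and listing it under both inflates the patch backlog with work that can’t be done. Second, play 3 is applied even to supported, patched hosts, because SMBv1 or an internet-facing management interface is exposure on its own. On Windows the SMBv1 action maps to real cmdlets, `Set-SmbServerConfiguration -EnableSMB1Protocol $false` and `Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol`; the other actions are whatever your platform’s equivalent is.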
The reframe that closes out the catalog: the legacy backlog looks overwhelming as a list and is trivial as a policy. It’s the accumulated cost of unpatched and unretired infrastructure, and three disciplines (patch supported software, retire end-of-life, disable abused legacy features) neutralize almost all of it at once. The attackers keep these old bugs in their kit because they keep finding the systems that match. Make sure none of those systems are yours. We track the legacy entries as a single category because the answer doesn’t change from one to the next: it was fixed long ago, so the only question is whether you’re still running something that never got the fix.
Related field notes
- Why a decade-old Silverlight bug is in a 2022 exploited-vulnerability list: The KEV catalog includes Microsoft Silverlight, Oracle Java, JBoss, and Outside In bugs from 2010 to 2016. They're there because the software is still running somewhere. For most of these, the fix isn't a patch, it's removing a runtime you stopped needing years ago.
- The fix shipped in 2015. The CVE came in 2017. The deadline landed in 2024: CVE-2017-1000253 is a Linux kernel privilege escalation that was already patched upstream two years before it got a CVE. It got a federal deadline the same year CentOS 7 died. 'Patched upstream' never meant 'patched on your box.'
- The 2025 long tail: same six categories, eighty different products: Roundcube and TeleMessage email, Wing FTP and Commvault, Kentico and Adobe Commerce, WatchGuard and PRTG, Rockwell and Trimble ICS, Gladinet and Omnissa. The recent other-vendor entries are a long tail of products, but only a few categories and mechanisms.