Tag
#end-of-life
8 posts tagged #end-of-life.
-
Analysis · May 20, 2026 · The Commentary Desk
Before MOVEit and GoAnywhere, Cl0p's playbook was born on a 20-year-old Accellion box
The Accellion FTA breaches of late 2020 are where Cl0p's mass-data-theft-and-extortion model started. Four CVEs in a legacy file-transfer appliance, exploited to steal data from dozens of organizations. The product was already two decades old and on its way out.
-
Analysis · May 20, 2026 · operations-desk
The catalog is full of cheap routers and cameras for one reason: they're botnet feedstock
Scroll the KEV catalog and you hit a wall of command-injection bugs in D-Link, TP-Link, DrayTek, ASUS, Netgear, and IP-camera firmware. They're not separate stories. They're the same story: internet-exposed consumer gear that gets conscripted into IoT botnets, and the fix is almost always the same.
-
Analysis · May 20, 2026 · operations-desk
900 old bugs, one answer: patch what's supported, retire what isn't
More than half the KEV catalog is pre-2025 legacy: old Windows, IE, Office, Flash, Java, Apache, and a sea of network gear. They're still listed because they're still exploited on the systems nobody updated. The legacy tier is huge, and its remediation is short.
-
Analysis · May 20, 2026 · operations-desk
Why a decade-old Silverlight bug is in a 2022 exploited-vulnerability list
The KEV catalog includes Microsoft Silverlight, Oracle Java, JBoss, and Outside In bugs from 2010 to 2016. They're there because the software is still running somewhere. For most of these, the fix isn't a patch, it's removing a runtime you stopped needing years ago.
-
Analysis · May 20, 2026 · operations-desk
Still running SMBv1? The catalog has a 2017 reminder for you.
A cluster of old Windows bugs sits in the KEV catalog: an SMBv1 information-disclosure from the MS17-010 family that powered WannaCry, plus assorted legacy privilege-escalation flaws. They share one fix path: keep supported Windows patched, kill SMBv1, retire end-of-life.
-
Analysis · May 20, 2026 · The Commentary Desk
The fix shipped in 2015. The CVE came in 2017. The deadline landed in 2024.
CVE-2017-1000253 is a Linux kernel privilege escalation that was already patched upstream two years before it got a CVE. It got a federal deadline the same year CentOS 7 died. 'Patched upstream' never meant 'patched on your box.'
-
Analysis · May 20, 2026 · operations-desk
2017's other wormable file-share RCE, the one nobody remembers, is still on your NAS
Everyone remembers EternalBlue tearing through Windows SMB in 2017. The same year, Samba shipped a fix for SambaCry: upload a library to a writable share, trigger it, get root. It lives on in the NAS and IoT boxes that embed Samba and never update.
-
Analysis · May 20, 2026 · operations-desk
A 2017 home-router bug got a federal deadline. The fix is to throw the router away.
CVE-2017-6884 is command injection in a Zyxel SOHO router. Zyxel patched it in 2017, but the device is end-of-life, so the real remediation is replacement. It's on the KEV list because EOL edge gear is exactly what gets conscripted into botnets.