Somewhere in your network, there is probably a system that has not received security updates for months or years. It works, nobody complains — and that is precisely the problem. End-of-life software is one of the most common and simultaneously most underestimated security vulnerabilities in Swiss SME networks.<\/p>\n
End-of-life (EOL) means that the vendor no longer releases security updates. Every new vulnerability discovered in this software remains open forever. No patch, no fix, no help from the vendor. The software becomes a permanently open gateway for attackers.<\/p>\n
The list of recently discontinued or soon-to-expire products is long — and affects core infrastructure components found in virtually every SME.<\/p>\n
Extended support ended in October 2023. Nevertheless, numerous instances are still running in Swiss SMEs — often as file servers, print servers, or for specialised line-of-business applications. Without Extended Security Updates (ESU) from Microsoft, there are no more patches. And even the paid ESU programmes are time-limited.<\/p>\n
Mainstream support ended in January 2022; extended support runs until January 2027. That sounds like plenty of time — but migrations require planning, testing, and budget. Those who do not plan now will be forced to migrate under time pressure.<\/p>\n
PHP 7.4 reached its end-of-life in November 2022. PHP 8.0 followed in November 2023, PHP 8.1 in December 2025. Yet according to statistics, over 40 percent of all PHP websites still run on versions without active security support. In the Swiss SME landscape, where many websites are based on WordPress, Joomla, or custom PHP applications, the rate is similarly high.<\/p>\n
Exchange 2013 reached its end-of-life in April 2023. Exchange 2016 and 2019 follow in October 2025. Exchange servers are particularly critical because they are directly accessible from the internet and have repeatedly been the target of severe attacks in the past — ProxyLogon and ProxyShell are just the most well-known examples.<\/p>\n
OpenSSL 1.1.1 reached its end-of-life in September 2023. The library is used by countless applications and services for encrypted communication. Many appliances, embedded systems, and older Linux distributions still use OpenSSL 1.x — often without the administrator even being aware of it.<\/p>\n
Why are these systems still running? The reasons repeat themselves in every audit:<\/p>\n
“It still works.”<\/strong> The most dangerous argument in IT security. Functionality has nothing to do with security. A Windows Server 2012 that reliably serves files is still an open door for attackers.<\/p>\n Dependency on line-of-business applications.<\/strong> A specialised industry application only runs on Windows Server 2016. The vendor has discontinued development or charges high licence fees for an upgrade. So the old system stays.<\/p>\n No budget for migration.<\/strong> Migrating an Exchange server to Microsoft 365 or a current Exchange version costs time and money. As long as “nothing happens,” the budget is allocated elsewhere.<\/p>\n Nobody knows about it.<\/strong> In organically grown IT environments, it is easy to lose track. The Linux server that a former employee set up six years ago quietly hums along — running a PHP version that has not received updates for three years.<\/p>\n Attackers specifically seek out end-of-life software because they know that discovered vulnerabilities will never be patched. Their approach is systematic:<\/p>\n The Swiss Data Protection Act (nDSG), in effect since September 2023, requires “appropriate technical and organisational measures” to protect personal data. Operating software without security updates is difficult to argue as “appropriate” — especially when that software processes personal data.<\/p>\n In the event of a data breach, the question will be asked: “Could you have prevented the incident?” If the answer is “Yes, through an available and reasonable software update,” the liability question quickly becomes uncomfortable.<\/p>\n Particularly critical are:<\/p>\n The first step is systematic detection. Manually checking every individual system is time-consuming and error-prone. Automated vulnerability scanners can reliably identify end-of-life products — often discovering systems that nobody knew still existed.<\/p>\n Modern scanning platforms detect over 300 different EOL products and automatically compare installed versions against vendor lifecycle data. The result is a clear list: which software still has support? Which does not? How urgent is the migration?<\/p>\n Migrating away from EOL software does not have to be planned as a mammoth project. A pragmatic approach:<\/p>\n 1. Risk-based prioritisation:<\/strong> Systems that are accessible from the internet or process sensitive data have the highest priority. An internal print server without network access is less urgent than the public-facing web server.<\/p>\n 2. Compensating controls for the transition period:<\/strong> When immediate migration is not possible, network segmentation, strict firewall rules, and enhanced monitoring help reduce the risk. These measures do not replace migration but buy time.<\/p>\n 3. Consider cloud migration:<\/strong> For many services — particularly email and file storage — switching to cloud services is often cheaper and more secure than a local upgrade. Microsoft 365 instead of on-premises Exchange, SharePoint Online instead of a Windows file server.<\/p>\n 4. Challenge line-of-business applications:<\/strong> If a specialised application is the sole reason for an outdated operating system, the conversation with the software vendor must be had. Often there are migration paths that were not communicated — or alternatives on the market.<\/p>\n 5. Plan budgets long-term:<\/strong> IT lifecycles are predictable. If Windows Server 2016 reaches its end-of-life in January 2027, the budget needs to be planned for 2026 — not in December 2026.<\/p>\n New software constantly reaches its end-of-life. What is current today may be without support in 12 months. That is why a one-time check is not enough. Regular automated scans ensure that newly added or newly discontinued software is detected immediately.<\/p>\n End-of-life software is not a theoretical risk. It is a concrete, measurable weak point that attackers actively exploit. The good news: EOL software is detectable, and remediation is plannable. All it takes is the willingness to look — and the right tools to maintain oversight.<\/p>\n ExposIQ automatically detects over 300 end-of-life products and clearly shows which systems in your network are running without security support. Combined with CVSS, EPSS, and KEV scoring, you immediately see where the greatest risk lies. Swiss hosting, nDSG-compliant, from CHF 99 per month. Learn more at exposiq.ch<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":" Somewhere in your network, there is probably a system that has not received security updates for months or years. It works, nobody complains — and that is precisely the problem. End-of-life software is one of the most common and simultaneously most underestimated security vulnerabilities in Swiss SME networks. End-of-life (EOL) means that the vendor no … Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"rank_math_focus_keyword":"end of life software sme","rank_math_title":"End-of-Life Software: The Ticking Time Bomb in SME Networks","rank_math_description":"Windows Server 2012, PHP 7.x, Exchange 2013 \u2013 EOL software without patches is one of the biggest risks in SME networks. How to detect and fix the problem.","rank_math_robots":"","rank_math_canonical_url":"","rank_math_primary_category":"","footnotes":""},"categories":[8],"tags":[],"class_list":["post-1156","post","type-post","status-publish","format-standard","hentry","category-it-sicherheit","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-33"],"_links":{"self":[{"href":"https:\/\/exposiq.ch\/en\/wp-json\/wp\/v2\/posts\/1156","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/exposiq.ch\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/exposiq.ch\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/exposiq.ch\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/exposiq.ch\/en\/wp-json\/wp\/v2\/comments?post=1156"}],"version-history":[{"count":0,"href":"https:\/\/exposiq.ch\/en\/wp-json\/wp\/v2\/posts\/1156\/revisions"}],"wp:attachment":[{"href":"https:\/\/exposiq.ch\/en\/wp-json\/wp\/v2\/media?parent=1156"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/exposiq.ch\/en\/wp-json\/wp\/v2\/categories?post=1156"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/exposiq.ch\/en\/wp-json\/wp\/v2\/tags?post=1156"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}The Real Risk: What Attackers Do with EOL Software<\/h2>\n
\n
nDSG Implications: Legal Risks<\/h2>\n
\n
Detecting EOL Software: The Inventory as Foundation<\/h2>\n
Migration Strategies for SMEs<\/h2>\n
Continuous Monitoring Instead of a One-Time Check<\/h2>\n
Conclusion<\/h2>\n