Legacy systems, meaning software and hardware that have reached end of support and no longer receive security patches, exist in almost every enterprise environment. They persist for understandable reasons: the cost and complexity of migration, dependencies on applications that cannot run on modern platforms, and operational risk aversion in environments where downtime is expensive.
The security implications are significant and permanent. A system running an operating system no longer supported by its vendor will not receive patches for newly discovered vulnerabilities. Every CVE published after end-of-support adds to a growing list of known, unpatched exposures that cannot be resolved through normal patch management.
Expert Commentary
William Fieldhouse, Director of Aardwolf Security Ltd
“Legacy systems create a category of permanent risk that organisations often accept without fully understanding the implications. When we find Windows Server 2003 or XP in a production environment during an internal assessment, it changes the entire risk conversation. These are not just unpatched systems. They are systems for which patches no longer exist.”
Why Legacy Systems Persist
Operational technology environments are particularly prone to legacy system accumulation. Industrial control systems, manufacturing equipment, and medical devices often run embedded software that has not been updated since deployment. The vendor may no longer exist. The software may be inseparable from the hardware it controls. Migration requires equipment downtime that operations cannot accommodate.
Business applications present a different challenge. A critical finance or ERP system running on an unsupported database or operating system may have been customised extensively. Migrating it to a modern platform is a significant project that competes for budget and resource against other priorities. It gets deferred, repeatedly, until the legacy system is a decade old and the risk is substantial.
The Attacker’s View
Internal network penetration testing that discovers legacy systems changes the risk profile of the engagement immediately. Exploit code for vulnerabilities in unsupported systems is often publicly available, reliable, and well-understood. Testers can frequently demonstrate domain compromise through a single unpatched legacy system.
Lateral movement through a network that contains legacy systems is easier than through a uniformly patched, modern environment. An attacker who gains a foothold on a modern system and discovers legacy systems on the same network segment has a reliable path to further access.
Managing Legacy Risk Pragmatically
Where migration is not immediately achievable, compensating controls reduce the risk. Network segmentation isolates legacy systems so that compromise does not automatically provide access to the broader network. Monitoring increases the probability of detecting attacks against isolated legacy systems.
Vulnerability scanning services identify end-of-life software and hardware across your environment, giving you a complete picture of your legacy exposure. That inventory is the prerequisite for a credible risk management plan.
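The two paragraphs above describe the same workflow in the abstract: build an inventory of end-of-life systems, then rate each one by whether the compensating controls (segmentation and monitoring) are actually in place. The script below is an added illustration of that workflow, not code from this article or from Aardwolf Security. The inventory rows are constructed sample data, and the lifecycle table is a small hand-written sample that should be confirmed against each vendor's published lifecycle before it is used for real decisions.

```python
"""Flag end-of-life operating systems in an asset inventory and report which
compensating controls each one is missing.

Added example: the EOL table and the inventory below are constructed sample
data, not output from any real environment."""
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import Optional, Union

# Sample lifecycle table (constructed; confirm dates against vendor lifecycle pages).
EOL_DATES = {
    "windows xp": date(2014, 4, 8),
    "windows server 2003": date(2015, 7, 14),
    "windows 7": date(2020, 1, 14),
    "windows server 2008 r2": date(2020, 1, 14),
    "windows server 2012 r2": date(2023, 10, 10),
    "centos 7": date(2024, 6, 30),
}

# Constructed inventory, in the shape a scanner or CMDB export might produce.
# "isolated" means the host sits in a dedicated, filtered segment; "monitored"
# means its traffic and logs are fed to detection tooling.
INVENTORY_CSV = """\
host,ip,os,isolated,monitored
erp-db01,10.10.5.20,Windows Server 2003,no,no
hmi-line3,10.20.1.7,Windows XP,yes,no
fs01,10.10.5.30,Windows Server 2019,yes,yes
app-legacy,10.10.5.41,CentOS 7,yes,yes
"""


@dataclass
class Finding:
    host: str
    os_name: str
    eol_date: Optional[date]
    days_past_eol: int
    isolated: bool
    monitored: bool

    @property
    def is_eol(self) -> bool:
        return self.eol_date is not None

    def control_gaps(self) -> list:
        """Compensating controls that are not in place for this host."""
        gaps = []
        if not self.isolated:
            gaps.append("segmentation")
        if not self.monitored:
            gaps.append("monitoring")
        return gaps

    @property
    def risk(self) -> str:
        """Rate an EOL host by the compensating controls it still lacks."""
        if not self.is_eol:
            return "supported"
        missing = len(self.control_gaps())
        if missing == 2:
            return "critical"  # reachable from the wider network and unwatched
        if missing == 1:
            return "high"
        return "medium"        # still unpatchable, but contained and watched


def eol_date_for(os_name: str) -> Optional[date]:
    """Match an OS string against the lifecycle table; None means still supported."""
    name = os_name.strip().lower()
    # Longest key first so a longer product name is not shadowed by a shorter prefix.
    for key in sorted(EOL_DATES, key=len, reverse=True):
        if name.startswith(key):
            return EOL_DATES[key]
    return None


def assess_inventory(inventory_csv: str, today: Union[date, str]) -> list:
    """Turn inventory rows into Findings, measured against the given reference date."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        eol = eol_date_for(row["os"])
        days = (today - eol).days if eol is not None and eol <= today else 0
        findings.append(Finding(
            host=row["host"],
            os_name=row["os"],
            eol_date=eol,
            days_past_eol=days,
            isolated=row["isolated"].strip().lower() == "yes",
            monitored=row["monitored"].strip().lower() == "yes",
        ))
    return findings


def summarize(findings: list) -> dict:
    """Count hosts per risk rating, the headline figure for the business conversation."""
    counts = {}
    for f in findings:
        counts[f.risk] = counts.get(f.risk, 0) + 1
    return counts


if __name__ == "__main__":
    results = assess_inventory(INVENTORY_CSV, date.today())
    for f in results:
        gaps = ", ".join(f.control_gaps()) or "none"
        print(f"{f.host:12} {f.os_name:22} eol={f.eol_date} "
              f"days_past_eol={f.days_past_eol:5} risk={f.risk:9} missing={gaps}")
    print(summarize(results))
```

The rating deliberately never drops an EOL host below "medium": segmentation and monitoring shrink the blast radius and raise detection odds, but the host remains unpatchable, so the finding stays open until migration. The `days_past_eol` figure is the number worth putting in front of leadership, since it makes concrete how long the accumulating list of unpatched CVEs has been growing.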
The conversation around legacy systems is ultimately a business risk conversation. The technical team can identify and quantify the exposure. The decision about remediation timeline and acceptable risk sits with business leadership, informed by clear information about what the exposure actually means.