The era of accumulating systemic debt is slowly coming to an end.

The problem of abandoned technologies at the edge of corporate networks is increasingly becoming a convenient entry point for attacks. Devices and software that manufacturers no longer support remain in the infrastructure for years, giving attackers a chance to gain a foothold in the network and access sensitive data. According to researchers, edge devices with unpatched vulnerabilities are becoming an ideal entry point for malware operators.
The US Cybersecurity and Infrastructure Security Agency (CISA) reported that it regularly encounters incidents in which edge devices with expired support periods play a key role. The agency assesses that such components have become one of the most dangerous sources of systemic risks for federal networks and critical infrastructure, and that nation-state cyber groups have shown interest in them.
To mitigate the threat, CISA issued mandatory directive BOD 26-02. It requires civilian federal agencies to identify and replace perimeter devices that are no longer supported, promptly install software updates, and patch known vulnerabilities. CISA also encourages a similar approach outside the federal sector.
At the same time, the agency, together with OASIS Open, is promoting OpenEoX, an international machine-readable standard that describes the product lifecycle, including the end-of-life point. The standard uses a JSON schema and is designed to integrate with existing approaches and formats, including SBOM and CSAF. The idea is to automate the exchange of support-status data, simplify inventory, and more quickly identify technologies that are approaching or have already reached the end of their lifecycle.
The paper's authors, Chris Butera of CISA and Justin Murphy, who also chairs the OpenEoX technical committee at OASIS Open, believe that vendors should publish OpenEoX data openly and without barriers like paywalls and closed portals, and that developers of scanners and asset-tracking platforms should implement support for the standard.
Organizations, for their part, are encouraged to incorporate such information into ongoing processes to proactively plan for the replacement of obsolete devices and promptly address critical issues with security updates.
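The practical value of a machine-readable lifecycle feed is that an asset inventory can be checked against it automatically, so unsupported perimeter devices surface before an incident does. The script below is an added example, not code from the article, CISA or OASIS Open: it parses a constructed lifecycle feed and a constructed inventory and buckets each host as unsupported, approaching end-of-life, supported, or unknown. The record layout (`vendor`, `product`, `version`, `end_of_life`) is a simplified stand-in, not the official OpenEoX schema, and the vendor, product and host names are invented; map the field names to the published schema when consuming real OpenEoX data.

```python
"""Flag inventory assets against machine-readable end-of-life data.

Added example, not part of the article or of the OpenEoX project. The
record layout used here is a constructed simplification, not the official
OpenEoX schema.
"""
import json
from datetime import date, timedelta

# Constructed sample lifecycle feed (invented vendor and product, not real data).
# A null end_of_life means the vendor has not announced an end-of-life date.
LIFECYCLE_FEED = json.dumps([
    {"vendor": "ExampleNet", "product": "EdgeGW", "version": "4.x",
     "end_of_life": "2024-06-30"},
    {"vendor": "ExampleNet", "product": "EdgeGW", "version": "5.x",
     "end_of_life": "2026-03-31"},
    {"vendor": "ExampleNet", "product": "EdgeGW", "version": "6.x",
     "end_of_life": None},
])

# Constructed asset inventory: perimeter hosts with the firmware version they run.
INVENTORY = [
    {"host": "vpn-gw-01", "vendor": "ExampleNet", "product": "EdgeGW", "version": "4.2.1"},
    {"host": "vpn-gw-02", "vendor": "ExampleNet", "product": "EdgeGW", "version": "5.0.3"},
    {"host": "vpn-gw-03", "vendor": "ExampleNet", "product": "EdgeGW", "version": "6.1.0"},
    {"host": "fw-dmz-01", "vendor": "OtherCo", "product": "FW", "version": "2.0"},
]


def load_feed(feed_json):
    """Parse the feed into a lookup keyed by (vendor, product, major version)."""
    table = {}
    for rec in json.loads(feed_json):
        major = rec["version"].split(".")[0]
        eol = date.fromisoformat(rec["end_of_life"]) if rec["end_of_life"] else None
        table[(rec["vendor"], rec["product"], major)] = eol
    return table


def classify(asset, table, today, warn_days=180):
    """Return 'unsupported', 'approaching', 'supported' or 'unknown' for one asset."""
    key = (asset["vendor"], asset["product"], asset["version"].split(".")[0])
    if key not in table:
        return "unknown"       # no lifecycle data published: needs manual follow-up
    eol = table[key]
    if eol is None:
        return "supported"     # no end-of-life date announced yet
    if eol <= today:
        return "unsupported"   # past end-of-life: replacement, not patching, is the fix
    if eol - today <= timedelta(days=warn_days):
        return "approaching"   # inside the planning window for replacement
    return "supported"


def report(inventory, feed_json, today, warn_days=180):
    """Group hosts by support status so replacement can be planned and tracked."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    table = load_feed(feed_json)
    out = {"unsupported": [], "approaching": [], "supported": [], "unknown": []}
    for asset in inventory:
        out[classify(asset, table, today, warn_days)].append(asset["host"])
    return out


if __name__ == "__main__":
    for status, hosts in report(INVENTORY, LIFECYCLE_FEED, "2025-11-15").items():
        print(f"{status:12s} {', '.join(hosts) or '-'}")
```

The "unknown" bucket is deliberate: a device for which no lifecycle data exists at all is exactly the kind of forgotten edge component the directive targets, and it should be reviewed rather than silently treated as supported. Reading the feed from a vendor URL instead of the inline string is the only change needed to run this against a live OpenEoX-style publication.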
