Techbrunch 2 days ago

Depending on the target and the severity of the vulnerability, the vendor might consider fixing the vulnerability even if EOL.

If the target is an IoT device, the vulnerability will likely be mass exploited to create a botnet.

The U.S. government recently ‘took control’ of a botnet run by Chinese government hackers made of 260,000 Internet of Things devices... (Source: https://techcrunch.com/2024/09/18/u-s-government-took-contro...)

sidewndr46 2 days ago

If the device is explicitly past EOL, what is the point anyways? Just to wait 60 days and hear they aren't going to do anything?

  • winnona 2 days ago

    not necessarily! If the 0day is bad enough the vendor may patch it or release further guidance - most recent case is Ivanti this week (https://cyberscoop.com/ivanti-vulnerability-cisa-kev/)

    • slt2021 2 days ago

      likely used by vendor as sales strategy to upgrade device:

      we will give you patch for this EOL 0day, but this will be the last one. Please buy new version and btw here is 20% discount code, you are welcome

      • GTP 2 days ago

        Still better than leaving devices unpatched. The end user still has the final word, can totally refuse to buy a new one if he/she doesn't think getting a new one is worth it.

      • sidewndr46 2 days ago

        they could offer to send you a $15 Grubhub gift card for your trouble