A legacy file-transfer server has reached end-of-life (EOL) status, meaning the vendor no longer provides patches or security updates. To keep a critical application running, the server is placed on its own VLAN with no route to the public Internet. Which of the following statements BEST describes the residual security risk of leaving this EOL server in production?
Isolation from the public Internet eliminates all attack vectors, so no further mitigation is necessary.
Regular data backups remove any significant security concern associated with keeping the EOL server online.
The server remains vulnerable because new exploits will not be patched and threats like removable-media malware or insider abuse can still compromise it.
The only remaining risk is hardware failure; cybersecurity threats no longer apply once the server is air-gapped.
The server is still vulnerable because unpatched flaws can be exploited through vectors other than the public Internet. Malware can arrive on removable media or via lateral movement from an internal host, and insiders with physical or logical access can abuse the system. Because the vendor no longer releases fixes, any new vulnerabilities discovered will remain unpatched for the life of the device. Therefore, the risk persists despite network isolation, and additional compensating controls or migration are required.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What does 'end-of-life status' mean in the context of hardware or systems?
Open an interactive chat with Bash
What are some common risks associated with using end-of-life systems?
Open an interactive chat with Bash
What can organizations do to mitigate risks from end-of-life systems?