Security & Compliance Intelligence

Why Your EOL Risk Score Is
the Most Important Number in Your Security Stack

Published May 23, 2026 · endoflife.ai · 14 min read

Your stack has a risk score. You just haven't been measuring it.

Every piece of software running in your production environment has an end-of-life date. The moment that date passes, the vendor stops issuing security patches. CVEs keep getting discovered. Exploits keep getting developed. Your software stops getting fixed.

That's not a hypothetical. That's a scheduled event — and it's on a calendar you can look up right now.

The EOL Risk Score™ puts a 0–100 number on that risk for every product and version tracked on endoflife.ai. This article explains what it measures, why each factor matters, how it maps directly to SOC 2, ISO 27001, and PCI DSS compliance requirements, and what the documented consequences look like for organizations that ignore it.

What the EOL Risk Score Actually Measures

The EOL Risk Score™ is a 0–100 composite score calculated at build time for every product and version tracked on endoflife.ai. It is not a CVSS score — it is a lifecycle risk score. It answers a different question: not "how severe is this specific vulnerability" but "how much accumulated, unresolvable risk is this software carrying right now?"

Four factors combine into the final score:

40 pts
EOL Recency
How long since the version hit end of life. Scales with time — the older the EOL date, the higher the penalty. Months of unpatched CVE accumulation, quantified.
30 pts
Attack Surface
How broadly deployed and internet-facing the software typically is. Node.js and PHP score 30/30. A niche internal tool may score 10/30. Same EOL date, different real-world exposure.
20 pts
CISA KEV Exposure
Whether known actively exploited vulnerabilities exist for this product in the CISA Known Exploited Vulnerabilities catalog. Not theoretical — documented active exploitation in the wild.
10 pts
Extended Support
Whether paid extended lifecycle support is available from a third-party vendor. A score of 10/10 means a safety net exists. Zero means there is no patch path whatsoever.

Score bands:

76–100
Critical
51–75
High
26–50
Medium
0–25
Low
A score of 0 doesn't mean safe It means low risk right now. Every supported version is accumulating risk on a known, published timeline. The score for Node.js 22 is 50 Medium today. On April 30, 2027 — with no change to your infrastructure — it becomes 90 Critical. The date is on the calendar.

Why Each Factor Was Chosen

EOL Recency — 40 points

This is the heaviest factor and deliberately so. The longer software has been past its end-of-life date, the more CVEs have been disclosed with no patch path. PHP 7.4 hit EOL in November 2022. By May 2026 that's 42 months of unpatched vulnerability accumulation. Every CVE discovered against PHP 7.4 since November 2022 will never receive an official fix. Not delayed — never.

The recency score scales with time past EOL. A version that hit EOL yesterday scores differently than one that hit EOL three years ago. This reflects reality: attackers track EOL dates. Once a product hits end of life, the research community continues finding vulnerabilities but the vendor stops fixing them. The asymmetry grows with time.

Attack Surface — 30 points

Not all EOL software carries the same exposure. A niche internal tool running on an air-gapped system carries different risk than a web-facing runtime handling public traffic. The attack surface factor accounts for how broadly a product is deployed, how internet-facing it typically is, and how attractive it is as an attack target.

Node.js, PHP, Python, Apache, nginx — these score 30/30 because they are the foundation of internet-facing infrastructure at scale. A proprietary internal scheduling tool might score 10/30. Same EOL date, wildly different real-world exposure.

CISA KEV Exposure — 20 points

The Cybersecurity and Infrastructure Security Agency maintains the Known Exploited Vulnerabilities catalog — a curated list of CVEs that have been actively exploited in the wild. Not theoretically vulnerable. Actively exploited, right now, in documented incidents.

If a product has entries in the CISA KEV catalog, the threat is not academic. Organizations running that product with no patch path are operating with open wounds that attackers have already demonstrated they know how to exploit. The score reflects this urgency.

Extended Support Availability — 10 points

Running past EOL doesn't have to mean running without patches. Specialist vendors provide extended lifecycle support for Linux distributions and other products. If a migration isn't yet possible, a mitigation exists.

This factor rewards products where the risk can be actively managed even past EOL. It also helps compliance teams document a compensating control — "we are running past EOL but under a paid extended support contract that provides continued security patches" is a defensible position with auditors. "We are running past EOL with no patches and no plan" is not.

Real Score Examples Across the Stack

Product EOL Date Score Band Primary Driver
PHP 7.4 Nov 2022 90 Critical 42+ months EOL, max surface, CISA KEV entries
Python 3.8 Oct 2024 88 Critical 19+ months EOL, max surface, active CVEs
Node.js 18 Apr 2025 85 Critical 13+ months EOL, max surface, CISA KEV entries
Ubuntu 20.04 Apr 2025 85 Critical OS-level exposure, 13+ months unpatched
Spring Framework 5.3 Aug 2024 82 Critical Enterprise Java surface, CVE history
Node.js 22 Apr 2027 50 Medium Supported — but high surface already baked in
Go 1.24 Feb 2027 20 Low Supported, smaller surface, extended support available

The difference between PHP 7.4 at 90 and Go 1.24 at 20 isn't just the EOL date. It's the combination of how long it's been unsupported, how exposed it is in typical deployments, and whether active exploits exist in documented incidents. Two products at the same EOL date can score very differently.

The Stack Risk Problem Nobody Talks About

Here's what most security tools miss: your stack's risk level is set by your weakest component, not your strongest.

A team running Node.js 22 (Score: 50 Medium) on Ubuntu 20.04 (Score: 85 Critical) isn't a Medium-risk environment. They're a Critical-risk environment that happens to have a current application runtime. The OS is the foundation. If it's compromised, nothing above it matters.

The same logic applies throughout the stack:

The Stack Scanner at endoflife.ai evaluates your full stack, not individual components in isolation. The score that matters is the highest one — because that's the one your attacker will find first.

How EOL Risk Maps to Compliance Frameworks

This is where the conversation changes for CISOs and compliance teams. EOL software isn't just a technical problem. It is a documented control failure in every major security framework — and auditors are trained to find it.

SOC 2 — Trust Service Criteria
Security Criterion CC7.1 — Vulnerability Management

SOC 2 evaluates organizations against five Trust Service Criteria. The Security criterion — the only mandatory one — includes CC7.1, which requires the organization to detect and monitor for vulnerabilities in its environment. Running EOL software with no patch path is a vulnerability by definition — one that cannot be remediated without migration or extended support.

Auditors performing a SOC 2 Type II examination will review your patch management program. "We are running PHP 7.4" is not a response that satisfies CC7.1 without a documented exception and a dated remediation plan. If they find EOL software without that documentation, it is a finding. Enough findings and your report comes back qualified.

Practical consequence: Enterprise procurement now treats a qualified SOC 2 opinion the same way they treat a failed credit check. You lose the deal.
ISO 27001 — Information Security Management
Annex A.12.6.1 — Management of Technical Vulnerabilities

ISO 27001 Annex A control A.12.6.1 explicitly requires organizations to obtain information about technical vulnerabilities in a timely manner, evaluate their exposure to such vulnerabilities, and take appropriate action to address the associated risk. Running software past its vendor-published end-of-life date with no compensating control is a textbook nonconformity under A.12.6.1.

ISO 27001 certification audits are conducted by accredited certification bodies. A nonconformity found during a surveillance audit can result in suspension of your certificate. More broadly, the certification body expects you to demonstrate a systematic approach to managing technical vulnerabilities — an approach that by definition cannot include ignoring published EOL dates.

Practical consequence: Many enterprise contracts include a requirement to maintain ISO 27001 certification as a condition of the agreement. A lapsed certificate can trigger breach of contract clauses.
PCI DSS — Payment Card Industry Data Security Standard
Requirement 6.3.3 — Security Patch Management

PCI DSS is mandated by Visa, Mastercard, American Express, and Discover for any organization that handles, processes, or transmits cardholder data. Unlike SOC 2 and ISO 27001, non-compliance is not just a commercial problem — it carries direct financial penalties.

Requirement 6.3.3 requires all system components to be protected against known vulnerabilities by installing applicable security patches within defined timeframes. EOL software that is no longer receiving patches has no applicable security patches to install. It is a permanent, unresolvable violation of Requirement 6.3.3 until the software is replaced or covered by a paid extended support agreement that provides continued patches.

Practical consequence: Fines of $5,000–$100,000 per month until compliant. Loss of ability to process card payments. Mandatory forensic investigation costs ($50,000–$200,000+) if a breach occurs while non-compliant. Liability for card reissuance costs across all affected cardholders.

Real-World Consequences — What Actually Happened

These are not hypotheticals. These are documented incidents with published post-mortems, regulatory filings, and financial disclosures.

Incident · 2017
Equifax — 147 Million Records Exposed

Root cause: Apache Struts CVE-2017-5638, a critical remote code execution vulnerability. The patch had been available for two months. It was never applied.

The breach ran undetected for 78 days. Names, Social Security numbers, birth dates, addresses, and driver's license numbers for 147 million Americans were exfiltrated. Total costs reached $1.38 billion. The FTC settlement alone was $575 million. The CEO, CIO, and CSO all resigned.

The vulnerability was known. The patch existed. The software was running unpatched in a public-facing system. EOL software takes this failure mode and makes it permanent — there is no patch to apply, ever.

Incident · 2023
MOVEit Transfer — 2,000+ Organizations Breached

Root cause: A zero-day SQL injection vulnerability in Progress Software's MOVEit Transfer product, exploited by the Cl0p ransomware group in a coordinated global campaign.

Over 2,000 organizations confirmed affected: Shell, British Airways, the BBC, the US Department of Energy, and multiple state government agencies among them. Tens of millions of individuals had sensitive data stolen. Organizations running older, unpatched versions had no remediation path. The campaign was one of the largest mass-exploitation events in history.

Incident · 2021
Log4Shell — CVSS 10.0, Exploited Within Hours

Root cause: CVE-2021-44228 in Apache Log4j, a ubiquitous Java logging library embedded in thousands of enterprise products. CVSS score: 10.0 — the maximum. Actively exploited within hours of public disclosure.

Organizations running EOL Java versions that could not apply the patch were fully exposed with no remediation path. Many organizations did not know they were running Log4j — it was embedded in vendor products, not directly installed. The response required emergency patching across entire industries simultaneously. Teams running EOL software had one option: exposure.

The pattern is the same every time Known software. Known vulnerability. No patch applied. EOL software removes "apply the patch" from your options permanently. Every incident above had a known fix available — for most of the affected systems. The ones that didn't were running unsupported software. They had nowhere to go.

Cyber Insurance — The Consequence Most Teams Don't See Coming

The cyber insurance market has changed dramatically since 2021. Underwriters now ask detailed questions about your technology stack as part of the application process. The questions have become specific:

Answering these questions incorrectly — or having a breach reveal EOL software that wasn't disclosed — ranges from increased premiums to voided coverage. Some policies now include explicit exclusions for breaches originating from software that was past vendor end-of-life at the time of the incident.

IBM's Cost of a Data Breach Report puts the average breach at $4.45 million USD. A $4.45 million breach with a $4 million policy is a survivable event. A $4.45 million breach with voided coverage because you were running PHP 7.4 is a different conversation entirely.

The EOL Risk Score is the number your underwriter is going to ask about. Know it before they do.

The Planning Framework — What to Do at Each Stage

The EOL Risk Score gives you a number. Here is how to act on it:

Check Your Stack Right Now

Every product and version on endoflife.ai has an EOL Risk Score. It is free. No signup required. No sales call.

If you find a Critical score in your stack today, you have options. Extended support vendors can provide continued patches while you plan a controlled migration. If you find it during an audit or after a breach, your options narrow considerably.

Attackers track EOL dates too. The moment a version hits end of life, it becomes a permanently open target. The CVEs will keep coming. The patches will not. The score is the number that makes that timeline visible before it becomes an incident.

Know your number.

Check your stack's EOL Risk Score™

Free, no signup. Every product and version tracked. Know your risk before your auditor — or your attacker — does.

Scan your stack Check a product Score methodology

The Monthly EOL Digest™

Once a month — critical end-of-life dates, CVE blind spots, and lifecycle changes worth knowing about.

✓ You're on the list.