Software end-of-life gets most of the attention in security conversations. Hardware end-of-service-life is quieter — but the consequences are just as serious, and the lead times for remediation are significantly longer. You can upgrade a runtime in weeks. Replacing core network infrastructure takes quarters.

EOSL — end of service life — is the point at which a hardware vendor stops providing software updates, security patches, and technical support for a product. The hardware doesn't stop working. The firmware does stop getting patched. And firmware vulnerabilities in network gear and storage arrays are among the most dangerous in any environment — they sit below the OS, often outside the reach of standard vulnerability scanners, and provide attackers with persistent, privileged access.

Understanding the Hardware Lifecycle

Enterprise hardware vendors typically structure support into distinct phases. Knowing which phase your equipment is in determines what coverage you actually have.

End of Sale (EoS): The vendor stops selling the product. New purchases are unavailable. Existing units continue to receive full support. This is the first lifecycle warning — hardware approaching EoS should be flagged for eventual replacement planning.

End of Software Maintenance (EoSM): Security patches and software updates stop. This is the critical threshold — firmware vulnerabilities disclosed after this date will not be patched. Hardware past EoSM is functionally equivalent to EOL software: known vulnerabilities accumulate indefinitely.

End of Service Life (EOSL): All support ends. No patches, no TAC support, no hardware replacement under contract. At this point the vendor relationship is over entirely.

The scanner blind spot is worse for hardware. Most vulnerability scanners are optimized for OS and application-layer CVEs. Firmware vulnerabilities in network gear frequently go undetected by standard scanning — they require specialized tools and often vendor-specific security advisories to surface.

Cisco

Cisco publishes detailed lifecycle dates through its Product Lifecycle Support page. Their end-of-life policy provides a minimum of one year between EoS announcement and EoS date, with software maintenance typically continuing for three to five years post-EoS.

Cisco Catalyst Switching

| Platform | End of Sale | End of SW Maintenance | EOSL |
|---|---|---|---|
| Catalyst 2960-X | Jan 2023 | Jan 2025 | Jan 2028 |
| Catalyst 3650 | Oct 2020 | Oct 2022 | Oct 2025 |
| Catalyst 3850 | Oct 2020 | Oct 2022 | Oct 2025 |
| Catalyst 9200 | Active | Active | TBD |
| Catalyst 9300 | Active | Active | TBD |

Cisco ASA Firewall

| Platform | End of Sale | End of SW Maintenance | EOSL |
|---|---|---|---|
| ASA 5505 | Aug 2017 | Aug 2019 | Aug 2022 |
| ASA 5510/5520/5540 | Aug 2017 | Aug 2019 | Aug 2022 |
| ASA 5508-X / 5516-X | Aug 2022 | Aug 2024 | Aug 2027 |
| Firepower 1000/2100 | Active | Active | TBD |

Action required: Catalyst 3650/3850 and ASA 5500-series devices past End of Software Maintenance are accumulating unpatched firmware CVEs. These are common platforms in mid-market enterprise environments and frequently missed in EOL audits because the hardware is still functioning normally.

HPE

HPE's lifecycle policy varies by product line. ProLiant servers receive a minimum of five years of support from general availability. Networking products (Aruba) follow separate lifecycle schedules.

HPE ProLiant Servers

| Platform | Gen | End of Support | Status |
|---|---|---|---|
| ProLiant DL360 | Gen 9 | Jan 2024 | End of Support |
| ProLiant DL380 | Gen 9 | Jan 2024 | End of Support |
| ProLiant DL360 | Gen 10 | Feb 2028 | Active |
| ProLiant DL380 | Gen 10 | Feb 2028 | Active |
| ProLiant DL360 | Gen 11 | 2030+ | Active — Current |

HPE Gen 9 servers reached end of support in early 2024. iLO (Integrated Lights-Out) firmware on Gen 9 platforms is no longer patched — iLO vulnerabilities have historically been severe, including remote code execution without authentication. Any Gen 9 server with internet-accessible iLO is an unacceptable risk.

Dell EMC / Dell Technologies

Dell's PowerEdge server line and PowerStore/PowerVault storage platforms follow a lifecycle with ProSupport coverage typically available for five to seven years post-release.

Dell PowerEdge Servers

| Platform | End of Service Life | Status |
|---|---|---|
| PowerEdge 13G (R630/R730) | Oct 2023 | EOSL |
| PowerEdge 14G (R640/R740) | Jan 2027 | Active — plan replacement |
| PowerEdge 15G (R650/R750) | 2029+ | Active |
| PowerEdge 16G (R660/R760) | 2031+ | Active — Current |

Dell EMC Storage

| Platform | End of Service Life | Status |
|---|---|---|
| VNX/VNX2 Series | Dec 2023 | EOSL |
| Unity 300/400/500 | Dec 2026 | EOL in 7 months |
| PowerStore 500/1000/3000 | 2030+ | Active |

Action required: VNX/VNX2 storage arrays at EOSL are a significant risk in environments that haven't migrated. These platforms manage storage for multiple systems — a firmware compromise can affect every workload they serve. Dell 14G servers approaching 2027 EOSL should be in replacement planning now given typical procurement and migration timelines.

Third-Party Maintenance: The Trade-offs

A common response to hardware EOSL is third-party maintenance (TPM) contracts — companies like Curvature, Park Place Technologies, and Centrilogic that provide hardware support after the vendor stops. TPM can significantly reduce hardware support costs and extend the functional life of equipment.

What TPM cannot provide is firmware security patches. Third-party maintainers keep hardware running. They cannot patch iLO vulnerabilities, switch firmware flaws, or storage controller CVEs — only the OEM can do that, and after EOSL, the OEM won't. TPM is a valid operational strategy. It is not a security strategy.

The right framing: TPM buys time for planned replacement. It does not reduce firmware CVE exposure. Organizations using TPM on EOSL hardware should treat those systems with the same compensating controls applied to EOL software: network segmentation, restricted management access, enhanced monitoring, and a documented replacement timeline.

Building Your Hardware EOL Inventory

Most organizations have better visibility into their software stack than their hardware lifecycle status. Physical assets age quietly — the switch in the wiring closet doesn't send a pop-up notification when it crosses into End of Software Maintenance.

The starting point is a complete hardware inventory with firmware versions and purchase dates. Cross-reference against vendor lifecycle databases — Cisco's Product Lifecycle Support, HPE's End of Life portal, and Dell's Product Lifecycle page are all publicly accessible. Flag everything past End of Software Maintenance for immediate review and everything within 18 months of End of Software Maintenance for replacement planning.

Pay particular attention to out-of-band management interfaces: Cisco's IOS-XE management plane, HPE iLO, Dell iDRAC, and equivalent platforms on other vendors. These interfaces are high-value targets — they provide remote access to hardware below the OS level — and their firmware vulnerabilities are frequently severe. Management interfaces on EOSL hardware with no patch path should be isolated from all external network access without exception.
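The triage described in the two paragraphs above, as an added example that is not part of the original article: it cross-references an inventory against End of Software Maintenance dates, applies the 18-month planning window, and marks devices with no patch path whose management interface is externally reachable. The lifecycle dates are copied from the Cisco tables on this page with day 1 assumed; the inventory rows, hostnames and the `mgmt_external` column are constructed for illustration.

```python
import csv
import io
from datetime import date

# End of Software Maintenance dates from the Cisco tables on this page.
# The page gives month and year only; day 1 is assumed. None = still active.
EOSM = {
    "Catalyst 2960-X": date(2025, 1, 1),
    "Catalyst 3850": date(2022, 10, 1),
    "ASA 5508-X": date(2024, 8, 1),
    "Catalyst 9300": None,
}

# Constructed sample inventory; hostnames and column names are hypothetical.
INVENTORY_CSV = """hostname,platform,mgmt_external
core-sw-01,Catalyst 3850,no
edge-fw-01,ASA 5508-X,yes
access-sw-07,Catalyst 2960-X,no
dist-sw-02,Catalyst 9300,no
lab-sw-03,Catalyst 4500,no
"""

def months_ahead(d, n):
    # First day of the month n months after d (table granularity is monthly).
    y, m = divmod(d.year * 12 + d.month - 1 + n, 12)
    return date(y, m + 1, 1)

def classify(platform, today, window_months=18):
    if platform not in EOSM:
        return "UNKNOWN"  # no lifecycle data: look it up, never assume OK
    eosm = EOSM[platform]
    if eosm is not None and eosm <= today:
        return "IMMEDIATE_REVIEW"  # past EoSM: no firmware patch path
    if eosm is not None and eosm <= months_ahead(today, window_months):
        return "PLAN_REPLACEMENT"
    return "OK"

def audit(inventory_csv, today):
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status = classify(row["platform"], today)
        # No patch path plus external management reachability: isolate first.
        isolate = status == "IMMEDIATE_REVIEW" and row["mgmt_external"] == "yes"
        findings.append((row["hostname"], status, isolate))
    return findings

if __name__ == "__main__":
    for host, status, isolate in audit(INVENTORY_CSV, date(2024, 9, 1)):
        print(f"{host:14} {status:17} {'ISOLATE MGMT' if isolate else ''}")
```

Platforms missing from the lifecycle data come back as `UNKNOWN` rather than `OK`, so an incomplete lookup table surfaces as work to do instead of hiding a device.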

Hardware EOSL is a longer cycle than software EOL, which makes it easier to deprioritize. A procurement decision made in 2019 creates a security problem in 2024 — the gap between cause and consequence is long enough that the connection gets lost. The organizations that manage hardware lifecycle proactively, with planned replacement cycles tied to vendor EOSL dates, avoid the crisis of discovering that critical infrastructure is running on unpatched firmware with no remediation path. Start the inventory. The replacement timelines are long enough that early discovery is the only kind that helps.