Attack Surface Management

Outdated Web Technologies

7 min read·Updated 2026-04-26
TL;DR

Outdated web technologies are old versions of CMSes, frameworks, libraries and server software still running in production. They tend to come with known CVEs, often with public exploits, and are the most reliable starting point for opportunistic attackers. The technical fix is to upgrade. The reason it does not happen is almost always organisational, not technical.

What it is

Outdated web technology is shorthand for any externally exposed component that is no longer current with vendor security updates. The category covers a lot of ground:

  • CMS platforms. WordPress, Drupal, Joomla, Magento, Sitecore, Adobe Experience Manager, and many others. Each has a release lifecycle and an end-of-life date.
  • Web frameworks. Old Django, Rails, Laravel, Spring, Express, Struts, ASP.NET Web Forms, and similar.
  • JavaScript libraries. jQuery, Angular, React, Vue, plus the long tail of npm packages bundled into front-end builds.
  • Server software. Apache HTTPD, Nginx, IIS, Tomcat, JBoss, WebLogic.
  • Application runtimes. PHP, Node.js, Python, Ruby, Java versions.
  • Operating systems. Particularly anything running CentOS 6/7, Windows Server 2008/2012, Ubuntu LTS releases past their support dates.
  • Edge components. Old WAF firmware, load balancer software, VPN gateways.

A site running WordPress 5.4 with a jQuery 1.x bundle on a server with PHP 7.2 and Apache 2.4.49 is a not-uncommon finding on a real audit. Each piece of that stack has known issues. The combination is a target.

Why it matters

The case for keeping things current is not abstract. Outdated web tech drives a substantial fraction of all real-world breaches.

  • Known exploits at attacker fingertips. Once a CVE is published with a working exploit (or once an exploit ends up in Metasploit, exploit-db, or a leaked private kit), every vulnerable host on the internet is a candidate. The attacker is not researching anything. They are running a script.
  • Mass exploitation campaigns. Equifax in 2017 was an unpatched Apache Struts deployment (CVE-2017-5638). Magento and Magecart skimming campaigns exploited unpatched CMS vulnerabilities for years. The 2021 Microsoft Exchange ProxyLogon and ProxyShell waves hit tens of thousands of organisations within days. PAN-OS, Ivanti and Citrix have all had multiple mass-exploitation cycles in recent years.
  • CISA KEV and ransomware crew interest. CISA's Known Exploited Vulnerabilities catalogue lists CVEs being actively used in attacks. Many of them target old versions of common web tech. Ransomware affiliates explicitly hunt for these.
  • Compliance failures. PCI DSS, HIPAA, ISO 27001, and most regulated frameworks require timely patching. Auditors flag end-of-life components.
  • Insurance and contract obligations. Cyber insurance underwriters increasingly check for outdated tech and either deny coverage or raise premiums when it is found.

The persistent question is why old tech sticks around. The honest answer is rarely technical. Upgrades break things. Compatibility with custom code, plugins, and integrations gets in the way. Nobody owns the upgrade path. The original developers left. The business hates downtime windows. Regulatory sign-off processes slow down change. So the old version stays.

How attackers exploit it

The attacker pattern against outdated web tech is the cheapest, most repeatable workflow in modern offensive operations:

  1. Pick a vulnerability with a public exploit. Either a recently disclosed CVE or an old reliable one. CISA KEV is a useful target list.
  2. Use passive reconnaissance to find vulnerable hosts. Shodan, Censys, FOFA queries return thousands of candidate IPs in seconds. Banner data and HTML fingerprints reveal the version.
  3. Fire the exploit. For mass campaigns, automate it. Run the exploit against every candidate. Collect shells where it lands.
  4. Monetise. Ransomware deployment, web shell installation, credential theft, cryptominer placement, supply chain access.

The economics favour the attacker overwhelmingly. A single exploit, once weaponised, runs against the entire internet for the cost of compute time. Defenders have to patch every instance. Attackers only need one to slip through.

For more targeted attacks, the workflow is similar but slower. The attacker fingerprints the target's stack, looks for known issues, and either uses a publicly available exploit or develops a private one. The starting point is still passive observation of outdated software.

How to detect it

Detection of outdated web tech follows the same playbook as broader vulnerability assessment:

  • HTTP fingerprinting at scale. Pull HTTP responses for every web property. Parse server headers, generator meta tags, asset paths, and inline scripts. Tools like Wappalyzer, BuiltWith, and similar fingerprinting libraries identify thousands of technologies.
  • JavaScript asset analysis. Front-end builds typically include version strings in bundled libraries. Static analysis of loaded scripts reveals jQuery, Angular, React, and many other library versions.
  • TLS and cipher suite analysis. Older server software supports older protocol versions. A server still negotiating TLS 1.0 is usually running outdated software too.
  • Banner-based service identification. The non-HTTP services running alongside the web stack (SSH, FTP, mail) reveal the underlying OS and runtime ages.
  • Cross-reference with vulnerability databases. Each identified technology version maps to CVE records. Filter for CVEs that are exploitable, recent, or in the KEV catalogue.
  • Check end-of-life dates. Some products have CVE-free recent histories but are still EOL. PHP 7.4, CentOS 7, Windows Server 2012 R2 are examples. EOL means no future security updates regardless of current vulnerability count.
  • Correlate with KEV and EPSS. A technology with no current critical CVEs but a history of frequent issues (and an EPSS score trending up) deserves prioritisation even before the next CVE drops.

Continuous detection is the right cadence. New CVEs land daily. A version that was fine yesterday may be on the KEV list tomorrow.

How to remediate

The remediation menu, in rough order of preference:

  1. Upgrade to a current supported version. Always the right answer when feasible. Includes minor and patch upgrades.
  2. Replace with a maintained alternative. When the original technology is dead (Adobe Flash, AngularJS, Internet Explorer-era stacks), upgrade is not possible. Replacement is.
  3. Remove the dependency. Sometimes the outdated component is no longer needed. The static site does not actually need the old jQuery. The campaign page can be retired.
  4. Move behind a WAF or virtual patch. Compensating control rather than fix. Buys time but does not eliminate risk. Useful when an upgrade is genuinely not feasible in the short term.
  5. Segment and restrict access. If the outdated component must remain reachable but does not need to be on the public internet, restrict to VPN or specific source IPs.
  6. Air-gap or decommission entirely. For end-of-life technology that cannot be upgraded and is no longer business-critical, removing it is cleaner than maintaining controls around it.

Pragmatic notes that come up in real remediation work:

  • Plugin and theme dependencies are often the bottleneck for CMS upgrades. Plan for plugin replacements as part of the upgrade scope.
  • Build pipelines often pin library versions. Updating production requires updating the build, the staging environment, and any automation that depends on it.
  • Shared hosting platforms sometimes lag behind on PHP, Node and similar runtimes. Migrating to a current platform is sometimes faster than waiting for the host to upgrade.
  • Compliance windows are not security windows. PCI's 30-day patching window is a maximum, not a target. Critical KEV findings on internet-exposed systems should be measured in hours and days, not weeks.

Best practices

  • Maintain a current inventory of every web technology in use across external properties. Without an inventory, prioritisation is guessing.
  • Subscribe to vendor advisories for everything in your stack. WordPress, Drupal, your framework of choice, your runtime, your server. The first signal of a new CVE comes from the vendor.
  • Define and enforce SLAs based on exposure and exploitability. Internet-facing system on KEV: hours to patch. Internal system, low exposure, no public exploit: weeks.
  • Track end-of-life dates as a separate dimension from CVEs. A product on its last security update is on a countdown clock even with no current vulnerabilities.
  • Build replacement pathways for end-of-life technology in advance. Do not wait until the EOL date to start planning the migration.
  • Keep development environments on the same versions as production. A patch process that works in dev and breaks in production is missing test coverage.
  • Treat plugins and third-party modules as part of the patching surface. WordPress core may be current, but a vulnerable plugin is just as exploitable.
  • Limit the surface where it is reasonable to do so. A WordPress site does not need XML-RPC enabled. A static marketing site does not need server-side scripting at all. Reducing the attack surface reduces the patching burden too.

ScruteX detects outdated web technologies across your external properties and maps them to known CVEs and end-of-life risks.

Learn more

Further reading

Passive Vulnerability Assessment

How passive vulnerability assessment infers exposures from banners, certificates and other observable data without sending intrusive payloads, and where it fits alongside active testing.

External IP Discovery and Open Ports

How external IP and port discovery works, what attackers learn from a basic scan, and how to keep a continuous inventory of your internet-facing assets.