IRONSMITHINTEL
CRITICAL | Auth: n/a | Reboot: required | Est. Migration project: days to weeks depending on workloads | Manual only

End-of-Support Windows Server Versions Receive No Security Patches After EOL Date

Windows Server 2012 and 2012 R2 reached end of extended support in October 2023 — every CVE discovered after that date is permanently unpatched unless Extended Security Updates are purchased.

Published May 7, 2026
Why patch: Risk explained in plain English

Worst-case scenario (if unpatched)

Every vulnerability disclosed after October 2023 is permanently unpatched on Windows Server 2012/2012 R2 without ESU. Attackers can exploit publicly known vulnerabilities with published PoC or weaponised exploit code against these servers with no possibility of a standard patch remediation.

How the attack works

Microsoft Windows Server 2012 and 2012 R2 reached end of extended support on October 10, 2023. After this date, Microsoft no longer releases security patches for these operating systems. Any new vulnerability discovered affects these servers permanently unless Microsoft provides an out-of-band patch for a critical issue (rare) or the organisation purchases Extended Security Updates (ESU). Attackers actively target known-unpatched EOL systems.

Am I affected? Quick check

Probably yes if any of these apply:

All servers running Windows Server 2012 or 2012 R2
Running Windows Server 2012, Windows Server 2012 R2 (EOL October 2023)

Affected OS versions

Windows Server 2012
Windows Server 2012 R2

Fixed in: Windows Server 2022 or Windows Server 2019

Real-world incidents: What we've seen

Ransomware groups maintain lists of known-vulnerable EOL OS versions and specifically target organisations still running them. After EOL, the backlog of unpatched vulnerabilities grows every month — a server running Windows Server 2012 R2 today is missing over 18 months of security patches.

How to patch

Manual remediation steps

Migration project: days to weeks depending on workloads

Identify End-of-Support Servers

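# Run on each server to check the OS version
# (version 6.2 = Windows Server 2012, 6.3 = Windows Server 2012 R2)
[System.Environment]::OSVersion.Version
# Get-CimInstance replaces the deprecated Get-WmiObject (available from PowerShell 3.0)
(Get-CimInstance -ClassName Win32_OperatingSystem).Caption

# Or check remotely via Active Directory (requires the ActiveDirectory module from RSAT)
Import-Module ActiveDirectory
# Filter on the domain controller instead of pulling every computer object
Get-ADComputer -Filter "OperatingSystem -like '*2012*'" -Properties OperatingSystem |
    Select-Object Name, OperatingSystem | Sort-Object OperatingSystem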
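
The Active Directory query above also returns computer accounts for servers that were decommissioned long ago, so the raw list overstates the work. The following is an added example, not an IronSmithIntel script: it takes the October 10, 2023 end-of-support date from this page, while the function name Get-EolStatus, the 90-day staleness threshold and the host names in the sample inventory are assumptions constructed for illustration.

```powershell
# Added example: triage an inventory of Windows Server 2012 / 2012 R2 hosts.
# The end-of-support date is from this page; all other names are hypothetical.
$Eol2012 = [datetime]'2023-10-10'

function Get-EolStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Computer,
        [int]$StaleAfterDays = 90,      # assumption: no logon in 90 days = likely retired
        [datetime]$AsOf = (Get-Date)
    )
    process {
        # Flags only the 2012 family covered here; other versions are not assessed.
        $isEol    = $Computer.OperatingSystem -match 'Windows Server 2012'
        $lastSeen = $Computer.LastLogonDate
        $stale    = (-not $lastSeen) -or (($AsOf - $lastSeen).TotalDays -gt $StaleAfterDays)
        [pscustomobject]@{
            Name            = $Computer.Name
            OperatingSystem = $Computer.OperatingSystem
            Eol2012         = $isEol
            DaysPastEol     = if ($isEol) { [int][math]::Floor(($AsOf - $Eol2012).TotalDays) } else { $null }
            Stale           = $stale
            Action          = if (-not $isEol) { 'Not covered by this check' }
                              elseif ($stale)  { 'Confirm decommissioned, remove AD object' }
                              else             { 'Upgrade, migrate or enrol in ESU' }
        }
    }
}

# Constructed sample inventory, shaped like Get-ADComputer output (runs offline).
$now = Get-Date
$sample = @(
    [pscustomobject]@{ Name = 'FS01';  OperatingSystem = 'Windows Server 2012 R2 Standard'; LastLogonDate = $now.AddDays(-2) }
    [pscustomobject]@{ Name = 'APP07'; OperatingSystem = 'Windows Server 2012 Datacenter';  LastLogonDate = $now.AddDays(-400) }
    [pscustomobject]@{ Name = 'WEB03'; OperatingSystem = 'Windows Server 2022 Standard';    LastLogonDate = $now.AddDays(-1) }
)
$sample | Get-EolStatus | Sort-Object Stale, Name | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
# Get-ADComputer -Filter "OperatingSystem -like '*2012*'" -Properties OperatingSystem, LastLogonDate |
#     Get-EolStatus | Export-Csv .\eol-servers.csv -NoTypeInformation
```

LastLogonDate replicates with a lag of up to about two weeks, so treat the Stale flag as a prompt to verify, not as proof the server is gone.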

Options

Option 1 — In-Place Upgrade to Windows Server 2022

1. Install Windows Server 2022 evaluation edition over the existing installation
2. Activate with new license key

Option 2 — New Deployment and Workload Migration

1. Deploy new Windows Server 2022 hardware or VM
2. Migrate workloads (applications, IIS sites, SQL Server, etc.)
3. Decommission old server

Option 3 — Extended Security Updates (Temporary)

1. Purchase ESU through volume licensing or Azure
2. Register servers for ESU
3. Note: ESU only covers Critical and Important vulnerabilities — does not fully replace upgrading

Upgrade Planning Resources

1. Microsoft Upgrade Center: microsoft.com/en-us/windows-server/upgrade-and-migration
2. Windows Server 2022 evaluation: microsoft.com/en-us/evalcenter/evaluate-windows-server-2022

PowerShell automation: Coming soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.