tenable:108797 · Disclosed 2018-04-03

Unsupported Windows OS

ASSESSED — NOISGATE V0.5
01 · The Real Story

This is a car with no airbags, not a car already in a crash

Plugin 108797 is a generic remote fingerprint for Microsoft Windows systems or service packs that are past vendor support. Tenable says it fires when the remote Windows release is missing a required service pack or is no longer supported. In practice that can include old families like Windows 7 (support ended 2020-01-14), Windows 8.1 (2023-01-10), Windows Server 2008 R2 SP1 (2020-01-14), Windows Server 2012 R2 (2023-10-10, with ESU caveats), and retired Windows 10 branches.

Tenable's Critical / 10.0 label is too blunt for real-world prioritization. An unsupported OS absolutely multiplies risk because it stops receiving normal fixes, but this finding is not itself an unauthenticated remote code execution path; the attacker still needs a reachable service and a real exploit for a specific unpatched Windows flaw. That makes this a HIGH estate-risk posture issue, not a clean CRITICAL exploit path on its own.

"This is dangerous technical debt, not a stand-alone CVSS 10 exploit"
02 · The Attack Path

4 steps from start to impact.

STEP 01

Fingerprint the host

An attacker identifies legacy Windows with tooling like nmap OS detection, SMB banners, CrackMapExec, or simple service behavior checks. Plugin 108797 itself is based on remote OS fingerprinting, which tells you this stage is cheap for both defenders and attackers.
Conditions required:
  • Network reachability to the host
  • Enough service exposure to infer Windows family or patch era
Where this breaks in practice:
  • Modern enterprises often segment server VLANs and block unauthenticated SMB/RDP discovery
  • Remote fingerprinting can misclassify builds, especially around ESU-covered or backported environments
Detection/coverage: Commodity scanners catch this well at the posture level, but they do not prove exploitability or distinguish every ESU/support exception.
STEP 02

Match a working n-day to the exposed service

Once the attacker knows the host is on an unsupported branch, they pick a reachable weakness in SMB, RDP, RPC, Netlogon, HTTP.sys, print stack, or another Windows surface. Tooling is usually Metasploit, Impacket, or private tradecraft mapped to the exact service and build.
Conditions required:
  • A vulnerable network-facing service must be exposed
  • The host must actually lack the relevant fix for the chosen bug
Where this breaks in practice:
  • Unsupported OS does not guarantee a working exploit on every host
  • NGFWs, host firewalls, disabled legacy protocols, and service hardening collapse many theoretical paths
Detection/coverage: Vuln scanners only partially cover this unless the scan is credentialed and mapped to specific CVEs; remote unsupported-OS detection is only a starting signal.
STEP 03

Land code execution or privileged access

If the chosen Windows flaw lands, the attacker usually gets SYSTEM or a high-privilege foothold and immediately shifts into credential access with Mimikatz, Impacket-secretsdump, or LSASS dumping. On flat networks, one unsupported server can become an amplification point for the rest of the estate.
Conditions required:
  • A successful exploit or valid credential path
  • Weak post-exploitation controls on the endpoint
Where this breaks in practice:
  • EDR, Credential Guard, ASR rules, and LSASS protections frequently break follow-on actions
  • Application allow-listing and constrained admin reduce blast radius
Detection/coverage: EDR is much better at catching this stage than the initial unsupported-OS condition.
STEP 04

Pivot laterally from the legacy island

Attackers use the legacy host as a beachhead for SMB admin shares, WinRM, PsExec-style movement, or directory abuse against newer systems. Unsupported Windows matters here because it often coexists with old protocols, old app dependencies, and weaker hardening standards.
Conditions required:
  • Useful credentials or trust relationships
  • Lateral movement paths to other systems
Where this breaks in practice:
  • Tiering, PAWs, admin segmentation, and east-west filtering sharply limit spread
  • A single isolated legacy box may have ugly local risk but poor enterprise blast radius
Detection/coverage: Identity detections, admin-share monitoring, and EDR telemetry usually surface the pivot better than the original OS-age finding.
03 · Intelligence Metadata

The supporting signals.

Finding type: Posture / end-of-support condition, not a discrete CVE. Plugin 108797 is a legacy remote unsupported-OS detector.
Vendor rating: Tenable marks it Critical 10.0 with a manual unsupported-OS score, using CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H on the plugin page.
In-the-wild status: There is no KEV entry for plugin 108797 itself. The real issue is that unsupported Windows cannot reliably receive fixes for the steady stream of Windows KEV issues that do get exploited.
Proof-of-concept availability: Exploit availability is broad but indirect: old Windows families are heavily covered by public tooling such as Metasploit and Impacket, but there is no single PoC for 'unsupported Windows' as a condition.
EPSS: N/A — EPSS is CVE-specific, and this is not a CVE-backed finding.
KEV status: N/A for the finding. Relevant Windows flaws such as CVE-2017-0144 and CVE-2019-0708 are in the broader KEV ecosystem, which is why unsupported Windows remains dangerous.
Affected range: Any Windows release or required service pack past Microsoft support. Examples from official lifecycle pages: Windows 7 ended 2020-01-14, Windows 8.1 ended 2023-01-10, Windows Server 2008 R2 ended 2020-01-14, Windows Server 2012 R2 ended 2023-10-10.
Fixed state: There is no patch version. The only real fix is to move the host onto a currently supported Windows release or service pack. Windows Server 2012 R2 is a special case because Microsoft lists ESU Year 3 through 2026-10-13, so some environments may still be support-covered.
Detection nuance: Tenable's own 2024 conversion notes show many Windows unsupported-version checks moved to branch-specific SEoL plugins, while older remote unsupported detections remained. That is a clue that generic remote labeling can be noisier than version-aware local checks.
Disclosure / authorship: Plugin 108797 was published 2018-04-03 by Tenable and remains a Remote detector with required KB items Host/OS and Host/OS/Confidence.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to HIGH (7.6/10)

The decisive factor is that this finding does not grant compromise by itself; it only tells you the host is outside normal support and therefore more likely to be exploitable through some other weakness. I kept it at HIGH because unsupported Windows is common, high-blast-radius technical debt in enterprise networks, especially where legacy SMB/RDP exposure and old management patterns still exist.

HIGH: Downgrading Tenable's blanket Critical to a posture-based HIGH
MEDIUM: Exact support state on individual hosts where ESU, Azure entitlement, or odd edition lifecycle may apply

Why this verdict

  • Blanket vendor scoring got walked down: Tenable assigns a generic 10.0 unsupported-software score, not a host-specific exploit path.
  • Requires a second real weakness: attacker needs reachable SMB/RDP/RPC/other surface plus a valid unpatched flaw or credential path before impact happens.
  • Exposure population matters: internal-only legacy servers are already behind a prior-compromise or east-west movement requirement, which is a strong downward pressure from CRITICAL.
  • Blast radius keeps it elevated: once one unsupported Windows server is popped, old protocols, stale hardening, and admin sprawl can turn it into a lateral-movement hub.

Why not higher?

There is no single unauthenticated exploit here, no proof that a reachable service is vulnerable, and no KEV record for the finding itself. A CRITICAL label would only be fair once you pair this with actual external exposure plus a specific exploitable Windows flaw on the host.

Why not lower?

Unsupported Windows is not harmless backlog noise. It permanently drops the host out of normal security maintenance, and the historical Windows track record of exploited SMB/RDP/identity bugs means these boxes age into easier footholds over time.

05 · Compensating Control

What to do — in priority order.

  1. Segment legacy Windows now — Place unsupported Windows hosts behind strict east-west ACLs and management jump paths, and remove broad user/workstation reachability. For a HIGH verdict, deploy this within 30 days to cut the easiest exploitation and pivot routes while the upgrade plan is executed.
  2. Kill unnecessary SMB and RDP exposure — Disable or firewall SMBv1, unnecessary SMB listening, RDP from user networks, and WinRM where not explicitly required. Do this within 30 days because most practical attack chains against old Windows begin with an overly reachable management or file-sharing surface.
  3. Harden the host with EDR and credential protections — Enforce EDR, tamper protection, ASR rules, LSASS protections, and local admin reduction so a single foothold does not immediately become credential theft. Roll this out within 30 days on every host that cannot yet be upgraded.
  4. Validate ESU and support exceptions — For Windows Server 2012/2012 R2 or cloud-hosted edge cases, confirm whether the host is actually covered by ESU or another vendor-backed support arrangement. Complete this validation within 30 days so you do not waste migration effort on false unsupported classifications.
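Steps 2 and 3 are easier to act on with a read-only snapshot of what a legacy host actually exposes. The audit script below is an added example, not part of the noisgate verification payload; it assumes Windows 8 / Server 2012 or later for the SmbShare, NetTCPIP and NetSecurity cmdlets and falls back to netstat and the registry on older hosts.

```powershell
# audit-legacy-exposure.ps1 (added example, not the noisgate verification payload)
# Read-only inventory of the SMB / RDP / WinRM surface that step 2 says to shrink.
# Assumes Windows 8 / Server 2012 or later for the SmbShare, NetTCPIP and NetSecurity
# cmdlets; on older hosts it falls back to netstat and the registry. Run elevated for
# complete SMB1 feature visibility.
$ErrorActionPreference = 'SilentlyContinue'
$findings = @()

# 1. SMBv1: the server-side protocol flag is authoritative where the cmdlet exists;
#    the optional-feature check covers client SKUs (Server SKUs use Get-WindowsFeature FS-SMB1).
if (Get-Command Get-SmbServerConfiguration) {
    if ((Get-SmbServerConfiguration).EnableSMB1Protocol) { $findings += 'SMBv1 server protocol ENABLED' }
}
$smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
if ($smb1 -and $smb1.State -eq 'Enabled') { $findings += 'SMB1Protocol optional feature installed' }

# 2. RDP: is it enabled, and does it require Network Level Authentication before the logon screen?
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
if ($ts.fDenyTSConnections -eq 0) {
    $rdpTcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $msg = 'RDP enabled'
    if ($rdpTcp.UserAuthentication -ne 1) { $msg += ' WITHOUT Network Level Authentication' }
    $findings += $msg
}

# 3. Listening management ports; netstat fallback when Get-NetTCPConnection is missing
$ports = @{ 445 = 'SMB'; 3389 = 'RDP'; 5985 = 'WinRM HTTP'; 5986 = 'WinRM HTTPS' }
if (Get-Command Get-NetTCPConnection) {
    $listening = Get-NetTCPConnection -State Listen | ForEach-Object { [int]$_.LocalPort }
} else {
    $listening = netstat -ano -p tcp | ForEach-Object {
        if ("$_" -match ':(\d+)\s+\S+\s+LISTENING') { [int]$matches[1] } }
}
foreach ($p in ($listening | Where-Object { $ports.ContainsKey($_) } | Sort-Object -Unique)) {
    $findings += ('{0} listening on TCP {1}' -f $ports[$p], $p)
}

# 4. Host firewall profiles: a disabled profile means nothing local is filtering east-west traffic
if (Get-Command Get-NetFirewallProfile) {
    foreach ($prof in Get-NetFirewallProfile) {
        if ($prof.Enabled -eq 'False') { $findings += ('Firewall profile {0} DISABLED' -f $prof.Name) }
    }
}

if ($findings.Count -eq 0) { Write-Output 'No legacy exposure findings'; exit 0 }
$findings | ForEach-Object { Write-Output "EXPOSED: $_" }
exit 1
```

Each EXPOSED line maps directly onto a step 2 or step 3 action (disable SMBv1, require NLA or firewall RDP, remove WinRM listeners, re-enable the host firewall), so the output doubles as the per-host work list.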
What doesn't work
  • MFA on user logons alone doesn't solve this; pre-auth network services like SMB/RDP bugs do not care about your SaaS MFA posture.
  • Monthly vulnerability scans alone don't reduce risk; they just keep rediscovering the same unsupported host until you segment, retire, or upgrade it.
  • Perimeter AV signatures are weak compensation; the dangerous part is exposed legacy protocol surface and missing vendor support, not a single malware hash.
06 · Verification

Crowdsourced verification payload.

Run this on the target Windows host from an elevated or standard PowerShell session; local admin is helpful for complete hotfix visibility but usually not required. Save as check-unsupported-windows.ps1 and run powershell -ExecutionPolicy Bypass -File .\check-unsupported-windows.ps1; it prints exactly VULNERABLE, PATCHED, or UNKNOWN and exits 1, 0, or 2 respectively.

# check-unsupported-windows.ps1
# Outputs exactly one of: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

$ErrorActionPreference = 'Stop'

function Finish([string]$status, [int]$code) {
    Write-Output $status
    exit $code
}

try {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $product = [string]$cv.ProductName
    $displayVersion = [string]$cv.DisplayVersion   # absent on older releases; empty string then
    $releaseId = [string]$cv.ReleaseId             # older Windows 10 naming; empty string if absent
    $edition = [string]$cv.EditionID
    $build = [int]$cv.CurrentBuildNumber

    # Helper: latest hotfix date if available (local admin gives the most complete view)
    $latestHotfix = $null
    try {
        $hf = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending | Select-Object -First 1
        if ($hf) { $latestHotfix = [datetime]$hf.InstalledOn }
    } catch {}

    # Definitely unsupported client/server families
    $definitelyUnsupported = @(
        'Windows XP', 'Windows Vista', 'Windows 7', 'Windows 8', 'Windows 8.1',
        'Windows Server 2003', 'Windows Server 2008', 'Windows Server 2008 R2'
    )
    foreach ($name in $definitelyUnsupported) {
        if ($product -like "*$name*") {
            Finish 'VULNERABLE' 1
        }
    }

    # Windows Server 2012 / 2012 R2: lifecycle ended 2023-10-10, but ESU can apply.
    # A hotfix within the last 120 days suggests ESU coverage, so hand that case to a human.
    if ($product -match 'Windows Server 2012 R2|Windows Server 2012') {
        if ($latestHotfix -and $latestHotfix -ge (Get-Date).AddDays(-120)) {
            Finish 'UNKNOWN' 2
        } else {
            Finish 'VULNERABLE' 1
        }
    }

    # Windows 11 generally supported, but unusual editions may need manual review.
    # ProductName in this registry key still reads "Windows 10 ..." on Windows 11, so key off
    # the build number (Windows 11 starts at build 22000) before the Windows 10 branch below.
    if ($build -ge 22000 -or $product -match 'Windows 11') {
        Finish 'PATCHED' 0
    }

    # Windows 10 support is edition/release dependent. Treat LTSC/LTSB/IoT as UNKNOWN.
    if ($product -match 'Windows 10') {
        if ($product -match 'LTSC|LTSB|IoT') {
            Finish 'UNKNOWN' 2
        }

        $win10FinalSupport = Get-Date '2025-10-14'
        $ver = if ($displayVersion) { $displayVersion } else { $releaseId }

        if ($ver -eq '22H2') {
            if ((Get-Date) -le $win10FinalSupport) {
                Finish 'PATCHED' 0
            } else {
                Finish 'VULNERABLE' 1
            }
        } elseif ($ver) {
            # Any earlier Windows 10 release is past its servicing end date.
            Finish 'VULNERABLE' 1
        } else {
            Finish 'UNKNOWN' 2
        }
    }

    # Supported server families commonly seen in enterprise.
    if ($product -match 'Windows Server 2016|Windows Server 2019|Windows Server 2022|Windows Server 2025') {
        Finish 'PATCHED' 0
    }

    Finish 'UNKNOWN' 2
}
catch {
    Finish 'UNKNOWN' 2
}
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, treat every 108797 hit as legacy Windows exposure that needs triage, not as a literal CVSS-10 incident. First, validate whether the host is truly unsupported or an ESU/support-exception case; then use the noisgate mitigation SLA for a HIGH finding to segment the host and remove unnecessary SMB/RDP/WinRM exposure within 30 days. After that, use the noisgate remediation SLA to upgrade, replace, or decommission the operating system within 180 days; anything internet-facing or admin-tier should be handled at the front of that queue, not at the back.

Sources

  1. Tenable Plugin 108797
  2. Tenable SEoL plugin conversion note
  3. Microsoft Lifecycle - Windows 8.1
  4. Microsoft Lifecycle - Windows Server 2008 R2
  5. Microsoft Lifecycle - Windows Server 2012 R2
  6. Microsoft Lifecycle - Windows 10 Home and Pro
  7. CISA Known Exploited Vulnerabilities Catalog
  8. NVD - CVE-2019-0708 BlueKeep