Vulnerability reporting on systems on extended support


Please could someone confirm whether InsightVM continues to report vulnerabilities on systems that are still available with extended support, even if extended support hasn't been purchased?

For example, Windows Server 2012 went out of support on 10 October 2023, but patches are still available to resolve vulnerabilities if you have extended support, for up to 3 years. How should a Server 2012 system that was patched up to October 2023 and isn't on extended support appear in InsightVM? Will the number of vulnerabilities continue to increase based on the extended support patches and vulnerabilities?

We have a few such systems and I'm not really seeing any evidence either way (some devices show very few vulns whereas others show many more), and I'm not clear on how this is supported by Rapid7.


From what I see, InsightVM reports vulnerabilities even after end of support. The vulnerability count will increase if you do not get patches with extended support. The issue I have is that it will report the system as vulnerable due to end of support, and there is no way to specify that you have extended support.