Updated: June 18, 2026
The breach at a Bengaluru lender did not start with a clever attacker. It started with a switch that had stopped receiving updates in 2024 and a network team that had not noticed. The intruder did not break the firewall. He walked in through a core switch that was three versions behind on software and carried a published vulnerability nobody had patched, because the vendor no longer issued patches for it. By the time the security team saw the traffic, customer records had been moving out of the building for nine days.
The post-mortem found the switch had passed its last date of support eighteen months earlier. It was, in the language of the auditors who arrived next, an unmaintained asset processing personal data. In the language of the board, it was the reason the company was now explaining itself to a regulator.
If you run security, you spend your budget on the things attackers are supposed to use: endpoints, identity, the firewall, the SOC. The switch in the riser cupboard rarely makes the list. It should. End-of-life network hardware is the quietest large risk on your estate, and as of late 2025, it is also a named legal liability.
End-of-life is a chain of vendor milestones, and only one of them governs your risk. End-of-sale means the product is no longer for sale. The date that matters is the last date of support: after it, Cisco issues no software updates, no fixes and no security patches for that model, whatever vulnerability is later found (Cisco end-of-life policy).
The consequence is permanent, not temporary. After the last date of support, a new flaw in that switch is never fixed. The device keeps running, carries traffic perfectly, and accumulates every vulnerability discovered after its clock stopped. Uptime tells you nothing about exposure. A switch can be both completely reliable and completely indefensible, and most CISOs measure the first while attackers exploit the second.
No, and network hardware is a worse place to carry this risk than a server. A critical flaw on a server gets patched within the week. The same flaw on an unsupported switch can sit for years, for three reasons.
Network hardware is invisible to the tools you trust. Endpoint detection does not run on a switch. Vulnerability scanners often see it as a single line, if at all. It sits below the layer most security tooling watches. It is also the worst thing to lose: a switch or router moves everyone's traffic, so an attacker who owns the fabric can redirect, copy and intercept data without touching a protected endpoint. And it is forgotten by design, because working hardware does not announce that its support has ended. Do you know, today, the last date of support for every switch and router carrying your customers' data?
Yes, by implication, and that is the change every Indian CISO needs to register. India's Digital Personal Data Protection Rules were notified in November 2025, giving organisations until 13 May 2027 to comply. The Act requires every data fiduciary to maintain "reasonable security safeguards" and sets the penalty for failing to do so at up to ₹250 crore (DPDP Rules 2025, MeitY/EY analysis).
No ruling has yet tested whether a switch past its last date of support counts as a reasonable safeguard. You do not want to be the case that settles it. An asset that cannot receive a security patch, processing personal data, is close to the definition of unreasonable. When a breach runs through that asset, the regulator asks one question your network diagram answers for you: did you know it was unsupported, and did you act?
The milestones look bureaucratic until you read the right-hand column. This is what your security posture actually does as a product ages:
| Milestone | What it means | Your security status |
|---|---|---|
| End-of-Sale (EoS) | Product can no longer be purchased | Fully supported; patches continue |
| End of Software Maintenance | Routine bug-fix releases stop | Security fixes only; plan the refresh now |
| End of Vulnerability/Security Support | Cisco stops issuing security fixes | New CVEs go unpatched; high risk |
| Last Date of Support (LDoS) | No updates, TAC, RMA or patches at all | Unmaintained asset; audit and DPDP exposure |
The lesson of the table is that your exposure begins before the final date. By the time you hit the last date of support, you have usually been without security fixes for some while already. Refresh planning should start at end-of-sale, not at the cliff edge.
Auditors flag it first, because it is the easiest finding to prove: a serial number and a date, no judgement required. It lands in your report as a known, unremediated risk, the phrase that turns a breach from misfortune into negligence. Your cyber-insurer reads the same evidence. Policies increasingly ask whether you run supported hardware, and a claim arising from a known end-of-life device is the kind insurers decline.
So one unsupported switch quietly raises three bills at once: the breach you might suffer, the audit finding you will certainly receive, and the premium rise or refused claim that follows. None of them appears in the budget line you saved by leaving it in the rack.
You already know the hardware needs replacing. The problem has been funding it against shinier projects. Reframe it. A network refresh is not a hardware upgrade; it is the removal of a named, dated, board-level liability before a deadline that now exists in law.
Start with one inventory: every switch and router, its last date of support, and whether it touches personal data. Sort by the worst combination, expired support and sensitive traffic, and you have your priority list and your business case on a single page. A board does not fund "newer switches". It funds "closing the audit findings and the DPDP gap before May 2027". Same money, very different sentence. Which version of that sentence would you rather present after an incident?
Most CISOs do not have a current, accurate map of what is unsupported on their network. That map is where this conversation starts.
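One way to build that single-page priority list from the inventory described above, as an added example that is not part of the original article. The CSV columns, hostnames, models, dates and the scoring weights are all assumptions constructed for illustration; real milestone dates must come from the vendor's published end-of-life notices.

```python
import csv
import io
from datetime import date

# Constructed sample inventory: hostnames, models and dates are hypothetical.
INVENTORY_CSV = """\
hostname,model,end_of_security_support,last_date_of_support,personal_data
core-sw-01,MODEL-A,2023-06-30,2024-12-31,yes
lab-sw-03,MODEL-A,2023-06-30,2024-12-31,no
dist-sw-02,MODEL-B,2025-01-31,2026-09-30,yes
edge-rtr-04,MODEL-C,2028-03-31,2030-03-31,yes
branch-sw-05,MODEL-D,,,yes
"""

# Assumed weighting (not from the article): higher means less defensible.
SEVERITY = {"unsupported": 3, "no-security-fixes": 2, "unknown": 2, "supported": 0}


def lifecycle_status(row, today):
    """Map a device's milestone dates to its security status on `today`."""
    eoss, ldos = row["end_of_security_support"], row["last_date_of_support"]
    if not eoss or not ldos:
        return "unknown"  # a missing date is itself a finding
    if today > date.fromisoformat(ldos):
        return "unsupported"
    if today > date.fromisoformat(eoss):
        return "no-security-fixes"
    return "supported"


def prioritise(csv_text, today):
    """Return (hostname, status, score) tuples, worst combination first."""
    ranked = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        status = lifecycle_status(row, today)
        score = SEVERITY[status]
        # Personal data only raises priority when the device is already at risk.
        if score and row["personal_data"].strip().lower() == "yes":
            score += 2
        ranked.append((row["hostname"], status, score))
    # sorted() is stable, so ties keep inventory order.
    return sorted(ranked, key=lambda r: -r[2])


if __name__ == "__main__":
    for host, status, score in prioritise(INVENTORY_CSV, date(2026, 6, 18)):
        print(f"{score}  {host:<14} {status}")
```

A device with no recorded milestone dates is ranked alongside one that has already lost security fixes, so gaps in the inventory surface near the top instead of passing as supported.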
Proactive Data Systems is a 35-year-old system integrator with more than 1,500 customers and a Cisco Preferred Partner status in Networking, Security, Collaboration, Cloud and AI, and Services. We run a lifecycle and security assessment of your switching and routing estate: what has passed the last date of support, what is approaching it, what is exposed, and what touches regulated data, mapped to a phased refresh you can defend to a board and an auditor. Because we hold both the networking and the security practice, the fix closes the gap rather than moving it, with CCIE-led design and a 24x7 NOC in India behind it.
Not sure what is quietly unsupported on your network? Ask Proactive for a lifecycle and risk assessment. Better you find the switch nobody patched than an attacker does.
Disclaimer: This article is general information, not legal or compliance advice. Data-protection obligations depend on your organisation's facts and processing. Confirm current DPDP requirements and timelines against the official notification, and verify product lifecycle dates against Cisco's published milestones before acting.