Legacy VPN End-of-Life in 2026: The Enterprise Remote-Access Watchlist

Every major SSL VPN and edge gateway is now EOL or actively exploited. See the 2026 watchlist and how to migrate to Zero Trust before NIS2 bites.
IT security manager reviewing server infrastructure on a tablet during a legacy VPN to ZTNA migration

If you still run an SSL VPN or edge gateway for remote access in 2026, it has quietly become your most exploited attack surface. Every major vendor on this page — Fortinet, Cisco, Ivanti, Citrix, Palo Alto, SonicWall, Check Point, Microsoft, Barracuda, WatchGuard — has either retired a product line, stripped out SSL VPN, or shipped an actively exploited pre-authentication flaw in the past two years. Swapping one appliance for a newer appliance repeats the mistake. The durable fix is Zero Trust Network Access (ZTNA), which removes the public listener attackers depend on.

Key takeaways

  • Legacy VPNs were the entry point in 73% of verified ransomware intrusions in 2025, up from 38% in 2023 (Coalition Cyber Claims Report).
  • Ten major remote-access product lines are end-of-life, deprecated, or under active exploitation as of 2026. The table below is your triage list.
  • The weakness is architectural, not a run of bad patches: an internet-facing listener plus implicit network trust.
  • A like-for-like refresh (ASA to Firepower, SMA 100 to SMA 1000) carries the same flaws forward.
  • Under Belgium’s Loi NIS2, knowingly running an EOL or exploited gateway can put personal fines and management bans on your board.

The 2026 remote-access gateway watchlist

Here is the triage list. If your product shows an EOL date already in the past or a CVE in the “actively exploited” column, treat it as a live incident risk rather than a roadmap item.

Vendor & product Lifecycle status Peak exploited CVE (CVSS / CISA KEV) Recommended move
Fortinet FortiGate SSL VPN 7.4.x engineering support ends 11 May 2026; SSL VPN tunnel mode removed in 7.6.3+ CVE-2024-21762 (9.8 / KEV Feb 2024) IPsec (interim) or ZTNA/SASE
Cisco ASA 5500-X / AnyConnect 5506/08/16-X support ends 31 Aug 2026 CVE-2025-20333 (9.8) + CVE-2025-20362 (KEV Sep 2025) Cisco Secure Client/FTD or ZTNA/SASE
Ivanti Connect Secure (ex-Pulse) Legacy PSA appliances EOL 23 Dec 2025 CVE-2025-0282 / -0283 (critical RCE, exploited) Ivanti ISA / Neurons or ZTNA
Citrix NetScaler Gateway 13.1 EOL 15 Sep 2026 (13.0 EOL Jul 2024) CVE-2025-5777 “CitrixBleed 2” (KEV Jul 2025) 14.1 or ZTNA/SASE
Palo Alto GlobalProtect App 6.0/6.1 EOL 31 Dec 2025 CVE-2026-0257 (7.8 / KEV May 2026); CVE-2024-3400 (10.0) App 6.3 / Prisma or ZTNA
SonicWall SMA 100 Hard EOL 31 Oct 2025; security features deactivated Active Akira ransomware exploitation SMA 1000 / CSE or ZTNA
Check Point Remote Access VPN R81.10 EOL Mar 2026 CVE-2026-50751 (9.3 / active zero-day) R82+ / Harmony or ZTNA
Microsoft DirectAccess Deprecated Jun 2024; final in Windows Server 2025 CVE-2026-33824 (9.8, IKEEXT RCE) Always On VPN / Entra Private Access or ZTNA
Barracuda SSL VPN / CloudGen BVS EOL 2020; CloudGen Firewall 9.0 EoS Mar 2027 CVE-2023-2868 (KEV May 2023) CloudGen Access (ZTNA)
WatchGuard Firebox T/M T35 EOL 31 Dec 2025 CVE-2025-14733 (9.3 / active Dec 2025) Newer Firebox or ZTNA

Fortinet FortiGate SSL VPN

FortiOS 7.4.x engineering support ends 11 May 2026, with full end of support on 11 November 2027. The dates matter less than the deletion: Fortinet has removed SSL VPN tunnel mode entirely from FortiOS 7.6.3 and later, and the upgrade wipes existing SSL VPN configurations from both the GUI and CLI. An unplanned firmware update therefore locks out every remote user at once. CVE-2024-21762 (CVSS 9.8) has sat on CISA’s KEV list since February 2024. Our SSL VPN deprecation timeline walks through the migration specifics.

Cisco ASA 5500-X / AnyConnect

Support for the last holdouts — the 5506-X, 5508-X and 5516-X — ends 31 August 2026; the 5525/45/55-X models already passed end of support in September 2025. The 2025 pair CVE-2025-20333 (RCE, CVSS 9.8) and CVE-2025-20362 (KEV, September 2025) is being chained in the wild. Because this hardware predates Secure Boot and Trust Anchor, attackers can plant ROMMON-level implants that survive reboots and re-imaging, so a compromised ASA is not fully cleaned by a firmware refresh. For these boxes, moving remote access to cloud-delivered SASE avoids buying another appliance that carries the same exposure.

Ivanti Connect Secure (ex-Pulse Secure)

Legacy PSA appliances reached hard end-of-life on 23 December 2025; classic 9.1x software lost support a year earlier. CVE-2025-0282 and CVE-2025-0283 have been exploited in the wild, and post-exploitation malware such as RESURGE is written specifically to survive vendor hotfixes. Patching a box that is already carrying an in-memory implant does not put you back to safe, which is why the durable fix is to retire the appliance rather than upgrade it.

Citrix NetScaler Gateway

NetScaler 13.1 reaches end-of-life on 15 September 2026; 13.0 already died in July 2024. CitrixBleed 2 (CVE-2025-5777) landed on CISA KEV on 10 July 2025 and lets attackers replay leaked session tokens to hijack sessions and skip MFA. There is also a trap for upgraders: the jump to 13.1 drops classic policy expressions, which can lock out users whose access relies on them, and the License Activation Service transition is mandatory by 15 April 2026. Patching closes the leak but does not evict an attacker who already replayed a stolen session, so an exposed gateway should move to ZTNA rather than stay on the appliance.

Palo Alto GlobalProtect

GlobalProtect app 6.0 and 6.1 reached end-of-life on 31 December 2025. CVE-2024-3400 (CVSS 10.0) set the pattern in 2024; CVE-2026-0257 extends it by letting unauthenticated attackers forge authentication-override cookies and stand up full VPN sessions without triggering MFA.

SonicWall SMA 100

The SMA 100 series (210, 410, 500v) reached hard end-of-life on 31 October 2025, and SonicWall has switched off the cloud-delivered controls — WAF, Capture ATP, endpoint control — that made these boxes defensible. Ransomware crews, Akira in particular, are already inside them; At-Bay tracked a 300% jump in SonicWall-related insurance claims between Q2 and Q3 2025 as the SMA flaws were weaponised.

Also on the list

Check Point Remote Access VPN on R81.10 reached end-of-life in March 2026 and is being hit through deprecated IKEv1 certificate logic (CVE-2026-50751), with Qilin affiliates bypassing authentication outright. Microsoft DirectAccess was formally deprecated in June 2024, with Windows Server 2025 as its final host. Barracuda’s original SSL VPN has been obsolete since 2020, and its CloudGen Firewall 9.0 LTS reaches end-of-support in March 2027. WatchGuard’s Firebox T35 reached end-of-life on 31 December 2025 amid active exploitation of CVE-2025-14733, which gives unauthenticated attackers a shell through malformed IKEv2 packets.

Why do these appliances keep getting breached?

This is not ten unrelated vendor mistakes. It is one architecture failing in the same three ways. You can read the deeper numbers in our legacy VPN risk report, but the mechanics are worth spelling out.

An internet-facing listener you cannot hide

Every SSL VPN needs a public IP and an open port — usually TCP 443 — that answers the whole internet. Scanners such as GreyNoise catalogue new gateways within minutes of deployment, and attackers go straight for the parsing and cryptographic code before any credential is checked. That is exactly why pre-authentication RCE keeps recurring on this list. ZTNA inverts the model: lightweight connectors make outbound-only connections to a broker, so the private network exposes no inbound port at all. Someone scanning your public range finds nothing to probe.

Implicit trust once a user is “inside”

A legacy VPN drops the remote device onto the corporate network with a local IP and Layer 3/4 reach across the subnet. One stolen credential set becomes lateral movement across everything behind the gateway. ZTNA never places the user on the network. The broker maps a verified identity and a healthy device to one authorised application, so a compromised account reaches that single app and cannot scan or pivot.

Patch windows measured in weeks, attackers in seconds

Patching an appliance means a maintenance window and a reboot. The Verizon 2025 DBIR puts the median time to fully remediate an exposed edge device at 32 days. Over that same window, Mandiant’s M-Trends 2026 clocks the median hand-off from initial-access broker to ransomware operator at 22 seconds, because the follow-on tooling is pre-staged the moment the box is popped. Legacy firmware also runs without EDR, so in-memory implants like BRICKSTORM operate unseen. The scale is hard to argue with now: Coalition attributes 87% of ransomware claims to remote-access services and 73% specifically to legacy VPN compromise.

What to do instead: migrating to ZTNA

Three things change on the first day of a ZTNA rollout, and none of them are cosmetic:

  • Policy moves from port-and-IP firewall matrices to identity rules — “Accounting can reach the ERP host on 443,” nothing more.
  • The heavy VPN client with its virtual adapters gives way to a light agent, or an agentless browser portal for most users.
  • Verification becomes continuous. Device posture and context are re-checked mid-session, and access is revoked automatically if compliance slips, rather than trusted from login onward.

Two pitfalls catch lean mid-market teams. The first is buying an enterprise megavendor platform — Zscaler, Palo Alto, Cisco — and drowning in mandatory agents, weeks of training, and opaque licensing designed for multinationals. The second is forgetting that some applications still lean on Active Directory joins or SMB file shares, which a cloud-only cutover can break; a real migration supports hybrid authentication instead of forcing a forklift replatform.

European organisations face a third factor. US-headquartered SASE providers fall under the CLOUD Act and FISA, which can compel access to data regardless of where it physically sits. For a Belgian or EU firm handling GDPR-regulated or public-sector data, that exposure is a compliance conflict baked into the vendor choice. This is where Jimber fits the shortlist: a Belgium-based, EU-sovereign SASE and ZTNA platform that keeps traffic and access data inside European jurisdiction, delivered through an agentless browser portal built for mid-market teams rather than for global enterprises. Treat it as one option among several and compare on sovereignty and operational simplicity, not only feature counts. If you want the vendor-by-vendor detail, the VPN alternative use case and our network isolation approach go further.

What NIS2 does to the calculus in Belgium

Migrating off an EOL gateway has stopped being a best practice and become a legal exposure. Belgium transposed the NIS2 Directive through the Loi NIS2 of 26 April 2024, in force since 18 October 2024, with the Centre for Cybersecurity Belgium (CCB) as the single supervisor. It reaches 18 sectors and generally catches organisations with 50 or more employees or turnover above 10 million euro.

Three points matter for anyone still running the products above:

  • The board is personally on the hook. Directors must approve and oversee cyber-risk measures. Where gross negligence is proven — and knowingly running an unpatched, EOL or actively exploited appliance qualifies — regulators can impose personal administrative fines and temporary bans from management functions.
  • The fines are structural. Essential entities face at least 10 million euro or 2% of global annual revenue; important entities at least 7 million euro or 1.4%.
  • The clock is tight. A significant incident triggers an early warning within 24 hours, a full notification within 72 hours, and a final report within one month, all filed through the Safeonweb@Work portal.

Belgium’s CyberFundamentals (CyFun) framework gives you a presumption of conformity with those obligations. Its Basic tier of 34 controls is estimated to block up to 82% of the attacks CERT.be has catalogued, and essential entities had to show at least CyFun Basic or Important verification by 18 April 2026. One detail catches smaller firms off guard: NIS2 pushes accountability down the supply chain, so even out-of-scope suppliers to hospitals, banks and utilities are being asked to prove CyFun or ISO 27001 to keep their contracts.

Frequently asked questions

What happens if you upgrade a FortiGate to FortiOS 7.6.3 without migrating SSL VPN first?

The active SSL VPN configuration is deleted during the upgrade. Fortinet does not translate or preserve it in the GUI or CLI, so remote users are locked out the moment the firmware lands and stay out until you build an alternative access path. Plan the migration before you touch the firmware.

Is moving from SSL VPN to IPsec on the same firewall a real fix?

No. IPsec still needs a publicly exposed inbound listener (UDP 500/4500) that scanners can see, and it still grants Layer 3/4 network access, so lateral movement remains possible after a single credential compromise. It buys time, not security.

What are the deadlines for Microsoft’s DirectAccess deprecation?

Microsoft formally deprecated DirectAccess in June 2024 and named Windows Server 2025 as the final release to include it. It keeps working through that OS’s lifecycle but will be absent from future Windows Server releases. Plan a move to Always On VPN or, better, a ZTNA architecture before you lose it.

Our SonicWall SMA 100 is end-of-life. Can we keep basic VPN tunnels running?

It is a bad bet. Basic tunnels may keep working on perpetual licences, but SonicWall has deactivated the WAF, Capture ATP, cloud management and endpoint control, and Akira ransomware is actively targeting these devices. Keeping them online also puts you in breach of NIS2 security obligations.

What is the difference between CyFun Basic, Important and Essential, and the Belgian deadlines?

Basic covers 34 controls for smaller in-scope and important entities; Important covers 132 for critical-sector important entities; Essential covers 217 for essential entities and critical infrastructure. Essential entities had to submit proof of at least CyFun Basic or Important verification by 18 April 2026, with full audited Essential certification due by April 2027.

Can board directors be personally liable under the Belgian Loi NIS2?

Yes. Executive directors and board members can face personal administrative fines where gross negligence is proven, such as maintaining deprecated, unpatched or EOL remote-access gateways, and the CCB can temporarily ban them from exercising management functions.

What incident-reporting windows must Belgian organisations support under NIS2?

An early warning within 24 hours of detecting a significant incident, a detailed notification within 72 hours, interim updates on the CCB’s request, and a final post-mortem report within one month, all through the Safeonweb@Work portal.

We have had bad experiences with heavy ZTNA clients. Is ZTNA always that complex?

No. The complexity usually comes from enterprise-targeted platforms that mandate heavy client agents and specialised training. Mid-market-focused, EU-sovereign options such as Jimber run through an agentless browser portal, which removes the agent-management overhead entirely.

Move off the watchlist before an attacker moves you

If your gateway is on this list, assume it is already being scanned. Map your remote-access dependencies, pick one application group, and pilot a ZTNA cutover this quarter instead of budgeting another appliance for next year. Book a Jimber demo to see an agentless, EU-sovereign migration path, or compare it against your current renewal.

Find out how we can protect your business

In our demo call we’ll show you how our technology works and how it can help you secure your data from cyber threats.

Cybersecurity
Are you an integrator or distributor?

Need an affordable cybersecurity solution for your customers?

We’d love to help you get your customers on board.

checkmark

White glove onboarding

checkmark

Team trainings

checkmark

Dedicated customer service rep

checkmark

Invoices for each client

checkmark

Security and Privacy guaranteed