Windows 10 End-of-Life: Why Businesses Delay, the Risks and How to Prepare

Brad LaPorte
30 Sep 2025
8 min read
Legacy Security

The countdown is on: Microsoft will end support for Windows 10 on October 14, 2025. After this date, Windows 10 PCs will no longer receive free security patches, non-security bug fixes, or technical support. For organizations that still rely on the OS, this creates a looming challenge. Unsupported systems become more vulnerable with every passing month, and the costs of delay can quickly mount. 

Despite the urgency, a surprising number of businesses are still running Windows 10. As deadlines draw closer, this gap raises pressing questions: why aren’t more companies moving to Windows 11, what risks are emerging as attackers target Windows 10, and how should businesses prepare for life after EOL?

Many Businesses Still Haven’t Migrated

Industry data makes clear that migration has been uneven. A study by ControlUp of more than one million enterprise endpoints in mid-2025 revealed that half of enterprise devices were still running Windows 10. The picture looks even worse in very large organizations. Enterprises managing more than 10,000 devices reported migration rates of only around 42 percent, suggesting that size and scale remain significant barriers to progress.

The sector breakdown tells a similar story. Education and technology have been leaders in adoption, with approximately three-quarters of devices in those industries already on Windows 11. By contrast, healthcare organizations have only migrated about 41 percent of devices, and finance sits just under 45 percent. These slower-moving industries tend to rely on legacy systems and specialized software, which makes upgrades more complicated.

Even more concerning is that many of the devices still running Windows 10 are technically capable of running Windows 11. They already meet the hardware requirements but remain on the older platform. 

This points to planning, prioritization, and resourcing gaps more than technical barriers.

Why Migration Is Delayed

The reasons businesses continue to delay migration are varied, but they fall into a few consistent themes. The first is hardware readiness. Windows 11 requires certain hardware features, including TPM 2.0 and modern processors, that many older PCs do not support. For large organizations or SMBs with constrained budgets, replacing fleets of machines is a costly undertaking.
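Because the article notes that many Windows 10 devices already meet the Windows 11 hardware bar but have not been moved, the first practical step is an inventory that separates "eligible but not migrated" endpoints from those that genuinely need a hardware refresh or compensating controls. The script below is an added example written for this article, not code from the original post or from Morphisec. It uses only built-in Windows cmdlets (`Get-CimInstance`, `Confirm-SecureBootUEFI`) and Microsoft's published minimums for memory, disk, TPM 2.0, UEFI and Secure Boot; the function name `Get-Win11Readiness` and the classification labels are this example's own choices, and it deliberately does not check the processor against Microsoft's supported-CPU list.

```powershell
# Added example: Windows 11 readiness inventory for a Windows 10 endpoint.
# Run in an elevated PowerShell session on the device (Confirm-SecureBootUEFI
# and the TPM namespace require administrator rights), or wrap the function in
# Invoke-Command for fleet-wide collection. CPU generation is not evaluated here.

function Get-Win11Readiness {
    $os      = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs      = Get-CimInstance -ClassName Win32_ComputerSystem
    $sysDisk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$($env:SystemDrive)'"

    # The TPM class lives in its own namespace; SpecVersion reads like "2.0, 0, 1.59".
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmVersion = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'none' }

    # Confirm-SecureBootUEFI throws on legacy BIOS firmware, which answers the UEFI question too.
    try   { $secureBoot = Confirm-SecureBootUEFI; $uefi = $true }
    catch { $secureBoot = $false;                 $uefi = $false }

    $memoryGB     = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
    $systemDiskGB = [math]::Round($sysDisk.Size / 1GB, 0)
    $build        = [int]$os.BuildNumber

    # Windows 11 ships as build 22000 and later; lower builds are still Windows 10.
    $stillOnWin10 = $build -lt 22000

    # Microsoft's published Windows 11 minimums: 4 GB RAM, 64 GB storage, TPM 2.0, UEFI with Secure Boot.
    $hwReady = ($memoryGB -ge 4) -and ($systemDiskGB -ge 64) -and
               ($tpmVersion -like '2.0*') -and $uefi -and $secureBoot

    $classification = if (-not $stillOnWin10) { 'Already on Windows 11' }
                      elseif ($hwReady)       { 'Eligible, not yet migrated' }
                      else                    { 'Hardware refresh or ESU/compensating controls required' }

    [PSCustomObject]@{
        ComputerName          = $env:COMPUTERNAME
        OSCaption             = $os.Caption
        Build                 = $build
        MemoryGB              = $memoryGB
        SystemDiskGB          = $systemDiskGB
        TpmVersion            = $tpmVersion
        UEFI                  = $uefi
        SecureBoot            = $secureBoot
        StillOnWindows10      = $stillOnWin10
        Windows11HardwareReady = $hwReady
        Classification        = $classification
    }
}

# Usage: collect for this host, or pipe the objects to Export-Csv for a fleet report.
Get-Win11Readiness | Format-List
```

The classification column is the useful output for planning: devices marked "Eligible, not yet migrated" are the planning and resourcing gap the article describes, while the remaining Windows 10 devices are the ones that need a budget line for replacement, ESU, or patchless compensating controls.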

Another key factor is compatibility. Businesses often rely on custom applications, proprietary tools, or specialized peripherals. Testing those against a new operating system takes time, and in some cases, vendors have not yet certified their products for Windows 11. For a hospital running diagnostic equipment or a manufacturer relying on industrial controllers, the risk of breaking critical workflows can outweigh the benefit of upgrading quickly.

Budget also plays a major role. Migration is not simply a matter of flipping a switch. It involves hardware refresh cycles, licensing costs, deployment planning, and staff training. For small and medium-sized businesses in particular, these costs may seem insurmountable when balanced against other operational priorities.

Finally, there is the question of awareness and perception. Many organizations underestimate the risks of running an unsupported operating system or assume Microsoft will extend deadlines further. Others prioritize immediate business needs over long-term IT health, leaving migration on the back burner until a crisis occurs.

Windows 10 Vulnerabilities Are Already Being Exploited

If the risks of delaying migration feel abstract, the reality is that attackers are already targeting Windows 10. A striking example is CVE-2025-29824, a zero-day vulnerability in the Common Log File System (CLFS) driver. Microsoft confirmed that this flaw was actively exploited in the wild by a threat group dubbed Storm-2460. Attackers used it to escalate privileges on compromised machines, deploy backdoors, and ultimately launch ransomware campaigns. Victims included companies in IT, real estate, finance, retail, and software development across several countries.

This is not an isolated case. 

CLFS vulnerabilities have a long history of being exploited by ransomware operators, and 2025’s iteration continues that trend. Other vulnerabilities, such as the WinRAR zero-day (CVE-2025-8088), have been used by the Russian-aligned RomCom group to deliver backdoors and establish persistence. Though not every exploitation chain ends in ransomware, these vulnerabilities demonstrate how attackers use Windows 10 as an entry point for broader campaigns.

When support ends in October 2025, these risks will accelerate. Each new flaw discovered in Windows 10 will remain unpatched unless an organization pays for Extended Security Updates (ESU). Unsupported devices will become permanent soft targets, and attackers are likely to increase their focus on industries or geographies where migration lags. 

For businesses in highly regulated sectors like healthcare and finance, this raises not only security concerns but also compliance risks, as auditors and regulators increasingly view unsupported systems as unacceptable.

Special Extension Offers: ESU as a Bridge, Not a Solution

Microsoft has acknowledged that many users will not be able to migrate before the EOL deadline. To provide breathing room, the company is offering Extended Security Updates (ESU) for Windows 10. These updates will extend security patching until October 2026.

But ESU is a temporary band-aid. It does not provide feature updates, long-term support, or any guarantee that third-party vendors will continue certifying their products for Windows 10. Microsoft has been clear that the intent is to buy organizations time to migrate, not to encourage indefinite reliance on an aging platform.

Best Practices for Managing Legacy Systems

For organizations facing a mix of Windows 10 and Windows 11 environments, the best path forward is a proactive strategy that balances immediate needs with long-term modernization. Businesses should look to newer, more preemptive technologies to defend legacy systems.

Automated Moving Target Defense (AMTD) is the best approach. 

Rather than waiting for patches, AMTD makes it significantly harder for attackers to exploit vulnerabilities by constantly changing the attack surface and preventing unknown code from executing through advanced deception techniques. 

For organizations with legacy applications or hardware that cannot be quickly replaced, adopting patchless protection technologies like AMTD can be the difference between a resilient transition and a catastrophic breach.

Deception Technologies: A Safety Net for Vulnerable Systems

As businesses weigh the risks of staying on Windows 10 after its end-of-life date, one reality stands out: vulnerabilities will continue to be discovered, and unsupported systems won’t receive the patches needed to close those gaps. This is where advanced deception technologies can play a crucial role.

According to Gartner, deception platforms can create realistic decoy assets—servers, networks, data repositories, or user accounts—that lure attackers away from production systems. Once adversaries interact with these decoys, they are funneled into traps and across trip wires, triggering early alerts. Some deception solutions are adaptive, adjusting their appearance based on attacker behavior, which makes it much harder for adversaries to distinguish fake assets from real ones.

The impact is twofold. First, attackers waste valuable time and resources chasing false targets instead of exploiting unpatched systems. Second, defenders gain a high-fidelity view of attacker tactics, techniques, and procedures, which strengthens overall defenses and enriches vulnerability management programs. By capturing accurate, contextual threat intelligence, deception tools reduce false positives and enable more confident decision-making around remediation priorities.

Industries that operate critical systems—healthcare, energy, finance, and government—are at the forefront of adopting deception technologies. These sectors face the greatest risk if unsupported or legacy systems are compromised, since operational disruption could cascade into life-threatening or economically damaging consequences. For example, in healthcare, deception can shield vulnerable imaging equipment or patient record systems still reliant on older OS versions, keeping attackers occupied with decoys while patient care systems remain protected.

The broader market for deception is maturing, with solutions becoming more user-friendly and scalable. However, adoption remains limited by awareness and budget concerns, especially among smaller organizations. For those balancing the cost of migration against the risk of Windows 10 vulnerabilities, deception technologies provide a valuable stopgap—one that enhances resilience, buys defenders time, and integrates well with preemptive approaches like AMTD.

By integrating deception into their security strategy, organizations can better manage the risks tied to legacy operating systems. As Windows 10 fades into obsolescence, deception offers a way to outsmart attackers and protect what matters most in industries where downtime or data loss is simply not an option.

Act Before It’s Too Late

The end of Windows 10 support isn’t just a calendar milestone — it’s a looming security cliff. 

Millions of devices are still running the aging OS, and attackers are already exploiting its vulnerabilities to launch ransomware campaigns. After October 2025, every unpatched system becomes an open door, and the risks will multiply with each passing month.

Relying on short-term fixes like ESU may buy time, but they don’t change the inevitable. The only sustainable path forward is to act now: accelerate migration where possible, harden your defenses, and deploy preemptive technologies like AMTD to protect the systems that can’t be upgraded in time.

Waiting until the deadline is a gamble that could cost millions in damages, downtime, and regulatory fallout. 

The organizations that move today will be the ones prepared for tomorrow.

See how Morphisec’s pioneering AMTD technology can help — book a demo today.

About the author

Brad LaPorte

Chief Marketing Officer

Brad LaPorte is a seasoned cybersecurity expert and former military officer specializing in cybersecurity and military intelligence for the United States military and allied forces. With a distinguished career at Gartner as a top-rated research analyst, Brad was instrumental in establishing key industry categories such as Attack Surface Management (ASM), Extended Detection & Response (XDR), Digital Risk Protection (DRP), and the foundational elements of Continuous Threat Exposure Management (CTEM). His forward-thinking approach led to the inception of Secureworks’ MDR service and the EDR product Red Cloak—industry firsts. At IBM, he spearheaded the creation of the Endpoint Security Portfolio, as well as MDR, Vulnerability Management, Threat Intelligence, and Managed SIEM offerings, further solidifying his reputation as a visionary in cybersecurity solutions years ahead of their time.