Legacy OS's are not secure.
And That Includes Windows 10...
Every time new Windows 10 CVEs hit the wire, I can practically hear that old chorus from back in September and October:
“Relax. Windows 10 is still totally fine.”
Or, even better:
“Just install Windows 7, it still works!”
CVE-2025-62215: A “race condition” flaw in the Windows Kernel allows a local, low-privilege attacker to escalate to SYSTEM privileges (CVSS 7.0). If you’re on Windows 10, that means the OS kernel you rely on is attackable from the inside. This one requires some skill and setup to execute, but if done correctly, the bad guys can hijack Windows’ built-in super-admin account, SYSTEM.
CVE-2025-60724: A heap-based buffer overflow in Microsoft’s Graphics Component (GDI+) lets a remote attacker execute arbitrary code via specially crafted metafiles; think convincing image/document uploads that bypass user interaction. CVSS 9.8. This one is just plain dangerous.
CVE-2025-62199: A use-after-free vulnerability in Microsoft Office enables code execution when a user opens or previews a malicious file (even via the Preview Pane). CVSS 7.8, and yes, Windows 10 is in scope. Almost as dangerous as the previous CVE, limited only by its requirement for MS Outlook. The fact that it just needs to load in the Preview Pane is particularly concerning.
Three more reminders that Windows 10 is no longer being engineered for long-term safety. It’s being kept on life support out of politeness, and only through paid Extended Security Updates if you explicitly opt in.
Let’s be clear: Microsoft isn’t planning this forever. The company has shifted its security engineering, kernel hardening, mitigations, and vulnerability-research pipelines to Windows 11 and beyond. That is where the investment is. Windows 10 is receiving what can best be described as maintenance-grade patching, just enough to keep the lights on, not enough to keep pace with modern threat actors.
This matters because attackers do not care about your comfort zone. They are not waiting for your upgrade cycle or your “I’ll deal with it next quarter” mood. They innovate continuously, and the older the OS, the more predictable its defensive posture becomes. That’s why CVEs on legacy platforms pile up like overdue library books.
Some people insist that not upgrading to Windows 11 is a principled stand against UI changes, telemetry concerns, or hardware requirements. That’s fine. Preferences are allowed, and I am the last person to interfere with anyone's convictions. But let’s stop pretending preference and security posture are the same thing. They are not. And by necessity, the latter does indeed restrict the former (and vice versa!).
Running an operating system with declining patch velocity and an expanding vulnerability surface is not “tech skepticism.” It is a risk profile. One where you inherit all the risk, while attackers inherit all the opportunity.
This does not mean everyone needs to love Windows 11. If you want to take the Linux plunge, switch to macOS, or hand-crank a Babbage Engine in your living room, please, be my guest. However, relying on Windows 10 in 2025 is increasingly equivalent to ignoring the smoke alarm because the beeping is annoying.
I was a huge fan of Windows 98SE and Windows 2000 NT, but I do not pretend they are viable daily drivers in 2025.
If you want to stay informed with more straight-talk from someone who’s been in IT long enough to have installed, used, and managed all of these systems, you know where to find me.
Detailed information on the vulnerabilities discussed in this article can be found below:
https://nvd.nist.gov/vuln/detail/CVE-2025-62215
https://nvd.nist.gov/vuln/detail/CVE-2025-60724
https://nvd.nist.gov/vuln/detail/CVE-2025-62199
