Security has always relied on a gap. Not a gap in defences - a gap in time.
When a vulnerability is discovered, there's a period between when it's found and when it's weaponised. Researchers find the bug, report it, vendors build a patch, customers deploy it. The whole model of software security depends on defenders winning that race. The window is the margin that makes it possible.
That window is shrinking. And for organisations running legacy or non-compliant enterprise software, it may not exist at all.
What the Mythos research actually demonstrated
In April 2026, Anthropic published research on Claude Mythos Preview that should concern anyone responsible for enterprise software security. Their researchers asked the model to find remote code execution vulnerabilities in software they pointed it at. They went to sleep. They woke up to working exploits.
No formal security training required on the part of the people doing the asking. No red team. No specialist tooling beyond the model itself. Just a system running autonomously overnight, working through code the way an experienced security researcher would - except faster, and without fatigue.
The model found vulnerabilities across major operating systems, browsers, and closed-source enterprise software. Thousands of severe security flaws. The findings were significant enough that Anthropic has since been asked to brief the Financial Stability Board - the body that coordinates global financial stability policy across G20 finance ministries and central banks. The IMF has warned that this class of AI capability could turn cyber vulnerabilities into a "macro-financial shock."
What Steve Gibson called it
Steve Gibson has spent more than twenty years doing forensic technical analysis of security research on the Security Now podcast. He read the full Mythos technical disclosure and said there was nothing else he wanted to talk about that week.
His framing is worth understanding. Security has always relied partly on friction - how hard it is to find the bug, how long it takes to build an exploit, how much specialist knowledge is required. These aren't features. They're accidents of how difficult security research is. They've bought defenders time.
Mythos removes the friction. What used to require months of specialist work now takes hours of compute. The attacker's cost of finding and exploiting a vulnerability has dropped dramatically. The defender's window has narrowed accordingly.
And then Gibson asked the question that sits at the heart of this for anyone running enterprise software: what about all that code that's no longer maintained but is still in use?
The specific problem for legacy software
This matters for all enterprise software users. But it matters most for organisations running legacy or unsupported product versions.
When a vendor maintains active support for a product version, a newly discovered vulnerability triggers a patch. The window is narrow - increasingly narrow - but it exists. You can update, deploy, and close the exposure before it's widely weaponised.
When a product version falls outside active support, that process stops. A vulnerability discovered in an end-of-life version today stays there permanently. There is no patch window. There is no race. There is only exposure that compounds over time as more vulnerabilities are found and published - now, increasingly, by AI models running overnight without human intervention.
The OpenText angle
For OpenText customers, there's an additional dimension. Access to security patches is conditional on active licence compliance. Customers who are non-compliant - even partially - may find that patch access is restricted at renewal, without being explicitly told this has happened.
This creates a situation where you're running a current, supported product version - patches exist - but your compliance status has quietly locked you out of them. The practical outcome is the same as running an end-of-life version: permanent exposure to every vulnerability found, by researchers, automated tools, or an AI model running while you slept.
The only available defensive move
You cannot patch an end-of-life product. But you can understand your compliance and support position before a vulnerability is found in your specific deployment.
A licence and support review tells you whether you're eligible for patches on your current version. It tells you whether any of your installed products are approaching or past end-of-life. It tells you what your exposure looks like - financially and from a security posture standpoint - and what it takes to change it.
The threat landscape changed this year. How much visibility you have of your licence and support position should change with it.