Skip to content
Business Efficiency

Windows 10's July Patch Fixed 570 Flaws. Only Paying Devices Got It.

KB5099539 puts an exact, escalating price on staying patched past end-of-life — a reference point for every budget that funds aging infrastructure

· 4 min read
Share on X LinkedIn
Windows 10's July Patch Fixed 570 Flaws. Only Paying Devices Got It.

Six Hundred And Seventy Fixes, One Recurring Invoice

On July 14, 2026, Microsoft shipped KB5099539, an extended security update for Windows 10 bundling the July Patch Tuesday release. BleepingComputer reported the cumulative update addresses 570 vulnerabilities across the Windows 10 codebase — a high count that likely reflects the cumulative nature of ESU rollups since mainstream support ended in October 2025. What separates KB5099539 from a routine Patch Tuesday release is who actually receives it: only devices enrolled in Microsoft's Extended Security Updates (ESU) program get the fixes at all.

570
Vulnerabilities addressed in KB5099539
Source: BleepingComputer, Microsoft Security Response Center (July 14, 2026)

The Price Of Staying Patched

Extended support for an end-of-life operating system was never free, and Windows 10 follows the structure Microsoft used for Windows 7: a per-device fee that doubles annually for enterprise customers. Enrollment costs $61 per device in year one, $122 in year two, and $244 in year three — a cumulative $427 per machine across the maximum three-year window, before counting the internal labor of tracking which endpoints are enrolled and which aren't. For an organization running several thousand endpoints past end-of-life, that arithmetic turns a deferred upgrade into a recurring, escalating line item.

$61 to $244 per device
Windows 10 ESU cost, enterprise tier (Year 1 to Year 3)
Source: Microsoft Volume Licensing Program, Extended Security Updates pricing (2025)

A Familiar Shape At The Web Layer

WebPulse doesn't track operating systems, but the mechanics behind KB5099539 describe a pattern it does track in production web software: a platform reaches the end of its supported life, vulnerabilities keep arriving anyway, and someone has to decide whether to pay to keep receiving fixes, migrate off the platform, or run it unpatched. Windows 10 at least has a published price attached to that third option — a defined ESU tier running through 2028. Most open-source CMS and framework ecosystems lack a standardized, vendor-published ESU-style program — commercial extended-support tiers exist from vendors like Acquia and WordPress VIP, but they are the exception rather than the default. For the majority of legacy web software, when community maintenance ends, patches simply stop.

1,637
Active entries, CISA Known Exploited Vulnerabilities catalog
Source: CISA KEV catalog (July 10, 2026)

The KEV catalog lists operating systems, browsers, and web application software side by side, and WebPulse's own detection sample sits downstream of the same dynamic: production software that keeps running years past its maintenance window, absorbing risk with no comparable per-device sticker price attached to it.

466K+ across 30 frameworks
Sites in WebPulse's detection sample
Source: WebPulse framework detection scan (July 2026)

What This Means For Budget Owners

KB5099539 is a useful reference point for anyone approving security budgets: it puts an exact number on what running old infrastructure costs per machine, per year, with a published expiration date attached. Web infrastructure running past its own maintenance window carries a comparable risk — it is just rarely priced as transparently as a $61-to-$244 licensing tier. Reviewing which production systems, operating or web-facing, are running past vendor support is as much a budgeting exercise as a technical one.

Share this insight