Six Hundred And Seventy Fixes, One Recurring Invoice
On July 14, 2026, Microsoft shipped KB5099539, an extended security update for Windows 10 bundling the July Patch Tuesday release. BleepingComputer reported the cumulative update addresses 570 vulnerabilities across the Windows 10 codebase — a high count that likely reflects the cumulative nature of ESU rollups since mainstream support ended in October 2025. What separates KB5099539 from a routine Patch Tuesday release is who actually receives it: only devices enrolled in Microsoft's Extended Security Updates (ESU) program get the fixes at all.
The Price Of Staying Patched
Extended support for an end-of-life operating system was never free, and Windows 10 follows the structure Microsoft used for Windows 7: a per-device fee that doubles annually for enterprise customers. Enrollment costs $61 per device in year one, $122 in year two, and $244 in year three — a cumulative $427 per machine across the maximum three-year window, before counting the internal labor of tracking which endpoints are enrolled and which aren't. For an organization running several thousand endpoints past end-of-life, that arithmetic turns a deferred upgrade into a recurring, escalating line item.
A Familiar Shape At The Web Layer
WebPulse doesn't track operating systems, but the mechanics behind KB5099539 describe a pattern it does track in production web software: a platform reaches the end of its supported life, vulnerabilities keep arriving anyway, and someone has to decide whether to pay to keep receiving fixes, migrate off the platform, or run it unpatched. Windows 10 at least has a published price attached to that third option — a defined ESU tier running through 2028. Most open-source CMS and framework ecosystems lack a standardized, vendor-published ESU-style program — commercial extended-support tiers exist from vendors like Acquia and WordPress VIP, but they are the exception rather than the default. For the majority of legacy web software, when community maintenance ends, patches simply stop.
The KEV catalog lists operating systems, browsers, and web application software side by side, and WebPulse's own detection sample sits downstream of the same dynamic: production software that keeps running years past its maintenance window, absorbing risk with no comparable per-device sticker price attached to it.
What This Means For Budget Owners
KB5099539 is a useful reference point for anyone approving security budgets: it puts an exact number on what running old infrastructure costs per machine, per year, with a published expiration date attached. Web infrastructure running past its own maintenance window carries a comparable risk — it is just rarely priced as transparently as a $61-to-$244 licensing tier. Reviewing which production systems, operating or web-facing, are running past vendor support is as much a budgeting exercise as a technical one.


