There is little, if any, research that follows CVEs from zero-day status until “end of life,” which can mislead cybersecurity practitioners to believe old exploits to be harmless. New research following the lifecycle of a CVE, using recent examples from the underground, will prove that putting off patching can leave organizations susceptible to exploitation for years to come.