Microsoft patched this in December 2018. Unpatched 4.0.30319 systems remain at risk.
: Various vulnerabilities exist where the framework fails to properly validate input, potentially allowing an attacker to take full control of the affected system. microsoft net framework 4.0 v 30319 vulnerabilities
Unpatched .NET Remoting endpoints (TCP or HTTP channels) allow an unauthenticated attacker to send a crafted serialized object that, when deserialized by the framework, executes arbitrary code with the permissions of the hosting process (often SYSTEM for IIS-hosted apps). Microsoft patched this in December 2018
Its retirement means known, weaponized vulnerabilities (RCE, EoP, crypto attacks) remain unpatched. Organizations must prioritize migrating any application still locked to this runtime to .NET Framework 4.8 (which is fully backward compatible for 99% of 4.0 code) or .NET 6/8 (Core). when deserialized by the framework