What are the risks of using old server hardware?

I bought a used Supermicro server (2011) to host my own web services. I installed Debian 10 Buster and set up a LAMP server. Ports 80 and 443 are only accessible from the internet behind NAT.

The server motherboard model is X9SCM-F. On the Supermicro website it is marked as EOL. Intel 82579LM and 82574L ethernet controllers are marked as "Expected Discontinuance".

What are the risks of using end-of-life server hardware? If my operating system is not compromised, is it possible to exploit a hardware security vulnerability from the internet?

Thanks.


Yes, hardware that old can be a security risk. As a specific example, there are speculative execution side-channel CPU attacks, which cannot be fully fixed in software.

Supermicro X9SCM-F can socket Xeon E3-1200 v2 series. Per Intel security guidance, that family is discontinued. In theory, a BIOS update would get some fixes up until Intel stopped releasing microcode for this CPU, but the Supermicro BIOS updates I found appeared to be too old to have any fixes.

Hardware-level security flaws of this category are not easy to exploit; they require untrusted code that exercises the CPU in a very specific way. They are unlikely to be targeted at most organizations' risk levels, but concerning in that they bypass many isolation techniques.

As to not needing the OS to exploit a hardware vulnerability over the internet, out of band management is risky. Do not put IPMI or similar on the internet, especially when there will be no more security updates for that server model.

In a different category of risk, you are not likely to get help with this hardware. Hardware and software support might not help you, and parts may not be available.
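A defender-side check that follows from this answer, added here as an example and not part of any post on this page: it reads the kernel's own sysfs verdict on the speculative-execution issues (the standard path on Linux 4.15 and later, so it works on Debian 10), groups them, and flags the ones the kernel says remain open for lack of microcode, which is exactly the case where only a BIOS/microcode update would help. Function names and the sample data are mine; the sample is constructed, not captured from the asker's host.

```python
"""Summarise the Linux kernel's verdict on speculative-execution side channels
(sysfs, Linux 4.15+) and flag those that only a BIOS/microcode update can fix."""
from pathlib import Path

SYSFS_VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

def classify(status: str) -> str:
    """Map one sysfs status line to 'ok', 'vulnerable' or 'unknown'."""
    s = status.strip()
    if s.startswith("Not affected") or s.startswith("Mitigation:"):
        return "ok"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"

def needs_microcode(status: str) -> bool:
    """True when the kernel reports the issue as unmitigated because the CPU
    microcode is missing, i.e. the OS alone cannot close it."""
    return classify(status) == "vulnerable" and "microcode" in status.lower()

def summarize(entries: dict) -> dict:
    """entries: {issue_name: sysfs status line} -> issue names grouped by verdict."""
    out = {"ok": [], "vulnerable": [], "unknown": [], "needs_microcode": []}
    for name, status in sorted(entries.items()):
        out[classify(status)].append(name)
        if needs_microcode(status):
            out["needs_microcode"].append(name)
    return out

def read_sysfs(directory: Path = SYSFS_VULN_DIR) -> dict:
    """Read every status file; returns {} on non-Linux hosts or old kernels."""
    if not directory.is_dir():
        return {}
    return {p.name: p.read_text() for p in directory.iterdir() if p.is_file()}

# Constructed sample in the kernel's report format (not from the asker's
# machine): a partially mitigated CPU whose microcode was never updated.
SAMPLE = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "spec_store_bypass": "Vulnerable",
    "mds": "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable",
    "tsx_async_abort": "Not affected",
}

if __name__ == "__main__":
    report = summarize(read_sysfs() or SAMPLE)  # live data if available
    for verdict, names in report.items():
        print(f"{verdict:15s} {', '.join(names) or '-'}")
```

Anything listed under needs_microcode on the real host will stay open until the vendor ships a BIOS with newer microcode, or until Debian's intel-microcode package carries a version newer than what the board's BIOS loads.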


Ports 80 and 443 are only accessible from the internet behind NAT.

NAT does not provide security. Firewalls do. An equivalent packet filter in an IPv6-only network with zero NAT would be similarly secure.