Outdated Microsoft Internet Information Services (IIS) servers present a considerable attack surface. On March 23, 2026, during Shadowserver’s daily network scans, researchers discovered more than 511,000 End-of-Life (EOL) IIS instances actively connected to the internet.
This extensive exposure poses a significant security threat to organizations globally, since these outdated servers no longer receive regular security updates.
Malicious actors often scan the internet for unpatched systems to exploit known weaknesses, deploy malware, or gain initial access to corporate networks.
511,000+ IIS End-of-Life Instances
The raw data provided by Shadowserver paints a troubling picture of global internet infrastructure hygiene. Among the 511,000 exposed EOL instances, more than 227,000 have passed the end of the Microsoft Extended Security Updates (ESU) period entirely.
This means that nearly half of these servers are End-of-Support (EOS) and will never receive critical security fixes, even if organizations pay for extended coverage.
Geographically, the exposure is concentrated in two countries. China and the United States currently host the greatest number of these outdated IIS instances.
To help security teams track these exposures, Shadowserver now officially tags vulnerable servers as ‘eol-iis’ and ‘eos-iis’ in its daily Vulnerable HTTP reports.
Network administrators can access this raw IP data, filtered to their specific network constituency, to pinpoint exposed assets within their environments.
Operating EOL and EOS web servers considerably increases an organization’s exposure to cyberattacks. When software reaches the end of its lifecycle, the vendor officially ceases to monitor it for security flaws.
If a new zero-day vulnerability is uncovered in an outdated version of IIS, Microsoft will not publish a public patch to fix it. Threat actors recognize this dynamic and actively develop automated tools to detect and exploit these specific legacy systems.
The Cybersecurity and Infrastructure Security Agency (CISA) consistently warns about the serious risks associated with end-of-support edge devices.
Exposed web servers often provide the ideal entry point for ransomware operators and Advanced Persistent Threat (APT) groups.
Once an attacker compromises an internet-facing IIS server, they can move laterally within the internal network, exfiltrate sensitive information, or deploy harmful payloads throughout the broader infrastructure.
Mitigations
Organizations must prioritize identifying and protecting their internet-facing infrastructure to prevent exploitation.
Security teams should follow these steps to minimize their attack surface:
- Audit external network assets to find any servers running legacy versions of Microsoft IIS.
- Consult Shadowserver’s Vulnerable HTTP reports to pinpoint exposed IPs belonging to your organization.
- Upgrade EOL servers to current, supported versions of Windows Server and IIS.
- Enrol systems in Microsoft’s Extended Security Update program if immediate migration is technically unfeasible.
- Isolate legacy systems behind robust web application firewalls and limit access to only necessary IP addresses.
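
A triage sketch for the report-driven steps above, added here as an example and not taken from Shadowserver or the original article: it reads a Vulnerable HTTP report CSV, keeps the rows tagged ‘eol-iis’ or ‘eos-iis’, and ranks EOS endpoints first because ESU cannot cover them. The column names (ip, port, hostname, tag), the ';'-separated tag field, and the sample rows are assumptions constructed for illustration.

```python
import csv

# Constructed sample rows. Column names (ip, port, hostname, tag) and the
# ';'-separated tag field are assumptions about the report layout.
SAMPLE_REPORT = """\
timestamp,ip,port,hostname,tag
2026-03-23 01:02:03,192.0.2.10,80,legacy-intranet.example.org,eol-iis
2026-03-23 01:02:04,192.0.2.10,443,legacy-intranet.example.org,eol-iis;eos-iis
2026-03-23 01:02:05,198.51.100.7,80,shop.example.org,eol-iis
2026-03-23 01:02:06,198.51.100.7,80,shop.example.org,eol-iis
2026-03-23 01:02:07,203.0.113.5,8080,,basic-auth
"""

# Highest priority first: EOS hosts get no fixes even with ESU.
ACTIONS = {
    "eos-iis": "migrate or isolate now (past ESU, no fixes available)",
    "eol-iis": "migrate; enrol in ESU only as a stopgap",
}


def triage(lines):
    """Return one finding per (ip, port) endpoint, EOS endpoints first."""
    findings = {}
    for row in csv.DictReader(lines):
        tags = {t.strip().lower() for t in (row.get("tag") or "").split(";")}
        status = next((t for t in ACTIONS if t in tags), None)
        if status is None:
            continue  # not an outdated-IIS finding
        try:
            key = (row["ip"].strip(), int(row["port"]))
        except (KeyError, TypeError, ValueError):
            continue  # malformed row: skip it rather than abort the run
        previous = findings.get(key)
        # Keep the more severe status if the endpoint appears more than once.
        if previous is None or status == "eos-iis":
            findings[key] = {"ip": key[0], "port": key[1],
                             "hostname": (row.get("hostname") or "").strip(),
                             "status": status, "action": ACTIONS[status]}
    order = list(ACTIONS)
    return sorted(findings.values(),
                  key=lambda f: (order.index(f["status"]), f["ip"], f["port"]))


if __name__ == "__main__":
    for item in triage(SAMPLE_REPORT.splitlines()):
        host = item["hostname"] or "-"
        print(item["status"], f'{item["ip"]}:{item["port"]}', host, item["action"])
```
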