Microsoft: Over 511,000 End-of-Life Microsoft IIS Servers Exposed Online

Over Half a Million Outdated Microsoft IIS Servers Expose Global Cybersecurity Risk

Security researchers at The Shadowserver Foundation have identified a critical security threat affecting over 511,000 internet-facing Microsoft Internet Information Services (IIS) servers running end-of-life (EOL) versions. Of these, 227,000 are past the end of Microsoft’s Extended Security Updates (ESU) program, leaving them completely unsupported and vulnerable to exploitation.

The findings, revealed on March 23, 2026, highlight a widespread failure to update or decommission outdated systems. These servers, now in an End-of-Support (EOS) state, no longer receive security patches, even as paid updates, making them prime targets for cyberattacks. Threat actors frequently scan for such systems to exploit known vulnerabilities, deploy ransomware, or gain initial access to corporate networks.

The majority of affected servers are concentrated in China and the United States, though the issue spans globally. To aid remediation, Shadowserver has updated its Vulnerable HTTP reporting system, tagging outdated servers as "eol-iis" (end-of-life) or "eos-iis" (end-of-support) to help organizations identify and prioritize high-risk assets.

IIS servers often serve as front-facing web infrastructure, meaning a successful compromise could provide attackers with a direct pathway into internal systems. Government agencies, including CISA, have repeatedly warned against using unsupported software on internet-facing systems, as such systems are frequently exploited by initial access brokers who sell compromised access to other malicious actors.

Shadowserver has made its scan data available to network operators and national CERTs, while its live dashboards offer real-time visibility into the distribution of vulnerable systems. Organizations are urged to identify, upgrade, or isolate outdated IIS instances to mitigate risks. The discovery underscores the ongoing challenge of legacy system management and the urgent need for improved asset visibility to reduce the global attack surface.
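One way a network operator could triage such a report by the two tags, matching each finding against an internal inventory so that fully unsupported and unowned hosts surface first. This is an added example, not Shadowserver's or Rankiteo's code; the column names `ip`, `port` and `tag`, the `;` tag separator, the sample rows and the `OWNED` inventory are all assumptions constructed for illustration.

```python
import csv
import io
import ipaddress

# Tags named in the article; eos-iis (no patches at all) ranks ahead of eol-iis.
PRIORITY = {"eos-iis": 0, "eol-iis": 1}

# Constructed sample report (documentation address ranges, assumed column names).
SAMPLE_REPORT = """timestamp,ip,port,tag
2026-03-23 01:00:00,192.0.2.10,80,eol-iis
2026-03-23 01:00:01,192.0.2.10,80,eos-iis
2026-03-23 01:00:02,198.51.100.7,443,eos-iis;example-tag
2026-03-23 01:00:03,203.0.113.5,8080,eol-iis
2026-03-23 01:00:04,192.0.2.200,80,example-tag
"""
# Constructed inventory: CIDR -> owning team (hypothetical names).
OWNED = {"192.0.2.0/24": "web-platform",
         "192.0.2.0/28": "legacy-intranet",
         "203.0.113.0/24": "branch-it"}

def triage(report_csv, owned_networks):
    """Return unique IIS findings, most urgent first, each mapped to an owner."""
    nets = {ipaddress.ip_network(c): o for c, o in owned_networks.items()}
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        # Assumption: one row may carry several ';'-separated tags.
        tags = {t.strip().lower() for t in row["tag"].split(";")}
        hits = tags & PRIORITY.keys()
        if not hits:
            continue  # other report findings are out of scope here
        worst = min(hits, key=PRIORITY.get)
        addr = ipaddress.ip_address(row["ip"])
        # Longest-prefix match so a /28 carve-out beats its parent /24.
        matches = [n for n in nets if n.version == addr.version and addr in n]
        owner = nets[max(matches, key=lambda n: n.prefixlen)] if matches else "UNKNOWN"
        key = (str(addr), int(row["port"]))
        prev = findings.get(key)
        # Deduplicate per ip:port, keeping the more severe tag.
        if prev is None or PRIORITY[worst] < PRIORITY[prev["tag"]]:
            findings[key] = {"ip": key[0], "port": key[1], "tag": worst, "owner": owner}
    # Order: unsupported first, then assets with no known owner, then by address.
    return sorted(findings.values(),
                  key=lambda f: (PRIORITY[f["tag"]], f["owner"] != "UNKNOWN", f["ip"], f["port"]))

if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT, OWNED):
        print(f'{f["tag"]:8} {f["ip"]}:{f["port"]:<5} owner={f["owner"]}')
```

Findings whose owner resolves to `UNKNOWN` are the asset-visibility gap the article describes: hosts reported against the organization's address space that no team has claimed.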

Source: https://cyberpress.org/over-511000-end-of-life-microsoft-iis-servers-exposed-online/

Microsoft Security cybersecurity rating report: https://www.rankiteo.com/company/microsoft-security

{
  "id": "MIC1774275848",
  "linkid": "microsoft-security",
  "type": "Vulnerability",
  "date": "3/2026",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}