Over 511,000 End-of-Life IIS Instances Exposed
In short: hundreds of thousands of unsupported Microsoft web servers are still reachable from the internet, and any new flaw found in them will not be patched.
Over 511,000 outdated Microsoft IIS servers are exposed online. All of them run on Windows Server releases that are past Microsoft's standard support, and more than 227,000 are past Extended Security Updates as well. Organizations must act quickly to find and secure these systems before they are exploited.
The Flaw
On March 23, 2026, researchers from the Shadowserver Foundation identified roughly 511,000 end-of-life (EOL) Microsoft Internet Information Services (IIS) instances reachable on the internet. IIS ships as a component of Windows Server, so an IIS instance is EOL once the underlying Windows Server release has left mainstream and extended support; from that point it receives security fixes only if the organization pays for Extended Security Updates (ESU). The situation is worse than the headline figure suggests: over 227,000 of these servers are past the ESU window too (the end-of-support, or EOS, category used below), so no fix will ever be issued for them. Every vulnerability found in these versions from now on stays unpatched, which gives attackers a large and permanent attack surface.
The exposure is particularly concerning because scanning the internet for version banners is cheap and routine. Attackers exploit known vulnerabilities, deploy malware, or use the outdated servers as initial access into corporate networks. The Cybersecurity and Infrastructure Security Agency (CISA) has repeatedly warned that end-of-support devices are a common foothold for ransomware operators and Advanced Persistent Threat (APT) groups.
What's at Risk
The geographical distribution of these servers is alarming. The highest concentrations are in China and the United States. This widespread exposure affects not only the individual organizations running them but also the broader internet, since compromised servers are reused to attack others. When software reaches the end of its lifecycle, the vendor stops issuing fixes for it. If a new vulnerability is found in an unsupported version of IIS, Microsoft will not release a patch, even when that flaw is being actively exploited.
As a result, organizations operating EOL and EOS web servers significantly increase their exposure to attack. A compromised internet-facing IIS server is also a pivot point: from it, attackers move into the internal network, steal sensitive data, or deploy malicious payloads across the infrastructure. The consequences for businesses are severe, ranging from data loss and reputational damage to direct financial cost.
Patch Status
To help network owners find these systems, Shadowserver now tags the exposed servers as ‘eol-iis’ and ‘eos-iis’ in its daily Vulnerable HTTP reports. Network administrators can obtain the raw IP data filtered to their own networks and use it to locate exposed assets. Shadowserver only reports the exposure, however; the responsibility for fixing it rests with the organizations that operate the servers.
Organizations must therefore prioritize identifying and securing their internet-facing infrastructure. Operating EOL or EOS web servers on the internet invites a breach, and CISA has reiterated that removing or upgrading end-of-support systems is an immediate priority.
Immediate Actions
Here are some crucial steps organizations should take:
- Audit external network assets to locate any servers running legacy versions of Microsoft IIS. The HTTP Server header identifies the IIS version, but note that IIS 10.0 spans several Windows Server releases, so confirm the OS build on the host itself.
- Review Shadowserver’s Vulnerable HTTP reports (the ‘eol-iis’ and ‘eos-iis’ tags) to identify exposed IPs in your organization's address space.
- Upgrade EOL servers to modern, supported versions of Windows Server and IIS.
- Enroll systems that cannot be migrated yet in Microsoft’s Extended Security Update program where one is still offered; servers already past ESU have no such option and must be migrated or taken offline.
- Put legacy systems that must stay online behind a web application firewall, restrict inbound access to the source IP ranges that genuinely need it, and segment them from the internal network so that a compromise cannot be used as a pivot.
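The first step above, fingerprinting IIS versions from banner data and deciding which ones are past ESU, is mechanical enough to script. The following is an added example written for this article, not Shadowserver's code or Microsoft's: it maps an IIS version to its Windows Server release and classifies each banner as supported, EOL (past extended support but inside an ESU window), or EOS (past ESU, or no ESU program ever existed). The banner lines are constructed for the example; the lifecycle dates are Microsoft's published dates as the author knows them, and should be verified against the Microsoft Lifecycle pages before being relied on.

```python
import re
from datetime import date

# Banner-grab output, constructed for this example (not Shadowserver data).
SAMPLE_BANNERS = [
    "203.0.113.10:80 Server: Microsoft-IIS/6.0",
    "203.0.113.11:443 Server: Microsoft-IIS/7.5",
    "203.0.113.12:80 Server: Microsoft-IIS/8.5",
    "203.0.113.13:443 Server: Microsoft-IIS/10.0",
    "203.0.113.14:80 Server: nginx/1.24.0",
    "203.0.113.15:80 Server: Microsoft-IIS/8.0",
]

# IIS version -> (host OS, end of extended support, end of ESU or None).
# Microsoft's published lifecycle dates as understood by the author of this
# example; verify against the Microsoft Lifecycle pages before acting on them.
# Windows Server 2003 never had an ESU program, hence None.
IIS_LIFECYCLE = {
    "6.0": ("Windows Server 2003",    date(2015, 7, 14),  None),
    "7.0": ("Windows Server 2008",    date(2020, 1, 14),  date(2023, 1, 10)),
    "7.5": ("Windows Server 2008 R2", date(2020, 1, 14),  date(2023, 1, 10)),
    "8.0": ("Windows Server 2012",    date(2023, 10, 10), date(2026, 10, 13)),
    "8.5": ("Windows Server 2012 R2", date(2023, 10, 10), date(2026, 10, 13)),
}

# Date of the Shadowserver count reported above; used as the default "as of".
REPORT_DATE = "2026-03-23"

BANNER_RE = re.compile(r"Microsoft-IIS/(\d+\.\d+)", re.IGNORECASE)


def classify(banner, asof=REPORT_DATE):
    """Return (status, detail) for one banner line.

    status is one of:
      "not-iis"   - no Microsoft-IIS token in the Server header
      "unknown"   - version not in the table; IIS 10.0 spans Server 2016
                    through 2025, so the banner alone cannot decide
      "supported" - still inside the OS's extended-support window
      "eol"       - past extended support but inside an ESU window
      "eos"       - past ESU (or no ESU program exists): no fixes will come
    asof may be an ISO date string or a datetime.date.
    """
    if isinstance(asof, str):
        asof = date.fromisoformat(asof)
    m = BANNER_RE.search(banner)
    if not m:
        return "not-iis", None
    version = m.group(1)
    if version not in IIS_LIFECYCLE:
        return "unknown", f"IIS {version}: resolve the OS build on the host"
    os_name, ext_end, esu_end = IIS_LIFECYCLE[version]
    if asof <= ext_end:
        return "supported", f"{os_name}, extended support until {ext_end}"
    if esu_end is not None and asof <= esu_end:
        return "eol", f"{os_name}, ESU available until {esu_end}"
    return "eos", f"{os_name}, no further security fixes"


def triage(banners, asof=REPORT_DATE):
    """Group banner lines by status so the 'eos' bucket can be handled first."""
    buckets = {"eos": [], "eol": [], "unknown": [], "supported": [], "not-iis": []}
    for line in banners:
        status, detail = classify(line, asof)
        buckets[status].append((line, detail))
    return buckets


def fetch_server_header(host, port=80, tls=False, timeout=5):
    """Grab the Server header from a host you are authorised to test.

    Not called at import time, so the rest of the example runs offline.
    IIS answers 'Server: Microsoft-IIS/x.y' unless the header has been
    stripped or rewritten, so an empty result is not proof of absence.
    """
    import http.client
    cls = http.client.HTTPSConnection if tls else http.client.HTTPConnection
    conn = cls(host, port, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        return conn.getresponse().getheader("Server", "") or ""
    finally:
        conn.close()


if __name__ == "__main__":
    for status, items in triage(SAMPLE_BANNERS).items():
        for line, detail in items:
            print(f"{status:9} {line}  ({detail or ''})")
```

Two caveats when using this against real assets. The Server header is removable and spoofable, so treat "not-iis" and "unknown" as "needs a host-level check" rather than "clean"; on the host itself the installed IIS version is recorded under the registry key HKLM\SOFTWARE\Microsoft\InetStp (VersionString), and the OS build decides the support status. And because the ESU window for the 2012 generation closes in October 2026, a server classified "eol" today will move to "eos" then, which is why the classification takes an explicit "as of" date.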
By taking these steps, organizations can significantly reduce their attack surface and protect themselves from potential cyber threats.
Cyber Security News