Over 511,000 Outdated Microsoft IIS Servers Exposed Online

Viewing 1 post (of 1 total)
  • Author
    Posts
  • #1837
    Rameses Quiambao
    Participant

    Summary

    On March 23, 2026, Shadowserver’s daily network scans revealed over 511,000 End-of-Life (EOL) Microsoft Internet Information Services (IIS) instances actively exposed on the internet.

    The exposed servers:
    • Include more than 227,000 servers beyond the Microsoft Extended Security Updates (ESU) period.
    • Are geographically concentrated, with the highest numbers in China and the United States.
    • Present critical risks since EOL servers no longer receive security patches.

    Operating these outdated web servers leaves organizations vulnerable to attacks, including malware deployment, ransomware, and unauthorized lateral movement into internal networks.

    Research Source

    Shadowserver Foundation published daily Vulnerable HTTP reports tagging vulnerable IIS servers as ‘eol-iis’ and ‘eos-iis’.

    The Cybersecurity and Infrastructure Security Agency (CISA) has repeatedly warned that end-of-support edge devices and servers are prime targets for threat actors, including Advanced Persistent Threat (APT) groups and opportunistic ransomware operators.

    Technical Details

    The affected servers run unsupported versions of Microsoft IIS, meaning:
    • No critical security updates are provided.
    • Zero-day vulnerabilities may be exploited without remediation.
    • Threat actors can pivot from exposed servers to internal networks.

    Attackers frequently scan the internet for these unpatched servers to gain initial access, deploy malware, or establish persistent footholds.

    Key exposure points:
    • Legacy IIS instances still serving web content.
    • Servers beyond the ESU period, even with paid extended coverage.
    • Outdated configurations allowing easy exploitation.

    Observed Attack Activity

    While no widespread exploitation has been confirmed, the potential attack vectors include:

    Initial Access
    • Scanning for exposed IIS instances.
    • Exploiting known vulnerabilities or misconfigurations.

    Post-Compromise
    • Lateral movement into internal networks.
    • Deployment of malware or ransomware.
    • Data exfiltration from web-facing servers.

    Threat Actors
    • Opportunistic cybercriminals scanning for outdated servers.
    • Ransomware groups using EOL servers as entry points.
    • Nation-state APTs seeking persistent access via exposed infrastructure.

    Impact

    Organizations running EOL IIS servers may face:
    • Unauthorized access to internal networks.
    • Data theft or corruption.
    • Ransomware infection spreading across infrastructure.
    • Compliance and regulatory violations.

    Because these servers are publicly reachable and unsupported, the risk is high for both operational disruption and potential financial loss.

    Mitigation

    Security teams should take immediate action:

    • Audit external network assets for legacy IIS instances.
    • Review Shadowserver’s Vulnerable HTTP reports to identify exposed IPs.
    • Upgrade servers to supported Windows Server and IIS versions.
    • Enroll in Microsoft Extended Security Updates if immediate migration is not possible.
    • Isolate legacy systems behind web application firewalls and limit access to trusted IPs.
    • Monitor for suspicious activity and scan for potential compromises on exposed servers.

    Blocking unapproved RMM tools, enforcing multi-factor authentication, and applying attack surface reduction rules are additional protective measures.

    References
    https://cybersecuritynews.com/iis-end-of-life-instances-exposed/
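
One way to run the audit step from the Mitigation list against your own asset inventory, as an added example that is not part of the original post or of Shadowserver's tooling. It assumes an export of `host, Server header` rows, a lifecycle table whose dates should be verified against Microsoft's lifecycle pages, and status labels that are this example's own rather than Shadowserver's tags.

```python
import re
from datetime import date

# Assumed lifecycle table (verify against Microsoft's lifecycle pages):
# IIS version -> (Windows Server release, end of support, end of paid ESU or None)
LIFECYCLE = {
    "6.0": ("Windows Server 2003", date(2015, 7, 14), None),
    "7.0": ("Windows Server 2008", date(2020, 1, 14), date(2023, 1, 10)),
    "7.5": ("Windows Server 2008 R2", date(2020, 1, 14), date(2023, 1, 10)),
    "8.0": ("Windows Server 2012", date(2023, 10, 10), date(2026, 10, 13)),
    "8.5": ("Windows Server 2012 R2", date(2023, 10, 10), date(2026, 10, 13)),
}
BANNER = re.compile(r"Microsoft-IIS/(\d+\.\d+)", re.IGNORECASE)

def classify(server_header, today):
    """Map one HTTP Server header value to a lifecycle status string."""
    m = BANNER.search(server_header or "")
    if not m:
        return "not-iis-or-banner-hidden"  # a missing banner proves nothing
    version = m.group(1)
    entry = LIFECYCLE.get(version)
    if entry is None:
        # IIS 10.0 ships with several Windows Server releases, so the banner
        # alone cannot show whether the host is supported: check the OS build.
        return "check-os-build" if version == "10.0" else "unknown-version"
    _, end_of_support, esu_end = entry
    if today <= end_of_support:
        return "supported"
    if esu_end is not None and today <= esu_end:
        return "eol-esu-available"  # patched only if ESU is actually enrolled
    return "eol-beyond-esu"

def audit(rows, today):
    # Return (host, status) for every EOL host, beyond-ESU hosts first.
    findings = []
    for row in rows:
        host, _, header = row.partition(",")
        status = classify(header.strip(), today)
        if status.startswith("eol"):
            findings.append((host.strip(), status))
    return sorted(findings, key=lambda f: (f[1] != "eol-beyond-esu", f[0]))

# Constructed inventory export (documentation-range IPs, not real hosts).
SAMPLE = [
    "192.0.2.10, Microsoft-IIS/10.0", "192.0.2.11, Microsoft-IIS/8.5",
    "198.51.100.7, Microsoft-IIS/7.5", "198.51.100.8, nginx",
    "203.0.113.5, Microsoft-IIS/6.0",
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE, date(2026, 3, 23)):
        print(f"{host}\t{status}")
```

The Server header can be removed or rewritten by a proxy, so hosts reported as `not-iis-or-banner-hidden` or `check-os-build` still need confirmation from the operating system's own inventory data.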
