Categories: Cyber Security News

Over 511,000 End-of-Life Microsoft IIS Servers Exposed Online

Security researchers have uncovered a massive global security risk involving outdated Microsoft Internet Information Services (IIS) servers.

According to new findings from The Shadowserver Foundation, more than 511,000 internet-facing IIS instances are currently running versions that have reached end-of-life (EOL), exposing organizations to serious cyber threats.

The scale of the issue is particularly concerning. Out of the 511,000 identified EOL IIS servers, over 227,000 have gone beyond Microsoft’s Extended Security Updates (ESU) program.

https://twitter.com/Shadowserver/status/2036017138750861391?ref_src=twsrc%5Etfw

This means these systems are now in an End-of-Support (EOS) state, where they no longer receive any security patches, paid or otherwise. As a result, these servers are effectively defenseless against newly discovered vulnerabilities.

Shadowserver’s continuous internet scanning highlights how widespread the problem has become.

These outdated servers are still actively exposed to the internet, significantly increasing the global attack surface.

The majority of these vulnerable deployments are concentrated in China and the United States, although affected systems are distributed worldwide.

To improve visibility and assist defenders, Shadowserver has updated its Vulnerable HTTP reporting system.

Network administrators receiving these reports will now see specific tags such as “eol-iis” and “eos-iis,” clearly indicating whether a server is outdated or completely unsupported.

This tagging system is designed to help organizations quickly identify high-risk assets and prioritize remediation.
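A triage pass over such a report could look like the following. This is an added example, not Shadowserver's code or part of the original article; the column names (`ip`, `port`, `tag`), the `;` tag separator and the sample rows are assumptions constructed for illustration, and only the two tag values come from the article.

```python
import csv
import io
from collections import defaultdict

# Tags named in the article; a higher number means more urgent.
PRIORITY = {"eos-iis": 2, "eol-iis": 1}

# Constructed sample rows. The column names and the ';' tag separator are
# assumptions about the report layout, not taken from the article.
SAMPLE_REPORT = """\
timestamp,ip,port,tag
2026-01-01 00:00:00,192.0.2.10,80,eol-iis
2026-01-01 00:00:00,192.0.2.10,443,eol-iis;eos-iis
2026-01-01 00:00:00,198.51.100.7,80,http
2026-01-01 00:00:00,203.0.113.5,8080,eol-iis
"""

def triage(report_text):
    """Return [(ip, status, ports)] with unsupported (eos-iis) hosts first."""
    hosts = defaultdict(lambda: {"level": 0, "ports": set()})
    for row in csv.DictReader(io.StringIO(report_text)):
        tags = {t.strip().lower() for t in (row.get("tag") or "").split(";")}
        level = max((PRIORITY.get(t, 0) for t in tags), default=0)
        if level == 0:
            continue  # row carries no IIS lifecycle tag
        entry = hosts[row["ip"]]
        # A host is ranked by its worst tag across all reported ports.
        entry["level"] = max(entry["level"], level)
        entry["ports"].add(int(row["port"]))
    names = {2: "eos-iis", 1: "eol-iis"}
    ranked = sorted(hosts.items(), key=lambda kv: (-kv[1]["level"], kv[0]))
    return [(ip, names[e["level"]], sorted(e["ports"])) for ip, e in ranked]

if __name__ == "__main__":
    for ip, status, ports in triage(SAMPLE_REPORT):
        print(f"{status:8} {ip:15} ports={ports}")
```

Hosts tagged `eos-iis` sort to the top of the remediation queue because, as described above, they no longer receive patches of any kind.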

The security implications of running EOL IIS servers are severe. Unsupported systems do not receive patches for newly discovered vulnerabilities, making them prime targets for threat actors.

Attackers often scan the internet for such systems to exploit known flaws, deploy ransomware, or gain initial access to corporate networks.

Since IIS commonly acts as a front-facing web server, a successful compromise can provide attackers with a direct pathway into internal infrastructure.

Government agencies, including the Cybersecurity and Infrastructure Security Agency (CISA), have repeatedly warned against the continued use of unsupported software, especially on internet-facing systems.

These systems are frequently leveraged by initial access brokers, who sell compromised access to other threat actors, further amplifying the risk.

To address this growing issue, organizations must take immediate action. The first step is to identify all IIS instances within their environment and determine their support status.

Administrators should consult Microsoft’s official lifecycle documentation to verify whether their deployments are still supported.

If outdated systems are identified, organizations should prioritize migrating services to supported versions of IIS or alternative modern web server platforms.

In cases where migration is not feasible, systems should be isolated from the internet or decommissioned entirely to reduce exposure.

Shadowserver has also made its scan data available to network operators and national Computer Emergency Response Teams (CERTs), enabling coordinated remediation efforts.

Additionally, its live dashboards provide real-time visibility into the distribution of EOL and EOS systems, helping security teams track and respond to risks more effectively.

The discovery of over half a million exposed EOL IIS servers highlights a persistent challenge in cybersecurity: legacy system management.

Without timely upgrades and proper asset visibility, organizations risk leaving critical infrastructure open to exploitation.

Immediate remediation is essential to reduce the global attack surface and prevent potential large-scale cyber incidents.


The post Over 511,000 End-of-Life Microsoft IIS Servers Exposed Online appeared first on Cyber Security News.
