An enormous attack surface that includes old Microsoft Internet Information Services (IIS) servers This article explores iis daily vulnerable. . On March 23, 2026, during Shadowserver's daily network scans, researchers found more than 511,000 End-of-Life (EOL) IIS instances that were still connected to the internet.
This widespread exposure is a big security risk for businesses all over the world because these old servers don't get regular security updates anymore. Learn more about security awareness training Reports on the analysis of cyberattacks Courses on how to stay safe online Attackers often look for unpatched infrastructure on the internet to take advantage of known security holes, install malware, or gain initial access to corporate networks. 511,000+ IIS End-of-Life Instances The raw data that Shadowserver shared shows that the hygiene of the global internet infrastructure is not good. More than 227,000 of the 511,000 exposed EOL instances have finished the Microsoft Extended Security Updates (ESU) period.
This means that almost half of these servers are End-of-Support (EOS) and will never get important security updates, even if companies pay for extra coverage. The exposure is mostly in two big parts of the world. The most outdated IIS instances are currently in China and the United States.
Shadowserver now officially marks vulnerable servers as "eol-iis" and "eos-iis" in its daily Vulnerable HTTP reports to help security teams keep track of these exposures. Network administrators can use this raw IP data, which has been filtered by their specific network constituency, to find assets that are open to attack in their networks. Running EOL and EOS web servers makes an organization much more vulnerable to cyberattacks. The vendor officially stops looking for security flaws in software when it reaches the end of its lifecycle.
Find more Threat Intelligence feeds Email services that are safe Password managers If a new zero-day vulnerability is found in an old version of IIS, Microsoft will not make a public patch to fix it. Threat actors know how this works and are actively making automated tools to find and take advantage of these old systems. The Cybersecurity and Infrastructure Security Agency (CISA) always warns about the serious dangers of edge devices that are no longer supported.
Ransomware operators and Advanced Persistent Threat (APT) groups often use exposed web servers as a place to start their attacks. If an attacker gets into an outward-facing IIS server, they can move laterally into the internal network, steal private information, or spread malware across the whole infrastructure.
Mitigations Organizations must make it a top priority to find and protect their internet-facing infrastructure to stop immediate exploitation. To effectively lower their attack surface, security teams should do the following important things: Check the servers on your external network to see if any of them are running old versions of Microsoft IIS. Look at Shadowserver's Vulnerable HTTP reports to find IPs that are connected to your organization and are open to attack.
Update EOL servers to newer, supported versions of IIS and Windows Server. If you can't move right away, sign up for Microsoft's Extended Security Update program for your systems. Put legacy systems behind strong web application firewalls and only let certain IP addresses connect to them., LinkedIn, and X for daily updates on cybersecurity. Get in touch with us to have your stories featured.
