A massive attack surface involving outdated Microsoft Internet Information Services (IIS) servers. During Shadowserver’s daily network scans on March 23, 2026, researchers identified over 511,000 End-of-Life (EOL) IIS instances actively connected to the internet.
This widespread exposure presents a serious security risk for organizations worldwide, as these obsolete servers no longer receive standard security patches.
Attackers frequently scan the internet for unpatched infrastructure to exploit known vulnerabilities, deploy malware, or establish initial access into corporate networks.
511,000+ IIS End-of-Life Instances
The raw data shared by Shadowserver paints a concerning picture of global internet infrastructure hygiene. Of the 511,000 exposed EOL instances, over 227,000 have fully completed the Microsoft Extended Security Updates (ESU) period.
This means nearly half of these servers are End-of-Support (EOS) and will never receive critical security fixes, even if organizations pay for extended coverage.
Geographically, the exposure is heavily concentrated in two major global regions. China and the United States currently host the highest number of these outdated IIS instances.
To help security teams track these exposures, Shadowserver now officially tags vulnerable servers as ‘eol-iis’ and ‘eos-iis’ in its daily Vulnerable HTTP reports.
Over 511 000 End-of-Life Microsoft IIS instances seen in our daily scans, out of those over 227 000 instances that are beyond the official Microsoft Extended Security Updates (ESU) period. We now tag those 'eol-iis' and 'eos-iis' respectively in our Vulnerable HTTP reports. pic.twitter.com/PKZqQpmQuf— The Shadowserver Foundation (@Shadowserver) March 23, 2026
Network administrators can access this raw IP data, filtered by their specific network constituency, to identify exposed assets within their environments.
Operating EOL and EOS web servers significantly increases an organization’s susceptibility to cyberattacks. When software reaches the end of its lifecycle, the vendor officially stops monitoring it for security flaws.
If a new zero-day vulnerability is discovered in an outdated version of IIS, Microsoft will not release a public patch to fix it. Threat actors understand this dynamic and actively build automated tools to detect and exploit these specific legacy systems.
The Cybersecurity and Infrastructure Security Agency (CISA) consistently warns about the severe risks associated with end-of-support edge devices.
Exposed web servers often serve as the perfect foothold for ransomware operators and Advanced Persistent Threat (APT) groups.
Once an attacker compromises an outward-facing IIS server, they can pivot laterally into the internal network, steal sensitive data, or deploy malicious payloads across the broader infrastructure.
Mitigations
Organizations must prioritize identifying and securing their internet-facing infrastructure to prevent immediate exploitation.
Security teams should follow these crucial steps to reduce their attack surface effectively:
Audit external network assets to locate any servers running legacy versions of Microsoft IIS.
Review Shadowserver’s Vulnerable HTTP reports to identify exposed IPs associated with your organization.
Upgrade EOL servers to modern, supported versions of Windows Server and IIS.
Enroll systems in Microsoft’s Extended Security Update program if an immediate migration is technically impossible.
Isolate legacy systems behind robust web application firewalls and restrict access to only essential IP addresses.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
The post 511,000+ End-of-Life Microsoft IIS Instances Exposed Online, Secure Now! appeared first on Cyber Security News.
