What happened
Security researchers identified over 511,000 publicly exposed Microsoft Internet Information Services (IIS) servers running end-of-life software that no longer receives security updates, significantly expanding the global attack surface. The findings, based on large-scale internet scans conducted by the Shadowserver Foundation, show that many of these systems are tied to outdated Windows environments, with nearly half having already surpassed even extended security support periods. Because IIS follows the lifecycle of the underlying Windows OS, these servers are likely running unsupported operating systems as well, making them highly susceptible to exploitation by attackers targeting known vulnerabilities. Researchers warned that such systems are effectively “sitting ducks” for cybercriminals, who routinely scan for and exploit unpatched web servers and edge infrastructure.
Who is affected
Organizations worldwide operating Microsoft IIS servers on unsupported or unpatched Windows systems are affected, particularly those with internet-facing infrastructure that remains exposed.
Why CISOs should care
End-of-life systems no longer receive security updates, making them predictable and high-value targets for attackers who can exploit known vulnerabilities at scale.
3 practical actions
- Identify and replace end-of-life systems. Upgrade or decommission IIS servers running unsupported versions.
- Reduce exposure of legacy infrastructure. Remove outdated servers from public internet access where possible.
- Implement lifecycle management controls. Track software support timelines to prevent similar exposure risks in the future.
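The first action starts with an inventory. The script below is an added example (not code from the article or from the Shadowserver Foundation) showing how a defender can triage an exported list of internet-facing hosts by their IIS `Server` banner: because IIS ships with Windows, the banner version narrows the OS generation, and the OS generation decides the support date. The extended-support end dates and the IIS-to-Windows mapping are our own table and should be checked against Microsoft's current lifecycle documentation before anyone acts on the output; the host list is constructed sample data. The example also handles the case the banner cannot settle: IIS 10.0 is shared by Windows Server 2016, 2019 and 2022, so once only some of those are past support the host is flagged for OS verification rather than guessed.

```python
"""Triage internet-facing hosts for end-of-life IIS / Windows Server (added example)."""
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Extended-support end dates per Windows Server generation.
# Assumption: taken from Microsoft's published lifecycle; verify before relying on them.
WINDOWS_EOL = {
    "Windows Server 2003": date(2015, 7, 14),
    "Windows Server 2008": date(2020, 1, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
    "Windows Server 2012": date(2023, 10, 10),
    "Windows Server 2012 R2": date(2023, 10, 10),
    "Windows Server 2016": date(2027, 1, 12),
    "Windows Server 2019": date(2029, 1, 9),
    "Windows Server 2022": date(2031, 10, 14),
}

# IIS version -> Windows Server generation(s) it ships with.
# IIS 10.0 is ambiguous: the banner alone cannot separate 2016 / 2019 / 2022.
IIS_TO_WINDOWS = {
    "6.0": ["Windows Server 2003"],
    "7.0": ["Windows Server 2008"],
    "7.5": ["Windows Server 2008 R2"],
    "8.0": ["Windows Server 2012"],
    "8.5": ["Windows Server 2012 R2"],
    "10.0": ["Windows Server 2016", "Windows Server 2019", "Windows Server 2022"],
}

BANNER_RE = re.compile(r"Microsoft-IIS/(\d+\.\d+)", re.IGNORECASE)

# Constructed sample inventory: (host, Server response header), as an external
# scan or asset-inventory export might list them. Addresses are documentation-range placeholders.
SAMPLE_INVENTORY = [
    ("203.0.113.10", "Microsoft-IIS/7.5"),
    ("203.0.113.11", "Microsoft-IIS/10.0"),
    ("203.0.113.12", "Microsoft-IIS/8.5"),
    ("203.0.113.13", "nginx/1.24.0"),
    ("203.0.113.14", "Microsoft-IIS/6.0"),
]


@dataclass
class Finding:
    host: str
    iis_version: Optional[str]
    candidate_os: List[str]
    status: str                    # "eol", "supported", "verify_os" or "not_iis"
    days_past_eol: Optional[int]   # set only when status == "eol"


def classify(host: str, server_header: Optional[str], today: date) -> Finding:
    """Classify one host from its Server banner as of `today`."""
    match = BANNER_RE.search(server_header or "")
    if not match:
        return Finding(host, None, [], "not_iis", None)
    version = match.group(1)
    candidates = IIS_TO_WINDOWS.get(version)
    if candidates is None:
        # Version not in our table: do not guess, send it for manual verification.
        return Finding(host, version, [], "verify_os", None)
    eol_dates = [WINDOWS_EOL[os_name] for os_name in candidates]
    if all(d < today for d in eol_dates):
        # Every OS this IIS version can run on is past extended support.
        return Finding(host, version, candidates, "eol", (today - max(eol_dates)).days)
    if all(d >= today for d in eol_dates):
        return Finding(host, version, candidates, "supported", None)
    # Mixed: some candidate generations are out of support, some are not.
    return Finding(host, version, candidates, "verify_os", None)


def triage(inventory, today: date) -> List[Finding]:
    """Classify every host; EOL hosts first, longest-unsupported first."""
    findings = [classify(host, header, today) for host, header in inventory]
    rank = {"eol": 0, "verify_os": 1, "supported": 2, "not_iis": 3}
    return sorted(findings, key=lambda f: (rank[f.status], -(f.days_past_eol or 0)))


if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY, date.today()):
        os_list = ", ".join(f.candidate_os) or "-"
        print(f"{f.host:15} {f.status:10} IIS {f.iis_version or '-':5} {os_list}")
```

Feed it a real export by replacing `SAMPLE_INVENTORY` with (host, banner) pairs from your scanner or CMDB. Anything in the `verify_os` bucket needs an authenticated check of the actual OS build before it is either decommissioned or cleared; the banner is a triage signal, not proof.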
