GBHackers

511,000+ End-of-Life IIS Instances Found Online, Raising Security Risks

Security researchers at The Shadowserver Foundation have identified a massive internet-facing attack surface, discovering more than 511,000 End-of-Life Microsoft Internet Information Services (IIS) instances currently active online.

This widespread deployment of outdated web servers presents a significant security risk to global networks, as these systems no longer receive standard security updates from the vendor.

511,000+ End-of-Life IIS Instances Found Online

Recent daily scans conducted by Shadowserver reveal alarming statistics regarding the lifecycle stages of these exposed servers.

Of the 511,000 total End-of-Life (EOL) instances discovered, more than 227,000 have also passed the end of their official Microsoft Extended Security Updates (ESU) period.

This means nearly half of the identified systems are in an End-of-Support (EOS) state, permanently cut off from even the paid security patches that Microsoft offers to legacy enterprise customers.

To help organizations identify and remediate these vulnerable assets, Shadowserver has updated its standard Vulnerable HTTP reports.

Network administrators receiving these reports will now see these outdated web servers explicitly flagged with “eol-iis” and “eos-iis” tags, providing clear visibility into the support status of their infrastructure.

The exposure of these outdated Microsoft IIS instances represents a critical global security challenge.

According to the raw IP data shared by the researchers, the majority of these vulnerable deployments are heavily concentrated in two countries: China and the United States.

Shadowserver has made this telemetry available to network owners and national Computer Emergency Response Teams to facilitate targeted remediation efforts.

Security professionals can track this data through Shadowserver’s live dashboard maps. The dashboards provide a stark visual representation of both the standard EOL servers and the more critically exposed EOS instances that have exceeded their extended lifecycle.

Security Risks and Mitigation

Running internet-facing software that has reached its end of life dramatically expands an organization’s attack surface.

The Cybersecurity and Infrastructure Security Agency (CISA) consistently warns against the dangers of maintaining unsupported edge devices.

When a new vulnerability is discovered in an EOL product, the vendor will not release a patch, leaving the system permanently defenseless against automated exploitation, ransomware deployment, and initial access brokers.

Because Microsoft IIS acts as a primary web server and gateway to internal networks, threat actors frequently target these systems to establish a foothold.

To mitigate these severe risks, administrators must immediately identify any legacy IIS instances within their environments.

Organizations are strongly advised to consult the official Microsoft IIS lifecycle documentation, migrate critical services to modern and supported web server platforms, and immediately decommission legacy systems that are no longer maintained.
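To show how the “eol-iis” / “eos-iis” distinction above can be applied to an organisation's own inventory, here is an added example (not Shadowserver's code; their exact classification method is not described on this page). It parses the `Server` banner from captured HTTP responses and maps the IIS version to the Windows Server release it ships with; the lifecycle dates are Microsoft's published ones as I recall them and should be confirmed against the current lifecycle documentation, and the sample responses are constructed.

```python
import re
from datetime import date

# IIS banner version -> (Windows Server release, end of extended support, end of ESU).
# Dates are taken from Microsoft's published lifecycle data; verify before acting.
# IIS 10.0 ships with Server 2016, 2019 and 2022, so the banner alone cannot
# place it in a lifecycle; those hosts need an OS-level inventory check.
LIFECYCLE = {
    "6.0": ("Windows Server 2003", date(2015, 7, 14), None),
    "7.0": ("Windows Server 2008", date(2020, 1, 14), date(2023, 1, 10)),
    "7.5": ("Windows Server 2008 R2", date(2020, 1, 14), date(2023, 1, 10)),
    "8.0": ("Windows Server 2012", date(2023, 10, 10), date(2026, 10, 13)),
    "8.5": ("Windows Server 2012 R2", date(2023, 10, 10), date(2026, 10, 13)),
    "10.0": (None, None, None),
}

SERVER_RE = re.compile(r"^server:\s*microsoft-iis/(\d+\.\d+)", re.I | re.M)


def classify(response_headers: str, today: date) -> tuple[str, str]:
    """Return (tag, iis_version) for one raw HTTP response header block.

    Tags mirror the report's naming: 'eol-iis' = past vendor support but still
    inside ESU; 'eos-iis' = past ESU as well (or no ESU programme existed).
    A missing or rewritten Server header yields 'not-iis', so this is a lower
    bound on exposure, never proof that a host is current.
    """
    m = SERVER_RE.search(response_headers)
    if not m:
        return ("not-iis", "")
    ver = m.group(1)
    if ver not in LIFECYCLE:
        return ("unknown-iis", ver)
    os_name, eol, esu_end = LIFECYCLE[ver]
    if os_name is None:
        return ("indeterminate-iis", ver)
    if today < eol:
        return ("supported-iis", ver)
    if esu_end is None or today >= esu_end:
        return ("eos-iis", ver)
    return ("eol-iis", ver)


# Constructed sample banners (not real hosts) as an inventory tool might capture them.
SAMPLE_RESPONSES = [
    "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/7.5\r\nContent-Length: 0\r\n",
    "HTTP/1.1 403 Forbidden\r\nServer: Microsoft-IIS/8.5\r\n",
    "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/10.0\r\n",
    "HTTP/1.1 200 OK\r\nServer: nginx\r\n",
]


def tag_all(responses, today=None):
    """Classify a batch of captured responses; 'today' is injectable for testing."""
    today = today or date.today()
    return [classify(r, today) for r in responses]
```

Run against a real inventory, the “indeterminate-iis” hosts are the ones that still need an OS-version check (for example via the server's own configuration management data) before they can be marked supported.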
