Over 511,000 outdated Microsoft IIS servers are still online, and many have no patch path left
More than 511,000 internet-facing Microsoft IIS instances are running on end-of-life software, according to new data shared by The Shadowserver Foundation on March 23, 2026. The finding matters because unsupported IIS versions no longer receive normal security updates, and a large share of the exposed systems appear to sit even beyond Microsoft’s Extended Security Updates window.
Shadowserver has now added dedicated tags for these systems in its daily Vulnerable HTTP reporting, using the labels eol-iis and eos-iis. That gives defenders a clearer way to spot legacy IIS servers in their own exposure data and start cleanup faster.
The security concern is simple. Internet-facing web servers are a common initial entry point. When those servers run software that has fallen out of support, defenders lose the safety net of ongoing vendor fixes, while attackers keep scanning for known weaknesses and weak configurations. CISA has repeatedly warned that unsupported software and edge systems create significant security risk and has pushed federal agencies to identify and remove end-of-support edge devices.
What Shadowserver reported
Several outlets that cited Shadowserver’s March 23 data said the nonprofit found more than 511,000 exposed end-of-life IIS instances online, including more than 227,000 that had also passed Microsoft’s Extended Security Updates period. I could confirm Shadowserver’s official reporting page and its new eol-iis and eos-iis tagging, but I could not independently verify the exact 511,000 and 227,000 totals from a publicly viewable Shadowserver dataset page. Those figures appear in reporting that cites Shadowserver’s daily scans and social updates.
That distinction matters. The broad conclusion is well supported: a very large number of IIS servers remain exposed on obsolete software. The precise totals may shift from day to day because Shadowserver’s scans update continuously.
Why outdated IIS remains risky
IIS follows the lifecycle of the Windows version underneath it. Microsoft’s lifecycle page shows that IIS 8.5 on Windows Server 2012 R2 reached end of support on October 10, 2023, while older releases such as IIS 7.5 and IIS 7.0 ended support years earlier. Microsoft also notes that Extended Security Updates are available only for specific products and only for up to three additional years past end of support.
Microsoft’s Windows Server end-of-support page also shows that Windows Server 2012 and 2012 R2 ESUs end on October 13, 2026, while Windows Server 2016 extended support ends on January 12, 2027, after which ESUs begin for eligible deployments. In plain terms, some legacy IIS environments may still sit in a temporary paid support bridge, but many older combinations no longer have any practical patch runway left.
Once a server reaches end of support, organizations face three problems at once:
- New vulnerabilities may go unpatched
- Hardening and configuration guidance is rarely revisited on stale systems, so old weaknesses persist
- Public-facing services give attackers a direct target
CISA has said unsupported software and hardware pose significant security risk because new and existing vulnerabilities may never get fixed by the vendor. Its 2026 directive on end-of-support edge devices also pushes agencies to identify unsupported systems quickly and begin removing them from federal environments.
IIS lifecycle snapshot
| IIS version | Platform example | Microsoft support status from official lifecycle page |
|---|---|---|
| IIS 8.5 | Windows Server 2012 R2 | Ended October 10, 2023 |
| IIS 8.0 | Windows Server 2012 | Ended October 10, 2023 |
| IIS 7.5 | Windows Server 2008 R2 | Ended January 14, 2020 |
| IIS 7.0 | Windows Server 2008 | Ended January 14, 2020 |
| IIS 6.0 | Windows Server 2003 | Ended July 14, 2015 |
Source: Microsoft Lifecycle for Internet Information Services.
What admins should do now
Security teams should treat internet-facing legacy IIS like urgent technical debt. If a full migration cannot happen this week, teams should still reduce exposure immediately while they plan a move.
Priority actions:
- Inventory all public-facing IIS servers and map each one to its Windows Server version
- Check Shadowserver’s Vulnerable HTTP reports for eol-iis and eos-iis tags tied to your network
- Move supported workloads to a current Windows Server and IIS stack
- Use ESUs only as a short bridge where Microsoft still offers them
- Restrict public access (allowlist source addresses or front the server with a reverse proxy or WAF), segment legacy servers, and place them behind tightly managed controls
- Review logs and web roots for signs of compromise before and after remediation, for example unexpected script files in web roots or unfamiliar IIS modules
Shadowserver says organizations that receive its reports should review affected systems and their networks for signs of compromise, especially because many items in its critical HTTP reporting relate to widely exploited exposure. CISA also recommends reducing exposure of internet-accessible systems and accelerating remediation for vulnerable edge assets.
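The inventory and report-review steps above can be scripted. The following is an added example written for this page; it is not Shadowserver or Microsoft code. It classifies IIS `Server` banners against the lifecycle dates in the table above, reusing the article's eol-iis and eos-iis split (past OS support but still inside an ESU window, versus no ESU path left). The CSV layout, host names and addresses are constructed for the example and do not match Shadowserver's real report schema, and the assumption that nothing older than the 2012 family has an ESU path is the example's own. It also shows a caveat the banner alone cannot resolve: `Microsoft-IIS/10.0` ships on Windows Server 2016 through 2025, so those hosts must be mapped to their OS before being judged.

```python
"""Triage a Shadowserver-style HTTP exposure report for end-of-life IIS.

Added example for this article, not Shadowserver or Microsoft code. The CSV
layout below is a constructed simplification, not the real report schema.
"""
import csv
import io
import re
from collections import Counter
from datetime import date

# IIS version -> (platform, end of OS support), taken from the article's table.
IIS_OS_END = {
    "8.5": ("Windows Server 2012 R2", date(2023, 10, 10)),
    "8.0": ("Windows Server 2012", date(2023, 10, 10)),
    "7.5": ("Windows Server 2008 R2", date(2020, 1, 14)),
    "7.0": ("Windows Server 2008", date(2020, 1, 14)),
    "6.0": ("Windows Server 2003", date(2015, 7, 14)),
}
# Paid ESU bridge for the 2012 / 2012 R2 family ends Oct 13, 2026 (article).
# Assumption made by this example: no ESU path remains for anything older.
IIS_ESU_END = {"8.5": date(2026, 10, 13), "8.0": date(2026, 10, 13)}

BANNER_RE = re.compile(r"Microsoft-IIS/(\d+\.\d+)", re.IGNORECASE)


def classify_banner(server_header, today):
    """Map a Server header to a support status as of `today`.

    Returns one of:
      "not-iis"   - no Microsoft-IIS banner at all
      "unlisted"  - an IIS version outside the table; IIS 10.0 ships on
                    Server 2016 through 2025, so the banner alone cannot
                    place it and the host must be mapped to its OS first
      "supported" - underlying OS still inside mainstream/extended support
      "eol"       - OS support ended, ESU still available (article: eol-iis)
      "eos"       - ESU window exhausted or never offered (article: eos-iis)
    """
    match = BANNER_RE.search(server_header or "")
    if not match:
        return "not-iis"
    version = match.group(1)
    if version not in IIS_OS_END:
        return "unlisted"
    _platform, os_end = IIS_OS_END[version]
    if today <= os_end:
        return "supported"
    esu_end = IIS_ESU_END.get(version)
    if esu_end is not None and today <= esu_end:
        return "eol"
    return "eos"


def triage_report(csv_text, today):
    """Attach a status to every row of the constructed report."""
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "ip": rec["ip"],
            "port": rec["port"],
            "hostname": rec["hostname"],
            "banner": rec["http_server"],
            "status": classify_banner(rec["http_server"], today),
        })
    return rows


def summarize(rows):
    """Count hosts per status so the worst bucket (eos) is visible at a glance."""
    return dict(Counter(r["status"] for r in rows))


# Constructed sample rows; the columns are a simplification, not the real schema.
SAMPLE_REPORT = """timestamp,ip,port,hostname,http_server
2026-03-23 02:15:01,192.0.2.10,80,legacy-intranet.example.net,Microsoft-IIS/8.5
2026-03-23 02:15:02,192.0.2.11,443,portal.example.net,Microsoft-IIS/7.5
2026-03-23 02:15:03,192.0.2.12,443,www.example.net,Microsoft-IIS/10.0
2026-03-23 02:15:04,192.0.2.13,80,old-ftp-web.example.net,Microsoft-IIS/6.0
2026-03-23 02:15:05,192.0.2.14,443,shop.example.net,nginx
"""

if __name__ == "__main__":
    scan_day = date(2026, 3, 23)
    rows = triage_report(SAMPLE_REPORT, scan_day)
    for r in rows:
        print(f"{r['ip']:<12} {r['port']:<4} {r['banner']:<19} {r['status']}")
    print(summarize(rows))
```

Run against the sample on the article's scan date, the 8.5 host lands in the eol bucket (ESU still purchasable until October 13, 2026), the 7.5 and 6.0 hosts land in eos, and the IIS 10.0 host is reported as unlisted rather than guessed at. Re-running with a date after October 13, 2026 moves the 8.5 host into eos as well, which is the "patch exhaustion" the article describes.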
Quick take
This is not a new IIS flaw. It is a visibility warning about old IIS still sitting on the public internet. That makes it more of an exposure story than a single-vulnerability story.
The main risk comes from age, reachability, and patch exhaustion. If your organization still runs IIS on Windows Server 2012, 2012 R2, 2008, or older, you should assume attackers can find it just as easily as defenders can.
FAQ
Did Shadowserver really find more than 511,000 end-of-life IIS servers?
Public reporting and Shadowserver’s social updates point to that figure, and Shadowserver’s official site confirms the new IIS-related tags in its Vulnerable HTTP reporting. I could not independently verify the exact count from a public raw dataset page.
Is this a new IIS vulnerability?
No official source here points to a new IIS zero-day. The issue is large-scale exposure of end-of-life IIS deployments on the public internet.
Does IIS have its own support lifecycle?
Not really. Microsoft says IIS is a component of Windows and follows the lifecycle of the underlying operating system.
Can Extended Security Updates keep old IIS patched?
Only in some cases. Microsoft says ESUs are available only for certain products and for up to three years after end of support. That makes ESUs a temporary bridge, not a long-term answer.
What should admins do first?
Find every internet-facing IIS server, confirm the Windows version under it, and either migrate it or reduce exposure immediately with tight access controls while you plan the migration. That aligns with both Microsoft lifecycle guidance and CISA’s focus on removing unsupported edge systems.