Millions of Microsoft servers are running on vulnerable legacy software

security threat
(Image credit:

Researchers from CyberNews say they have identified over two million web servers powered by outdated, unmaintained, and vulnerable versions of Microsoft Internet Information Services (IIS) web server.

According to the researchers, since the legacy IIS releases versions are no longer supported by Microsoft, threat actors can easily compromise them to inject all kinds of malware, and even exfiltrate visitors’ data, which could include login and payment information, depending on the nature of the website it powers.

Microsoft IIS is reportedly the third most-popular web server in the world, powering over 50 million websites for a market share of just over 12%. 

TechRadar needs yo...

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.

>> Click here to start the survey in a new window <<

“While Microsoft keeps the newer versions relatively safe by releasing security updates and vulnerability hotfixes, older IIS versions from 7.5 downwards are no longer supported by the company. And like other types of outdated server software, all legacy versions of Microsoft IIS suffer from numerous critical security vulnerabilities,” CyberNews explained.

Outdated servers galore

Armed with this information, Cybernews researchers identified five different IIS versions and subversions that weren’t maintained and had publicly known vulnerabilities.

It then searched for these vulnerable IIS installations, and while a majority turned out to be honeypots, over two million were found serving genuine use cases.

While all legacy IIS versions were susceptible to attacks, version 7.0 with 17 known vulnerabilities emerged as the most harmful. Surprisingly, it was found running on over 47,000 web servers.

Upon further investigation, with more than 679,000 vulnerable IIS servers, China emerged as the country with the most number of susceptible installations. Surprisingly though, the US with over 581,000 unprotected IIS servers wasn’t far behind in second place.

CyberNews security researcher Mantas Sasnauskas believes the situation is further aggravated by the fact that the web servers that host public websites would also be broadcasting their outdated IIS versions for everyone to see.

“This means that running these servers on visibly vulnerable software is tantamount to extending an invitation to threat actors to infiltrate their networks,” Sasnauskas sums up.

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.