Exposure of End-of-Life Microsoft IIS Servers in Bangladesh

Published on 24-Mar-2026 14:00:00

Executive Summary

Recent global scanning data shows that over 511,000 internet-facing Microsoft Internet Information Services (IIS) servers running End-of-Life (EOL) versions are exposed worldwide. Alarmingly, as of yesterday, 452 unique IP addresses in Bangladesh were found running outdated IIS services. These systems no longer get security patches or vulnerability updates from Microsoft. This exposure poses a serious cybersecurity risk to organizations across Bangladesh, potentially leading to data breaches, ransomware infections, service outages, or unauthorized access to critical infrastructure.

BGD e-GOV CIRT strongly recommends that every organization in Bangladesh using Microsoft IIS immediately inventory their systems, isolate exposed servers, and migrate to supported platforms without delay.

Figure: Over 450 Identified Vulnerable IPs with End-of-Life IIS Service Exposed Across Bangladesh


Microsoft IIS Lifecycle and Support Status

Microsoft Internet Information Services (IIS) support is tied to the underlying Windows Server operating system. Many organizations are still running outdated versions that have reached End-of-Life (EOL) or End-of-Support (EOS), meaning that no further security patches are available for them.

Key EOL Versions Identified:

  1. IIS 8.5 (Windows Server 2012 R2)
  2. IIS 8.0 (Windows Server 2012)
  3. IIS 7.5 (Windows Server 2008 R2)
  4. IIS 7.0 (Windows Server 2008)
  5. IIS 6.0 (Windows Server 2003)

Currently Supported Versions (Recommended):

  1. IIS 10 on Windows Server 2019 and Windows Server 2022
  2. IIS 10.x on newer Windows Server 2025 deployments

Note on Extended Security Updates (ESU):

ESU is available only for Windows Server 2012 and 2012 R2 until 13 October 2026. No ESU exists for older versions (2008/2008 R2 or earlier). Organizations still on 2012/2012 R2 should enroll in ESU immediately if full migration is not yet possible.


Threat Landscape and Risks

  1. EOL IIS servers are easily discovered by attackers and often exploited within hours of exposure.
  2. These systems are frequently used as entry points for ransomware, data theft, and lateral movement into internal networks.
  3. Compromised IIS servers can disrupt government services, banking operations, e-commerce platforms, educational portals, and healthcare systems.


Immediate Recommended Actions

Inventory All IIS Servers within your organization

Scan your network for IIS installations using commands like Get-WindowsFeature -Name Web-Server (run in PowerShell on each Windows Server host) or vulnerability scanning tools such as Nessus or OpenVAS, which can detect IIS services, versions, and associated vulnerabilities.
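The following script is an added example, not BGD e-GOV CIRT's own tooling. It runs the advisory's Get-WindowsFeature check on a list of hosts over PowerShell remoting, reads the installed IIS version from the registry, and classifies each host against the EOL and ESU statements above. It assumes WinRM is enabled to the targets, that the caller is a local administrator there, and that the targets run Windows PowerShell 3 or later; the host names, the CSV path and the public URL at the end are constructed placeholders.

```powershell
# Added example (not BGD e-GOV CIRT's own script): inventory Windows hosts for the IIS role and
# classify the installed version against the advisory's lifecycle list.
# Assumptions: WinRM remoting to the targets, local admin rights there, Windows PowerShell 3+.
# Host names below are constructed placeholders; replace with your own inventory or an AD query.

$Servers = @('web01.example.local', 'web02.example.local')   # placeholders

# IIS major.minor -> support status, taken from the advisory's EOL and ESU statements
$Lifecycle = @{
    '10.0' = 'Supported (IIS 10 on Windows Server 2019/2022/2025; confirm the OS build itself is in support)'
    '8.5'  = 'EOL: Windows Server 2012 R2 - enrol in ESU (ends 13 Oct 2026) or migrate'
    '8.0'  = 'EOL: Windows Server 2012 - enrol in ESU (ends 13 Oct 2026) or migrate'
    '7.5'  = 'EOL: Windows Server 2008 R2 - no ESU, decommission or air-gap'
    '7.0'  = 'EOL: Windows Server 2008 - no ESU, decommission or air-gap'
    '6.0'  = 'EOL: Windows Server 2003 - no ESU, decommission or air-gap'
}

# Runs on each target: the advisory's Get-WindowsFeature check plus the version IIS records
# under HKLM\SOFTWARE\Microsoft\InetStp (present even when the W3SVC service is stopped).
$Probe = {
    Import-Module ServerManager -ErrorAction SilentlyContinue
    $feature = Get-WindowsFeature -Name Web-Server
    $version = $null
    if ($feature.Installed) {
        $v = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\InetStp' -Name MajorVersion, MinorVersion
        $version = '{0}.{1}' -f $v.MajorVersion, $v.MinorVersion
    }
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        OS           = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
        IISInstalled = [bool]$feature.Installed
        IISVersion   = $version
    }
}

$report = Invoke-Command -ComputerName $Servers -ScriptBlock $Probe `
              -ErrorAction SilentlyContinue -ErrorVariable probeErrors |
    ForEach-Object {
        if (-not $_.IISInstalled) { $status = 'No IIS role' }
        elseif ($Lifecycle.ContainsKey($_.IISVersion)) { $status = $Lifecycle[$_.IISVersion] }
        else { $status = 'Unknown IIS version - check the Microsoft lifecycle page' }
        [pscustomobject]@{
            ComputerName = $_.ComputerName
            OS           = $_.OS
            IISVersion   = $_.IISVersion
            Status       = $status
        }
    }

$report | Sort-Object Status | Format-Table -AutoSize
$report | Export-Csv -Path .\iis-inventory.csv -NoTypeInformation   # placeholder output path

# Hosts that could not be reached still need attention: Server 2003/2008 often lack WinRM and
# PowerShell 3+, so cover them with the Nessus/OpenVAS scans the advisory mentions.
foreach ($e in $probeErrors) {
    Write-Warning ('Could not probe {0}: {1}' -f $e.TargetObject, $e.Exception.Message)
}

# Optional: confirm what your own internet-facing hostnames advertise in the Server header,
# which is what external scanning data such as the Shadowserver report is based on.
# Windows PowerShell 5.1 semantics (a 4xx response surfaces as an exception with .Response).
function Get-IisBanner {
    param([string[]]$Url)
    foreach ($u in $Url) {
        try {
            $r = Invoke-WebRequest -Uri $u -Method Head -UseBasicParsing -TimeoutSec 10
            [pscustomobject]@{ Url = $u; Server = $r.Headers['Server'] }
        } catch {
            $hdr = $null
            if ($_.Exception.Response) { $hdr = $_.Exception.Response.Headers['Server'] }
            [pscustomobject]@{ Url = $u; Server = $hdr }
        }
    }
}
Get-IisBanner -Url 'https://www.example.org/'   # placeholder: your own public hostnames only
```

The CSV gives you the prioritised list the next section asks for: everything marked "no ESU" goes first, ESU-eligible 2012/2012 R2 hosts second. A banner of Microsoft-IIS/8.5 or lower on a public hostname means the host is visible to the same scanning that produced the figures in this advisory, even if the internal inventory missed it.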

Prioritize Remediation

Internet-facing servers first – these pose the highest risk.

Migrate applications to supported IIS 10 on Windows Server 2019/2022, or switch to modern alternatives (Nginx, Apache on Linux, cloud services like Azure App Service).

For Windows Server 2012/2012 R2: Enroll in Extended Security Updates (ESU) before the 13 October 2026 deadline.

For Windows Server 2008/2003 or earlier: Decommission or fully air-gap these systems immediately.

Temporary Hardening Measures (if immediate migration is not possible)

Place servers behind a Web Application Firewall (WAF).

Implement strict IP whitelisting and disable unnecessary features (WebDAV, FTP, etc.).

Enable comprehensive logging and 24/7 monitoring.

Network-Level Protections

Apply egress filtering to block unauthorized outbound traffic.

Conduct regular vulnerability scanning and patch management.
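The script below is an added example, not a BGD e-GOV CIRT script, and applies the temporary hardening and network-level measures listed above to a single EOL IIS host that cannot yet be migrated: it removes the WebDAV and FTP features, restricts the site to the WAF and admin source addresses, turns on full W3C logging, and prepares outbound (egress) filtering with Windows Firewall. It assumes an elevated PowerShell session on the server itself and Windows Server 2012 or later (2008 R2 lacks the NetSecurity cmdlets used in the last step); the site name, source addresses, collector address and port are constructed placeholders.

```powershell
# Added example (not BGD e-GOV CIRT's own script): interim hardening for an EOL IIS host
# awaiting migration. Run elevated on the server itself, Windows Server 2012 or later.
# Site name, allowed addresses and the log collector below are constructed placeholders.

Import-Module ServerManager
Import-Module WebAdministration

$SiteName = 'Default Web Site'                 # placeholder: the site being protected
$AllowedSources = @(                           # placeholders from the TEST-NET documentation ranges
    @{ ipAddress = '203.0.113.0';   subnetMask = '255.255.255.0'   }   # WAF egress range
    @{ ipAddress = '198.51.100.10'; subnetMask = '255.255.255.255' }   # admin jump host
)
$LogCollector     = '192.0.2.20'               # placeholder: SIEM / syslog collector
$ApplyEgressBlock = $false                     # set to $true only after allow rules for DNS, AD,
                                               # WSUS/ESU and monitoring traffic exist

# 1. Remove features the advisory names as unnecessary (WebDAV, FTP). No-op when not installed.
foreach ($feature in 'Web-DAV-Publishing', 'Web-Ftp-Server') {
    if ((Get-WindowsFeature -Name $feature).Installed) {
        Uninstall-WindowsFeature -Name $feature | Out-Null
        Write-Host "Removed feature $feature"
    }
}

# 2. IP restrictions: only the WAF and admin addresses may reach the site; unlisted sources are
#    denied. With a reverse-proxy WAF in front, this is what stops direct access to the origin.
if (-not (Get-WindowsFeature -Name Web-IP-Security).Installed) {
    Install-WindowsFeature -Name Web-IP-Security | Out-Null
}
$ipFilter = '/system.webServer/security/ipSecurity'
$sitePath = "IIS:\Sites\$SiteName"
Clear-WebConfiguration -Filter $ipFilter -PSPath $sitePath          # start from an empty list
Set-WebConfigurationProperty -Filter $ipFilter -PSPath $sitePath -Name allowUnlisted -Value $false
foreach ($src in $AllowedSources) {
    Add-WebConfigurationProperty -Filter $ipFilter -PSPath $sitePath -Name '.' `
        -Value @{ ipAddress = $src.ipAddress; subnetMask = $src.subnetMask; allowed = $true }
}

# 3. Full W3C logging so the fields detection depends on (client IP, method, URI, status and
#    sub-status, user agent, host) are all recorded. Ship the log directory to the collector
#    with your log agent; that part is outside this script.
$logFilter = "/system.applicationHost/sites/site[@name='$SiteName']/logFile"
$appHost   = 'MACHINE/WEBROOT/APPHOST'
Set-WebConfigurationProperty -PSPath $appHost -Filter $logFilter -Name enabled   -Value $true
Set-WebConfigurationProperty -PSPath $appHost -Filter $logFilter -Name logFormat -Value 'W3C'
Set-WebConfigurationProperty -PSPath $appHost -Filter $logFilter -Name logExtFileFlags -Value `
    'Date,Time,ClientIP,UserName,ServerIP,Method,UriStem,UriQuery,HttpStatus,HttpSubStatus,Win32Status,BytesSent,BytesRecv,TimeTaken,ServerPort,UserAgent,Referer,Host'

# 4. Egress filtering: a web server should not initiate arbitrary outbound connections, so
#    allow the destinations you have enumerated and then flip the default outbound action to
#    Block. The flip is gated because it also cuts DNS, AD and update traffic until those
#    have their own allow rules.
New-NetFirewallRule -DisplayName 'EOL-IIS: allow log shipping to collector' -Direction Outbound `
    -Action Allow -Protocol TCP -RemoteAddress $LogCollector -RemotePort 6514 | Out-Null   # placeholder port
if ($ApplyEgressBlock) {
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block
    Write-Host 'Default outbound action set to Block on all firewall profiles'
} else {
    Write-Warning 'Egress default left at Allow; set $ApplyEgressBlock = $true once the allow rules for DNS, AD, update and monitoring traffic are in place.'
}
```

These settings reduce exposure but do not restore patch coverage: an EOL host behind a WAF with restricted sources is still running unpatched code, so the script is a stop-gap for the period until the migration or ESU enrolment described above is complete, and the logs it enables are what you would send to BGD e-GOV CIRT if the host is later found to be compromised.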

Report to BGD e-GOV CIRT

Immediately report any Indicators of Compromise (IOCs), suspicious activity, or cyber incidents to BGD e-GOV CIRT at: cti@cirt.gov.bd, info@cirt.gov.bd


References

  1. Shadowserver Foundation EOL IIS Reports: https://www.linkedin.com/posts/the-shadowserver-foundation_cybercivildefense-cybersecurity-attacksurface-activity-7441785045998174208-0Vti/
  2. Microsoft IIS Lifecycle: https://learn.microsoft.com/en-us/lifecycle/products/internet-information-services-iis
  3. Microsoft ESU FAQ: https://learn.microsoft.com/en-us/lifecycle/faq/extended-security-updates#esu-availability-and-end-dates

