CyberNews researchers said they have identified over 2 million web servers running on outdated, out-of-service and vulnerable Microsoft Internet Information Services (IIS).

Since outdated versions of IIS are no longer supported by Microsoft, the researchers said they could easily compromise them, inject all sorts of malware, and even steal visitor data, which could include billing and authentication information.

Microsoft IIS is the third most popular web server in the world, serving at least 51.6 million websites and web applications worldwide, and has a market share of 12.4%. “While Microsoft provides relative security for newer versions with security updates and vulnerability fixes, older versions of IIS starting from 7.5 and below are no longer supported by the company. Like other types of outdated server software, all outdated versions of Microsoft IIS suffer from multiple critical security vulnerabilities, ”CyberNews notes.

The researchers examined five different versions of IIS with vulnerabilities. Collectively, they were found to serve over two million web servers. A total of 7.3 million potentially vulnerable servers were identified, but 72% of them turned out to be decoys.

IIS 7.0 with 17 known vulnerabilities turned out to be the most dangerous.

However, it runs on more than 47,000 web servers.

China turned out to be the country with the highest number of vulnerable installations, with 679,000 IIS servers. In second place is the United States with over 581,000 unprotected servers. In third place is Hong Kong, where more than 200,000 such servers were found, followed by South Korea and Germany.

CyberNews security researcher Mantas Sasnauskas believes that the situation is aggravated by the fact that web servers hosting public websites will also broadcast their outdated versions of IIS: “This means that running these servers on apparently vulnerable software is tantamount to inviting intruders to penetrate the network. “

Experts point out that there are more Microsoft IIS servers in China and Russia, as they are easier to install than Linux servers, and license costs are not a problem since they are mostly illegal versions of Windows.

Microsoft previously said it had patched a vulnerability in its Azure Container Services that could have been exploited by an attacker to “access customer information.” It also warned thousands of companies a week ago that a vulnerability in Azure could allow attackers to read, modify, or even delete documents from the Microsoft Azure Cosmos DB.