A zero-day in IIS 6.0 can allow attackers to compromise and take over Windows servers. The vulnerability only affects the IIS WebDAV service included by default in all IIS distributions. Chinese researchers say they’ve identified attacks with this vulnerability going back to July and August 2016. Microsoft acknowledged the flaw, but said it couldn’t patch it as it affected EOL products, for which it doesn’t issue updates anymore. Cyber-security firm 0patch has provided a temporary patch for this issue, that server owners can apply.
Source: https://www.bleepingcomputer.com/news/security/new-iis-6-0-zero-day-exploited-in-live-attacks-since-july-2016/