A vulnerability has been discovered in Windows 2003 Servers running IIS (Internet Information Services) 6.0. The exploit code takes advantage of a function within the WebDav service, allowing remote attackers to execute arbitrary code. Microsoft declared Windows Server 2003 end of life as of July 14, 2015, meaning no security patches will be released for the operating system.

This should be a big enough driver to upgrade to a supported operating system, such as Windows 2008 Server or later. However, this vulnerability should add more urgency to anyone in this situation.

Integrity360 recommends powering off / decommissioning any servers that match this criteria as you are directly exposed. If there is a critical operational reason for why this cannot happen, at least disable the WebDav service in the interim.