While security support for Windows Server 2003 and IIS 6 ended almost two years ago, some implementations are still running on corporate intranets (in legacy mode). Administrators should move to newer operating systems and also look for mitigating controls right away to address these new concerns.


US-CERT is aware of active exploitation of a vulnerability in Windows Server 2003 Operating System Internet Information Services (IIS) 6.0. Exploitation of this vulnerability may allow a remote attacker to take control of an affected system.

On June 15, 2015, Microsoft ended support for Windows Server 2003 Operating System, which includes its Internet Information Services (IIS) 6.0 web server. Computers running Windows Server 2003 Operating System and its associated programs will continue to work even after support ends. However, using unsupported software may increase the risks of viruses and other security threats.

US-CERT encourages users and administrators to review the National Vulnerability Database entry on this vulnerability, as well as US-CERT Alert TA14-310A.