MD5 Preimage Vulnerability in 2017

MD5 should be considered completely compromised for password use, and has been "deprecated" for passwords for a long time. It doesn't even have to involve preimage attacks or explicit vulnerabilities. It is as simple as the fact that the hash rate for modern GPU stacks against MD5 is so fast that you can feasibly brute force nearly any password (okay, I exaggerate slightly)

This is an extreme setup, but it can run through almost 200 billion hashes per second. That means it can guess about 200 billion passwords every second if they are hashed as MD5. I don't have an exact translation but as you can imagine, being able to try 200 billion password guesses every second means that even strong passwords can get easily cracked. The article suggests that it can crack a 14 character windows XP password (which is slightly weaker, and has roughly double the hash rate as for MD5) in just 7 minutes.

More realistic hashing setups might hash passwords at roughly a tenth of that rate, but even still it is quite possible to brute force any realistic password that is hashed with MD5.

Edit to address the second half of your question

Is this an immediate threat? Yes and no. In practical terms it is a theoretical threat, as your passwords will only be vulnerable in the event that this internal system is breached. However, the more you read about the very involved kind of hacks that criminals go through when they want something, the more you realize how important it is to have thorough security at every level of the system. I personally believe that internal systems should be as secure as external systems. Here is a good example of a time that bad security lead to expensive breaches:

https://gizmodo.com/hackers-found-a-new-way-to-rip-off-atms-1818859798

Moreover, the other issue is that MD5 has been "out-of-fashion" for password storage for quite a long while now. I would be very concerned that the rest of their security is equally out-of-date, and that this internal system of yours is full of security holes.

Another edit

An important thought to keep in mind: with these things an important consideration is the potential damage done in the event of a breach. I don't know what this internal system does, but there is one important bit of sensitive information it definitely stores: your user's passwords. Even if that is all it stores, it is potentially dangerous. Here is a very plausible worse-case scenario. What are the odds that you have an administrator that has a user account on this internal system? If so, what are the odds that that person used the same password for the internal system as the did for the password to administer, say, your company-wide email system? If so it is a short hop, skip, and jump from cracking an MD5 password to taking control of your email system, and from there to probably any aspect of your company that is web-facing.

While you try to work things out with the people who manage your internal system, you can think through this thought process yourself and take appropriate steps: "If a malicious user managed to get a hold of the password to email account X, how much trouble could they cause?". You would be surprised how many companies out there have effectively their entire system dependent upon the security of a single email account, and that without any 2FA. If that is the case for your company you should fix that, regardless of what this third-party vendor says. Otherwise your worst-case-scenario is very bad, and this internal system is just one of many ways in which a malicious attacker may be able to cripple your company.