CVE-1999-0504

Windows NT and Windows 2000 - Unauthenticated Local Account Access via Default Null Password

Title source: llm

Exploitation Summary

EIP tracks 6 public exploits for CVE-1999-0504. PoCs published by Metasploit, hdm, Ben Campbell, including Metasploit module auxiliary/scanner/smb/psexec_loggedin_users.

AI-analyzed exploit summary

This Metasploit module exploits CVE-1999-0504 by leveraging SMB authentication to upload and execute a payload as a service on Windows systems, similar to SysInternals' PsExec. It requires valid administrator credentials and creates a temporary service to achieve remote code execution.

Description

A Windows NT local user or administrator account has a default, null, blank, or missing password.

Exploits (6)

exploitdb · Working PoC · Verified
by Metasploit · tags: ruby, remote, windows
https://www.exploit-db.com/exploits/16374

This Metasploit module exploits CVE-1999-0504 by leveraging SMB authentication to upload and execute a payload as a service on Windows systems, similar to SysInternals' PsExec. It requires valid administrator credentials and creates a temporary service to achieve remote code execution.

Classification: Working PoC (100%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows (various versions)
Auth required
Prerequisites: Valid administrator username and password or hash · SMB access to the target · Write permissions to ADMIN$ share
Analyzed by devstral-2 on Feb 16, 2026
metasploit · Working PoC
tags: ruby, poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/psexec_loggedin_users.rb

This Metasploit module enumerates logged-in users on a Windows system by querying the HKU registry key via SMB, using valid administrator credentials. It leverages psexec-like functionality to execute commands remotely and parse registry output.

Classification: Working PoC (95%)
Attack type: Info leak
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows (SMB/Registry)
Auth required
Prerequisites: Valid administrator credentials · SMB access (port 445) · Writeable share (e.g., C$)
Analyzed by devstral-2 on Feb 16, 2026
metasploit · Working PoC · Rank: Manual
by hdm · tags: ruby, poc, win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/smb/psexec.rb

This Metasploit module exploits valid administrator credentials to execute arbitrary payloads on Windows systems via SMB, similar to SysInternals' PsExec. It supports multiple execution methods including PowerShell, native upload, MOF upload, and command execution.

Classification: Working PoC (100%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows (various versions)
Auth required
Prerequisites: Valid administrator username and password or password hash · SMB access to the target system · Appropriate network access and permissions
Analyzed by devstral-2 on Feb 16, 2026
metasploit · Working PoC · Rank: Excellent
by Ben Campbell · tags: ruby, poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/powershell_remoting.rb

This Metasploit module exploits PowerShell Remoting (WinRM) to execute arbitrary commands on target machines via TCP 47001. It supports both IP ranges and host files for targeting, and can authenticate using provided credentials.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Windows PowerShell Remoting (WinRM)
Auth required
Prerequisites: PowerShell Remoting enabled on target · Valid credentials if authentication is required · Network access to TCP 47001
Analyzed by devstral-2 on Feb 16, 2026
metasploit · Working PoC · Rank: Excellent
by egypt, jabra · tags: ruby, poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/current_user_psexec.rb

This Metasploit module exploits CVE-1999-0504 by uploading an executable to a victim system, creating a share, and starting a remote service via a UNC path to achieve remote code execution using the current user's token. It supports both SMB and PowerShell techniques for payload delivery.

Classification: Working PoC (100%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Windows systems with vulnerable SMB/service configurations
Auth required
Prerequisites: Valid session with administrative privileges · SMB access to target systems · Ability to create shares and services
Analyzed by devstral-2 on Feb 19, 2026
metasploit · Working PoC · Rank: Excellent
by Ben Campbell · tags: ruby, poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/wmi.rb

This Metasploit module exploits CVE-1999-0504 by leveraging WMI (Windows Management Instrumentation) to execute PowerShell payloads remotely via WMIC commands, using the current user's authentication token. It supports both direct execution and chunked payload delivery via environment variables for systems without ExtAPI support.

Classification: Working PoC (100%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Windows Management Instrumentation (WMI)
Auth required
Prerequisites: Remote WMI access enabled · Valid user credentials or session token · Network access to TCP port 135 and ephemeral ports
Analyzed by devstral-2 on Feb 19, 2026

References (1)

Core References
Third Party Advisory, VDB Entry (x_refsource_misc)
https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0504

Scores

EPSS score: 0.6370
EPSS percentile: 99.1%

Details

Status: published
Products (2):
microsoft/windows_2000
microsoft/windows_nt
Published: Jan 01, 1997
Tracked since: Feb 18, 2026