CVE-1999-0975

Windows 95 and 98 - Local Command Execution via Help File Topic Action

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-1999-0975. PoCs published by Pauli Ojanpera.

AI-analyzed exploit summary This exploit leverages the Windows Help system's ability to execute arbitrary commands via modified *.cnt files. By editing the WDMAIN8.CNT file to include a malicious entry, an attacker can trigger the execution of CMD.EXE when a user selects a specific help topic.

Description

The Windows help system can allow a local user to execute commands as another user by editing a table of contents metafile with a .CNT extension and modifying the topic action to include the commands to be executed when the .hlp file is accessed.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Pauli Ojanpera · textlocalwindows
https://www.exploit-db.com/exploits/19673

This exploit leverages the Windows Help system's ability to execute arbitrary commands via modified *.cnt files. By editing the WDMAIN8.CNT file to include a malicious entry, an attacker can trigger the execution of CMD.EXE when a user selects a specific help topic.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Microsoft Windows Help System (winhlp32.exe)
No auth needed
Prerequisites: Access to modify WDMAIN8.CNT file · User interaction to trigger the help topic
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (1)

Core 1
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/868

Scores

EPSS 0.0270
EPSS Percentile 84.0%

Details

Status published
Products (3)
microsoft/windows_95
microsoft/windows_98
microsoft/windows_nt 4.0
Published Dec 10, 1999
Tracked Since Feb 18, 2026