CVE-1999-1575

Internet Explorer 4.01/5.0 - Arbitrary File Write and Command Execution via ActiveX Controls

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-1999-1575. PoCs published by Shane Hird.

AI-analyzed exploit summary This exploit leverages a buffer overflow in the setupctl ActiveX control in Microsoft Internet Explorer 4.0. It overwrites the return address with a JMP ESP instruction from SHELL32 and executes arbitrary shellcode to launch CALC.EXE.

Description

The Kodak/Wang (1) Image Edit (imgedit.ocx), (2) Image Annotation (imgedit.ocx), (3) Image Scan (imgscan.ocx), (4) Thumbnail Image (imgthumb.ocx), (5) Image Admin (imgadmin.ocx), (6) HHOpen (hhopen.ocx), (7) Registration Wizard (regwizc.dll), and (8) IE Active Setup (setupctl.dll) ActiveX controls for Internet Explorer (IE) 4.01 and 5.0 are marked as "Safe for Scripting," which allows remote attackers to create and modify files and execute arbitrary commands.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Shane Hird · textremotewindows
https://www.exploit-db.com/exploits/19515

This exploit leverages a buffer overflow in the setupctl ActiveX control in Microsoft Internet Explorer 4.0. It overwrites the return address with a JMP ESP instruction from SHELL32 and executes arbitrary shellcode to launch CALC.EXE.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Internet Explorer 4.0 (Windows 95/NT 4)
No auth needed
Prerequisites: Victim must be using Internet Explorer 4.0 with the vulnerable ActiveX control installed · ActiveX must be enabled
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC
remotewindows
https://www.exploit-db.com/exploits/19521

This is a functional proof-of-concept exploit for a buffer overflow vulnerability in the hhopen OLE control (hhopen.ocx) in older versions of Internet Explorer. The exploit uses a long string to overflow the buffer and overwrite the return address, leading to arbitrary code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Internet Explorer 5.0/4.0.1 with hhopen.ocx (1.0.0.1)
No auth needed
Prerequisites: Victim must visit a malicious webpage hosting the exploit · Target system must have vulnerable hhopen.ocx installed
devstral-2 · analyzed Feb 19, 2026 Full analysis →
exploitdb WORKING POC
localwindows
https://www.exploit-db.com/exploits/19528

This is a functional exploit for a buffer overflow vulnerability in the Internet Explorer Registration Wizard control (regwizc.dll). It leverages a long string with a '/i' prefix to overflow the buffer, overwrite the return address, and execute arbitrary commands (e.g., CALC.EXE) via shellcode.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Internet Explorer 4.1/5.0 (regwizc.dll)
No auth needed
Prerequisites: Victim must visit a malicious webpage hosting the exploit · Target system must be running Windows 95/98/NT 4 with vulnerable IE version
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (8)

Core 8
Core References
US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/41408
US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/24839
US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/26924
US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/9162
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/7097
Exploit mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/28719
US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/23412

Scores

EPSS 0.3563
EPSS Percentile 98.3%

Details

Status published
Products (2)
microsoft/internet_explorer 4.0.1
microsoft/internet_explorer 5.0
Published Sep 10, 1999
Tracked Since Feb 18, 2026