CVE-2000-0649

Microsoft IIS HTTP Internal IP Disclosure

Title source: metasploit

Exploitation Summary

EIP tracks 4 public exploits for CVE-2000-0649. PoCs published by Dougal Campbell, rafaelh, Downgraderz.

AI-analyzed exploit summary: This is a writeup describing an information leakage vulnerability in Microsoft IIS where the internal IP address is disclosed in error messages when accessing a basic authentication-protected area with HTTP 1.0 or specific HTTP methods like PROPFIND.

Description

IIS 4.0 allows remote attackers to obtain the internal IP address of the server via an HTTP 1.0 request for a web page which is protected by basic authentication and has no realm defined.

Exploits (4)

exploitdb WRITEUP VERIFIED
by Dougal Campbell · text · remote · windows
https://www.exploit-db.com/exploits/20096

This is a writeup describing an information leakage vulnerability in Microsoft IIS where the internal IP address is disclosed in error messages when accessing a basic authentication-protected area with HTTP 1.0 or specific HTTP methods like PROPFIND.

Classification: Writeup 100%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Microsoft IIS
No auth needed
Prerequisites: Network access to the target IIS server
mistral-large-3 · analyzed Feb 16, 2026

nomisec SCANNER 8 stars
by rafaelh · poc
https://github.com/rafaelh/CVE-2000-0649

The repository contains a Python script that scans for CVE-2000-0649, an information disclosure vulnerability affecting IIS, NGINX, and Apache. The script sends an HTTP request to the target and checks the response for internal IP addresses using regex.

Classification: Scanner 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: IIS, NGINX, Apache
No auth needed
Prerequisites: Network access to the target server on port 443
mistral-large-3 · analyzed Feb 18, 2026

nomisec SCANNER
by Downgraderz · poc
https://github.com/Downgraderz/PoC-CVE-2000-0649

The repository contains a Python script that checks for CVE-2000-0649 by sending an HTTP request and analyzing the response for internal IP addresses, indicating potential information disclosure. It does not exploit the vulnerability but scans for its presence.

Classification: Scanner 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Microsoft IIS (Internet Information Services)
No auth needed
Prerequisites: Network access to the target server · Target server running a vulnerable version of Microsoft IIS
mistral-large-3 · analyzed Feb 18, 2026

nomisec SCANNER
by stevenvegar · poc
https://github.com/stevenvegar/cve-2000-0649

The repository contains a Python script that scans for CVE-2000-0649, an information disclosure vulnerability in Microsoft IIS and potentially Apache servers. The script sends an HTTP request and checks the response header for internal IP addresses disclosed in the Location field.

Classification: Scanner 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Microsoft IIS 2.0-5.0, potentially Apache 2.4.29
No auth needed
Prerequisites: Network access to the target server · Target server running a vulnerable version of IIS or Apache
mistral-large-3 · analyzed Feb 18, 2026

References (2)

Core References
Exploit, Patch, Vendor Advisory mailing-list x_refsource_ntbugtraq
http://archives.neohapsis.com/archives/ntbugtraq/2000-q3/0025.html
Exploit, Patch, Vendor Advisory vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/1499

Scores

EPSS 0.7656
EPSS Percentile 99.5%

Details

CWE: CWE-200
Status: published
Products (4):
- microsoft/internet_information_server 3.0
- microsoft/internet_information_server 4.0
- microsoft/internet_information_services 2.0
- microsoft/internet_information_services 5.0
Published: Jul 13, 2000
Tracked Since: Feb 18, 2026