CVE-2000-0884

EXPLOITED

Internet Information Server 4.0-5.0 - Path Traversal and Remote Code Execution via Unicode-Encoded URL

Title source: llm

Exploitation Summary

CVE-2000-0884 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 9 public exploits from researchers including Optyx, Roelof Temmingh, and steeLe.

AI-analyzed exploit summary: This exploit targets a directory traversal vulnerability in Microsoft IIS 4.0/5.0 via Unicode encoding manipulation. It allows remote command execution by traversing directories to access cmd.exe and execute arbitrary commands.

Description

IIS 4.0 and 5.0 allow remote attackers to read documents outside of the web root, and possibly execute arbitrary commands, via malformed URLs that contain UNICODE encoded characters, aka the "Web Server Folder Traversal" vulnerability.

Exploits (9)

exploitdb WORKING POC VERIFIED
by Optyx · c · remote · windows
https://www.exploit-db.com/exploits/190

This exploit targets a directory traversal vulnerability in Microsoft IIS 4.0/5.0 via Unicode encoding manipulation. It allows remote command execution by traversing directories to access cmd.exe and execute arbitrary commands.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Microsoft IIS 4.0/5.0
No auth needed
Prerequisites: Network access to vulnerable IIS server · IIS 4.0/5.0 with default configurations
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Roelof Temmingh · perl · remote · windows
https://www.exploit-db.com/exploits/192

This Perl script exploits the IIS Unicode vulnerability (CVE-2000-0884) to achieve remote command execution by leveraging directory traversal via Unicode-encoded characters. It first checks for the presence of a copied cmd.exe (sensepost.exe) and copies it if missing, then executes arbitrary commands.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Microsoft IIS 4.0/5.0
No auth needed
Prerequisites: Vulnerable IIS server with Unicode directory traversal flaw · Network access to the target
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by steeLe · perl · remote · windows
https://www.exploit-db.com/exploits/191

This Perl script exploits a Unicode directory traversal vulnerability in IIS 4.0/5.0 (CVE-2000-0884) by sending crafted HTTP requests to execute arbitrary commands (e.g., `cmd.exe /c dir`). It checks multiple Unicode-encoded traversal sequences and logs vulnerable hosts.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Microsoft IIS 4.0/5.0
No auth needed
Prerequisites: Network access to target IIS server · IIS 4.0/5.0 with vulnerable Unicode parsing
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by incubus · c · remote · windows
https://www.exploit-db.com/exploits/189

This exploit targets a directory traversal vulnerability in IIS 4/5 via a malformed URL to execute arbitrary commands through cmd.exe. It sends an HTTP GET request with encoded traversal sequences to achieve remote command execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Microsoft Internet Information Services (IIS) 4.0/5.0
No auth needed
Prerequisites: Network access to the target IIS server · IIS 4.0/5.0 with vulnerable configuration
devstral-2 · analyzed Feb 16, 2026

exploitdb SCANNER VERIFIED
by Roelof Temmingh · perl · remote · windows
https://www.exploit-db.com/exploits/20299

This Perl script tests for the Unicode directory traversal vulnerability (CVE-2000-0884) in Microsoft IIS 4.0/5.0 and Personal Web Server by sending HTTP requests with encoded traversal sequences to check if arbitrary file access is possible.

Classification: Scanner 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Microsoft IIS 4.0, 5.0, Personal Web Server
No auth needed
Prerequisites: Network access to the target web server
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Andrea Spabam · perl · remote · windows
https://www.exploit-db.com/exploits/20302

This exploit leverages Unicode directory traversal vulnerabilities in Microsoft IIS 4.0/5.0 to execute arbitrary commands via `cmd.exe`. It includes multiple encoded paths to bypass security filters and achieve remote code execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft IIS 4.0/5.0
No auth needed
Prerequisites: Network access to vulnerable IIS server · Target server must be running IIS 4.0/5.0 with Unicode traversal vulnerability
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by BoloTron · php · remote · windows
https://www.exploit-db.com/exploits/20301

This exploit leverages Unicode directory traversal in Microsoft IIS 4.0/5.0 to execute arbitrary commands via `cmd.exe`. It includes multiple attack vectors to bypass security checks and achieve remote code execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Microsoft IIS 4.0/5.0, Microsoft Personal Web Server
No auth needed
Prerequisites: Network access to vulnerable IIS server · Knowledge of target paths
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by zipo · c · remote · windows
https://www.exploit-db.com/exploits/20300

This exploit leverages a Unicode directory traversal vulnerability in Microsoft IIS 4.0/5.0 to execute arbitrary commands via cmd.exe. It sends crafted HTTP requests with encoded traversal sequences to bypass security checks and achieve remote code execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Microsoft IIS 4.0/5.0
No auth needed
Prerequisites: Network access to vulnerable IIS server · Knowledge of target paths
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Gabriel Maggiotti · c · remote · windows
https://www.exploit-db.com/exploits/20298

This exploit targets CVE-2000-0884, a directory traversal vulnerability in Microsoft IIS 4.0/5.0 and Personal Web Server via Unicode-encoded '../' sequences. It attempts to execute arbitrary commands by accessing 'cmd.exe' through various paths and Unicode obfuscation techniques.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft IIS 4.0/5.0, Microsoft Personal Web Server
No auth needed
Prerequisites: Network access to vulnerable IIS server · Knowledge of target file paths
devstral-2 · analyzed Feb 16, 2026

References (5)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/5377
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/1806
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/436
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A44

Scores

EPSS: 0.8407
EPSS Percentile: 99.3%

Details

VulnCheck KEV: 2005-08-25
Status: published
Products (2):
microsoft/internet_information_server 4.0
microsoft/internet_information_services 5.0
Published: Dec 19, 2000
Tracked Since: Feb 18, 2026