CVE-2001-0333

EXPLOITED

Internet Information Server < 5.0 - Directory Traversal via Double-Encoded Dot-Dot Sequences

Title source: llm

Exploitation Summary

CVE-2001-0333 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 10 public exploits from researchers including Metasploit, HuXfLuX, and Roelof, among them the Metasploit module exploits/windows/iis/ms01_026_dbldecode.

AI-analyzed exploit summary: This Metasploit module exploits the CGI double-decode vulnerability in Microsoft IIS/PWS to execute arbitrary commands by leveraging improper URL decoding. It copies cmd.exe to the web root and executes payloads via HTTP requests.

Description

Directory traversal vulnerability in IIS 5.0 and earlier allows remote attackers to execute arbitrary commands by encoding .. (dot dot) and "\" characters twice.

Exploits (10)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · windows
https://www.exploit-db.com/exploits/16467

This Metasploit module exploits the CGI double-decode vulnerability in Microsoft IIS/PWS to execute arbitrary commands by leveraging improper URL decoding. It copies cmd.exe to the web root and executes payloads via HTTP requests.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft IIS/PWS (2001 vulnerability)
No auth needed
Prerequisites: Network access to vulnerable IIS/PWS server · Target server must allow HTTP requests to /scripts/ directory
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by HuXfLuX · c · remote · windows
https://www.exploit-db.com/exploits/20836

This exploit targets a CGI filename decode vulnerability in Microsoft IIS (CVE-2001-0333), allowing remote command execution via double-decoding of malformed filenames. The PoC sends a crafted HTTP GET request to execute arbitrary commands with IUSR_machinename privileges.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Microsoft IIS 3.0, 4.0, 5.0
No auth needed
Prerequisites: Network access to vulnerable IIS server · Port 80 accessible
devstral-2 · analyzed Feb 16, 2026

exploitdb WRITEUP VERIFIED
by Roelof · text · remote · windows
https://www.exploit-db.com/exploits/20842

This is a detailed writeup describing a vulnerability in IIS where a flaw in CGI filename handling allows remote command execution due to double decoding. The vulnerability is exploited by malformed filenames bypassing security checks.

Classification: Writeup 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft IIS (versions not specified, but includes Personal Web Server 1.0 and 3.0)
No auth needed
Prerequisites: Access to a vulnerable IIS server · Ability to send crafted HTTP requests
devstral-2 · analyzed Feb 16, 2026

exploitdb WRITEUP VERIFIED
by Gary O'Leary-Steele · text · remote · windows
https://www.exploit-db.com/exploits/20841

The writeup describes a flaw in IIS CGI filename handling where double decoding of malformed requests can lead to arbitrary command execution with IUSR_machinename privileges. This vulnerability is exploited by the Nimda worm and affects Personal Web Server 1.0 and 3.0.

Classification: Writeup 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft IIS, Personal Web Server 1.0, 3.0
No auth needed
Prerequisites: Access to a vulnerable IIS server · Ability to send crafted HTTP requests
devstral-2 · analyzed Feb 16, 2026

exploitdb WRITEUP VERIFIED
by A.Ramos · text · remote · windows
https://www.exploit-db.com/exploits/20840

The writeup describes a vulnerability in IIS where a flaw in CGI filename handling allows remote command execution due to double decoding of malformed filenames. This bypasses security checks and executes commands with IUSR_machinename privileges.

Classification: Writeup 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft IIS (versions not specified, but includes Personal Web Server 1.0 and 3.0)
No auth needed
Prerequisites: Access to a vulnerable IIS server · Ability to send crafted CGI requests
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Leif Jakob · bash · remote · windows
https://www.exploit-db.com/exploits/20839

This exploit leverages a double-decoding flaw in IIS CGI handling to execute arbitrary commands via a malformed request. The script constructs a GET request with encoded traversal sequences to bypass security checks and execute `cmd.exe`.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Microsoft IIS 4.0/5.0, Personal Web Server 1.0/3.0
No auth needed
Prerequisites: netcat installed · target running vulnerable IIS/PWS version
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by MovAX · c · remote · windows
https://www.exploit-db.com/exploits/20838

This exploit targets a double-decoding vulnerability in Microsoft IIS (CVE-2001-0333) to achieve remote command execution. It crafts a malformed HTTP GET request with encoded traversal sequences to bypass security checks and execute arbitrary commands via cmd.exe.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft IIS 4.0/5.0, Personal Web Server 1.0/3.0
No auth needed
Prerequisites: Network access to vulnerable IIS server · Target directory with script execution permissions
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Cyrus The Gerat · perl · remote · windows
https://www.exploit-db.com/exploits/20837

This Perl script exploits CVE-2001-0333, a double-decoding flaw in IIS 4/5 CGI handling, allowing remote command execution via malformed requests. It tests for vulnerability, copies cmd.exe if needed, and executes arbitrary commands.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft IIS 4.0/5.0, Personal Web Server 1.0/3.0
No auth needed
Prerequisites: Network access to vulnerable IIS server · Perl environment
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Filip Maertens · c · remote · windows
https://www.exploit-db.com/exploits/20835

This exploit leverages a CGI filename decode error in Microsoft IIS to execute arbitrary commands via a malformed request. The vulnerability arises from double-decoding of the CGI filename, bypassing security checks.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Microsoft IIS (versions affected include those running on Windows 2000 Server/Professional, Personal Web Server 1.0 and 3.0)
No auth needed
Prerequisites: Network access to the target IIS server · IIS server with vulnerable CGI handling
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
by jduck · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/iis/ms01_026_dbldecode.rb

This Metasploit module exploits the CGI double-decode vulnerability in Microsoft IIS/PWS (CVE-2001-0333) to achieve remote command execution. It leverages directory traversal via encoded sequences to access cmd.exe and execute arbitrary commands or drop a payload.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft IIS/PWS (2001 era, pre-MS01-026 patch)
No auth needed
Prerequisites: Target running vulnerable IIS/PWS with accessible CGI scripts directory · Network access to TCP/80
devstral-2 · analyzed Feb 16, 2026

References (9)

Core References
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1051
US Government Resource third-party-advisory x_refsource_cert
http://www.cert.org/advisories/CA-2001-12.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/6534
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A37
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A78
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/2708
Mailing List mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=98992056521300&w=2
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1018

Scores

EPSS: 0.8455
EPSS Percentile: 99.4%

Details

VulnCheck KEV: 2001-03-18
Status: published
Products (2):
microsoft/internet_information_server 4.0
microsoft/internet_information_server < 5.0
Published: Jun 27, 2001
Tracked Since: Feb 18, 2026