CVE-2001-0876

Windows 98, 98SE, ME, and XP - Remote Code Execution via UPnP NOTIFY Location URL

Exploitation Summary

EIP tracks 2 public exploits for CVE-2001-0876. PoCs published by JOCANOR, Gabriel Maggiotti.

Description

Buffer overflow in Universal Plug and Play (UPnP) on Windows 98, 98SE, ME, and XP allows remote attackers to execute arbitrary code via a NOTIFY directive with a long Location URL.

Exploits (2)

exploitdb · Working PoC · Verified
by JOCANOR · c · remote · windows
https://www.exploit-db.com/exploits/21189

This exploit targets a buffer overflow vulnerability in the UPnP service on Windows XP (CVE-2001-0876) by sending a crafted NOTIFY directive to overwrite memory and execute a bind shell on port 1981. The exploit uses a combination of NOP sleds, a jump code, and shellcode to achieve remote code execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Windows XP (UPnP service)
No auth needed
Prerequisites: Network access to the target's UPnP service (port 5000 or 445) · Target running Windows XP with UPnP enabled
devstral-2 · analyzed Feb 16, 2026

exploitdb · Working PoC · Verified
by Gabriel Maggiotti · c · remote · windows
https://www.exploit-db.com/exploits/21188

This exploit targets a buffer overflow vulnerability in the Universal Plug and Play (UPnP) service on Windows ME and XP. It can cause a denial-of-service (DoS) or execute arbitrary code by sending a maliciously crafted NOTIFY directive with excessive length in the IP address, port, and filename components.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Windows ME/XP UPnP service
No auth needed
Prerequisites: Network access to the target's UPnP service (port 5000)
devstral-2 · analyzed Feb 16, 2026

References (8)

Core References
Third Party Advisory, US Government Resource (third-party-advisory, government-resource, x_refsource_ciac)
http://www.ciac.org/ciac/bulletins/m-030.shtml

Mailing List (mailing-list, x_refsource_ntbugtraq)
http://marc.info/?l=ntbugtraq&m=100887271006313&w=2

Mailing List (mailing-list, x_refsource_bugtraq)
http://marc.info/?l=bugtraq&m=100887440810532&w=2

Patch, Third Party Advisory, US Government Resource (third-party-advisory, x_refsource_cert)
http://www.cert.org/advisories/CA-2001-37.html

US Government Resource (third-party-advisory, x_refsource_cert-vn)
http://www.kb.cert.org/vuls/id/951555

Third Party Advisory, VDB Entry (vdb-entry, x_refsource_xf)
https://exchange.xforce.ibmcloud.com/vulnerabilities/7721

Patch, Vendor Advisory (vdb-entry, x_refsource_bid)
http://www.securityfocus.com/bid/3723

Scores

EPSS: 0.4948
EPSS Percentile: 98.7%

Details

Status: published
Products (4):
microsoft/windows_98
microsoft/windows_98se
microsoft/windows_me
microsoft/windows_xp
Published: Dec 20, 2001
Tracked Since: Feb 18, 2026