CVE-2003-0352

EXPLOITED

Microsoft Windows - Buffer Overflow

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2003-0352 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 4 public exploits from researchers including Metasploit, ey4s, [email protected], including a Metasploit module exploits/windows/dcerpc/ms03_026_dcom.

AI-analyzed exploit summary This is a Metasploit module exploiting CVE-2003-0352, a stack buffer overflow in the RPCSS service (MS03-026). It targets multiple Windows versions (NT 4.0 SP3-6a, 2000, XP, 2003) via a crafted DCE/RPC request to achieve remote code execution.

Description

Buffer overflow in a certain DCOM interface for RPC in Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a malformed message, as exploited by the Blaster/MSblast/LovSAN and Nachi/Welchia worms.

Exploits (4)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotewindows
https://www.exploit-db.com/exploits/16749

This is a Metasploit module exploiting CVE-2003-0352, a stack buffer overflow in the RPCSS service (MS03-026). It targets multiple Windows versions (NT 4.0 SP3-6a, 2000, XP, 2003) via a crafted DCE/RPC request to achieve remote code execution.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Microsoft Windows RPCSS Service (DCOM)
No auth needed
Prerequisites: Network access to target's DCE/RPC endpoint (port 135)
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by ey4s · cremotewindows
https://www.exploit-db.com/exploits/100

This exploit targets CVE-2003-0352, a buffer overflow vulnerability in Microsoft Windows DCOM RPC interface. It constructs a malicious RPC request to trigger the overflow and execute arbitrary shellcode, potentially leading to remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Windows DCOM RPC (affects Windows XP, Windows 2000, etc.)
No auth needed
Prerequisites: Network access to vulnerable DCOM RPC interface · Target system must be unpatched
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WRITEUP VERIFIED
by [email protected] · textremotewindows
https://www.exploit-db.com/exploits/22917

The provided text describes CVE-2003-0352, a buffer overflow vulnerability in Microsoft Windows DCOM RPC interface on port 135. Exploitation could lead to remote code execution with Local System privileges. The text references a GitLab link for the exploit but does not contain actual exploit code.

Classification
Writeup 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Windows (various versions, including unconfirmed reports for Windows 9x with .NET)
No auth needed
Prerequisites: Network access to TCP/UDP port 135 (or other RPC Endpoint Mapper ports) · Vulnerable Microsoft Windows system
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC GREAT
by hdm, spoonm, cazz · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/dcerpc/ms03_026_dcom.rb

This Metasploit module exploits a stack buffer overflow in the RPCSS service (CVE-2003-0352) via a crafted DCOM RPC request. It supports multiple Windows versions (NT 4.0 SP3-6a, 2000, XP, 2003) with a universal payload and includes detailed memory corruption techniques.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Microsoft Windows RPCSS Service (DCOM)
No auth needed
Prerequisites: Network access to target · DCOM/RPC service exposed
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (14)

Core 14
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/12629
US Government Resource third-party-advisory x_refsource_cert
http://www.cert.org/advisories/CA-2003-16.html
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A296
Exploit, Patch, Vendor Advisory vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/8205
Mailing List mailing-list x_refsource_fulldisc
http://lists.grok.org.uk/pipermail/full-disclosure/2003-July/007357.html
Mailing List mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=105914789527294&w=2
Mailing List mailing-list x_refsource_fulldisc
http://lists.grok.org.uk/pipermail/full-disclosure/2003-July/007079.html
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A194
US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/568148
Mailing List mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=105838687731618&w=2
US Government Resource third-party-advisory x_refsource_cert
http://www.cert.org/advisories/CA-2003-19.html
Various Sources x_refsource_misc
http://www.xfocus.org/documents/200307/2.html
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2343

Scores

EPSS 0.9114
EPSS Percentile 99.7%

Details

VulnCheck KEV 2007-09-07
Status published
Products (8)
microsoft/windows_2000 (5 CPE variants)
microsoft/windows_2003_server enterprise
microsoft/windows_2003_server enterprise_64-bit
microsoft/windows_2003_server r2 (2 CPE variants)
microsoft/windows_2003_server standard
microsoft/windows_2003_server web
microsoft/windows_nt 4.0 (32 CPE variants)
microsoft/windows_xp (5 CPE variants)
Published Aug 18, 2003
Tracked Since Feb 18, 2026