CVE-2003-0496

Microsoft SQL Server <Windows 2000 SP4 - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2003-0496. PoCs published by Maceo.

AI-analyzed exploit summary

This exploit leverages CVE-2003-0496, a named pipe impersonation vulnerability in Microsoft Windows, to escalate privileges to SYSTEM. It creates a named pipe, waits for a connection, impersonates the client, duplicates the token, and spawns a process with elevated privileges.

Description

Microsoft SQL Server before Windows 2000 SP4 allows local users to gain privileges as the SQL Server user by calling the xp_fileexist extended stored procedure with a named pipe as an argument instead of a normal file.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Maceo · c · local · windows
https://www.exploit-db.com/exploits/22883

This exploit leverages CVE-2003-0496, a named pipe impersonation vulnerability in Microsoft Windows, to escalate privileges to SYSTEM. It creates a named pipe, waits for a connection, impersonates the client, duplicates the token, and spawns a process with elevated privileges.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows (pre-patch for CVE-2003-0496)
No auth needed
Prerequisites: Local access to the target system · Named pipe access
devstral-2 · analyzed Feb 18, 2026

exploitdb WORKING POC VERIFIED
by Maceo · c · local · windows
https://www.exploit-db.com/exploits/22882

This exploit leverages a named pipe impersonation vulnerability (CVE-2003-0496) in Microsoft Windows to escalate privileges to SYSTEM. It creates a named pipe, waits for a connection, and impersonates the client (typically a high-privilege process like SCM) to execute arbitrary commands.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows (pre-patch for CVE-2003-0496)
No auth needed
Prerequisites: Local access to the target system · Ability to create named pipes
devstral-2 · analyzed Feb 18, 2026

References (4)

Core References
Mailing List mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=105820282607865&w=2
Exploit, Patch, Vendor Advisory vendor-advisory x_refsource_atstake
http://www.atstake.com/research/advisories/2003/a070803-1.txt
Mailing List mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=105830986720243&w=2
Patch, Vendor Advisory mailing-list x_refsource_vulnwatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0013.html

Scores

EPSS 0.0486
EPSS Percentile 90.9%

Details

Status published
Products (2)
microsoft/windows_2000 (4 CPE variants)
microsoft/windows_2000_terminal_services (4 CPE variants)
Published Aug 18, 2003
Tracked Since Feb 18, 2026