CVE-2004-0549

EXPLOITED

Internet Explorer 6 - Remote Code Execution via showModalDialog Location Manipulation

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2004-0549 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including Ferruh Mavituna.

AI-analyzed exploit summary This exploit leverages a vulnerability in Internet Explorer (CVE-2004-0549) to execute arbitrary code via a crafted HTML page. It uses a combination of JavaScript, VBScript, and ActiveX to download and execute a malicious payload (bad.exe) from a remote share.

Description

The WebBrowser ActiveX control, or the Internet Explorer HTML rendering engine (MSHTML), as used in Internet Explorer 6, allows remote attackers to execute arbitrary code in the Local Security context by using the showModalDialog method and modifying the location to execute code such as Javascript, as demonstrated using (1) delayed HTTP redirect operations, and an HTTP response with a Location: header containing a "URL:" prepended to a "ms-its" protocol URI, or (2) modifying the location attribute of the window, as exploited by the Download.ject (aka Scob aka Toofer) using the ADODB.Stream object.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Ferruh Mavituna · textremotewindows
https://www.exploit-db.com/exploits/316

This exploit leverages a vulnerability in Internet Explorer (CVE-2004-0549) to execute arbitrary code via a crafted HTML page. It uses a combination of JavaScript, VBScript, and ActiveX to download and execute a malicious payload (bad.exe) from a remote share.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Internet Explorer (versions affected by CVE-2004-0549)
No auth needed
Prerequisites: Victim must visit a malicious webpage · Remote share (IPADDRESS) must be accessible · ActiveX must be enabled in the target's browser
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (16)

Core 16
Core References
US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA04-184A.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/16348
Patch, Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA04-163A.html
US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA04-212A.html
Various Sources x_refsource_misc
http://62.131.86.111/analysis.htm
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A207
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1133
US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/713878
Mailing List mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=108786396622284&w=2
Third Party Advisory mailing-list x_refsource_fulldisc
http://archives.neohapsis.com/archives/fulldisclosure/2004-06/0031.html
Mailing List mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=108852642021426&w=2
Third Party Advisory mailing-list x_refsource_fulldisc
http://archives.neohapsis.com/archives/fulldisclosure/2004-06/0104.html
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A519
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A241

Scores

EPSS 0.6905
EPSS Percentile 98.7%

Details

VulnCheck KEV 2004-07-30
Status published
Products (4)
microsoft/internet_explorer
microsoft/internet_explorer 5.01
microsoft/internet_explorer 5.5
microsoft/internet_explorer 6.0
Published Aug 06, 2004
Tracked Since Feb 18, 2026