CVE-2004-0574

Microsoft Windows NT Server <4.0-2003 - RCE

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2004-0574. PoCs published by Lucas Lavarello.

AI-analyzed exploit summary This exploit targets a heap overflow vulnerability in the IIS NNTP Service via the XPAT command. It sends a malformed 'xpat From' command with a long pattern to trigger the overflow, potentially leading to remote code execution.

Description

The Network News Transfer Protocol (NNTP) component of Microsoft Windows NT Server 4.0, Windows 2000 Server, Windows Server 2003, Exchange 2000 Server, and Exchange Server 2003 allows remote attackers to execute arbitrary code via XPAT patterns, possibly related to improper length validation and an "unchecked buffer," leading to off-by-one and heap-based buffer overflows.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Lucas Lavarello · perldoswindows

https://www.exploit-db.com/exploits/578

View Code ZIP pw:eip

This exploit targets a heap overflow vulnerability in the IIS NNTP Service via the XPAT command. It sends a malformed 'xpat From' command with a long pattern to trigger the overflow, potentially leading to remote code execution.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Microsoft IIS NNTP Service (versions affected by CVE-2004-0574)

No auth needed

Prerequisites: Network access to the target NNTP service (port 119) · Vulnerable IIS NNTP Service

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (12)

Core 12

Core References

Third Party Advisory vdb-entry signature x_refsource_oval

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5070

Third Party Advisory vdb-entry signature x_refsource_oval

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5021

Third Party Advisory, VDB Entry vdb-entry x_refsource_xf

https://exchange.xforce.ibmcloud.com/vulnerabilities/17641

Mailing List, Third Party Advisory mailing-list x_refsource_bugtraq

http://marc.info/?l=bugtraq&m=109761632831563&w=2

Third Party Advisory vdb-entry signature x_refsource_oval

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A4392

Broken Link third-party-advisory government-resource x_refsource_ciac

http://www.ciac.org/ciac/bulletins/p-012.shtml

Third Party Advisory vdb-entry signature x_refsource_oval

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A246

Patch, Vendor Advisory vendor-advisory x_refsource_ms

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2004/ms04-036

Patch, Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert-vn

http://www.kb.cert.org/vuls/id/203126

Third Party Advisory vdb-entry signature x_refsource_oval

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5926

Third Party Advisory x_refsource_misc

http://www.coresecurity.com/common/showdoc.php?idx=420&idxseccion=10

Third Party Advisory, VDB Entry vdb-entry x_refsource_xf

https://exchange.xforce.ibmcloud.com/vulnerabilities/17661

Scores

EPSS 0.6782

EPSS Percentile 99.2%

Details

CWE

CWE-787

Status published

Products (5)

microsoft/exchange_server 2000

microsoft/exchange_server 2003

microsoft/windows_2000

microsoft/windows_nt 4.0

microsoft/windows_server_2003 r2

Published Nov 03, 2004

Tracked Since Feb 18, 2026