CVE-2010-1899

Internet Information Services 5.1-7.5 - Denial of Service via Crafted ASP Request

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2010-1899. PoCs published by kingcope, erickrr-bd, including Metasploit module auxiliary/dos/windows/http/ms10_065_ii6_asp_dos.

AI-analyzed exploit summary This exploit targets a stack exhaustion vulnerability in Microsoft IIS 6.0 by sending a POST request with over 40,000 parameters, causing the IIS worker process to crash and leading to a denial of service (DoS). The PoC is written in Perl and demonstrates the attack by repeatedly sending malformed requests to an ASP page.

Description

Stack consumption vulnerability in the ASP implementation in Microsoft Internet Information Services (IIS) 5.1, 6.0, 7.0, and 7.5 allows remote attackers to cause a denial of service (daemon outage) via a crafted request, related to asp.dll, aka "IIS Repeated Parameter Request Denial of Service Vulnerability."

Exploits (3)

exploitdb WORKING POC VERIFIED
by kingcope · textdoswindows
https://www.exploit-db.com/exploits/15167

This exploit targets a stack exhaustion vulnerability in Microsoft IIS 6.0 by sending a POST request with over 40,000 parameters, causing the IIS worker process to crash and leading to a denial of service (DoS). The PoC is written in Perl and demonstrates the attack by repeatedly sending malformed requests to an ASP page.

Classification
Working Poc 90%
Attack Type
Dos
Complexity
Trivial
Reliability
Reliable
Target: Microsoft IIS 6.0
No auth needed
Prerequisites: Active Server Pages (ASP) enabled on the target IIS server · An ASP script that reads POST form values · Unpatched Windows Server 2003 SP2 or earlier
devstral-2 · analyzed Feb 16, 2026 Full analysis →
github WORKING POC
by erickrr-bd · pythonpoc
https://github.com/erickrr-bd/PoC-CVE/tree/master/CVE-2010-1899

This PoC demonstrates a DoS vulnerability in ASP by sending a large number of parameters in a POST request, causing resource exhaustion. The script iteratively increases the parameter count to test the target's resilience.

Classification
Working Poc 90%
Attack Type
Dos
Complexity
Trivial
Reliability
Reliable
Target: ASP (Active Server Pages)
No auth needed
Prerequisites: Vulnerable ASP application endpoint
devstral-2 · analyzed May 19, 2026 Full analysis →
metasploit WORKING POC
rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/http/ms10_065_ii6_asp_dos.rb

This Metasploit module exploits a stack exhaustion vulnerability in Microsoft IIS 6.0 by sending a large POST request with a repeated parameter, causing the server to become unresponsive. The exploit targets the handling of ASP scripts reading POST form values.

Classification
Working Poc 100%
Attack Type
Dos
Complexity
Trivial
Reliability
Reliable
Target: Microsoft IIS 6.0
No auth needed
Prerequisites: Active Server Pages (ASP) enabled on the target IIS server · A vulnerable ASP script that reads POST form values
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2
Core References
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7127

Scores

EPSS 0.8596
EPSS Percentile 99.4%

Details

CWE
CWE-119
Status published
Products (2)
microsoft/internet_information_server 6.0
microsoft/internet_information_services 7.5
Published Sep 15, 2010
Tracked Since Feb 18, 2026