VYPR
Unrated severity · NVD Advisory · Published Feb 19, 1999 · Updated Apr 16, 2026

CVE-1999-0412

Description

IIS and other NT web servers allow arbitrary code execution as SYSTEM by exploiting ISAPI extensions during initial loading.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

IIS and potentially other NT web servers have a vulnerability that could allow arbitrary code to be run as SYSTEM. This vulnerability exists due to the way the server calls the GetExtensionVersion() function the first time an ISAPI extension is loaded. Any user able to place a CGI script in the web structure can insert code that will be run as SYSTEM during this specific window. The vulnerability affects IIS 2.0, 3.0, and 4.0 [1].

Exploitation

An attacker needs the ability to place a CGI script or an ISAPI extension (e.g., rb.dll) within the web server's structure. The attacker then invokes this extension via a browser request, such as http://your.machine.name/rb.dll?. This triggers the GetExtensionVersion() function, which can be manipulated to execute arbitrary code with SYSTEM privileges [1].

Impact

Successful exploitation allows an attacker to execute arbitrary code as the SYSTEM user. This grants the highest level of privilege on the affected Windows NT system, potentially leading to complete compromise of the server [1].

Mitigation

No specific patch or fixed version information is available in the provided references. Users are advised to be cautious about loading ISAPI extensions from untrusted sources. The affected versions are IIS 2.0, 3.0, and 4.0 [1].

AI Insight generated on Jun 6, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3
  • cpe:2.3:a:microsoft:internet_information_server:3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:internet_information_server:4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:internet_information_services:2.0:*:*:*:*:*:*:*

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1

News mentions

0

No linked articles in our index yet.