VYPR
← All advisories
Unrated severityNVD Advisory· Published Jul 7, 1999· Updated Apr 16, 2026

CVE-1999-1537

CVE-1999-1537

Description

IIS 3.x and 4.x does not distinguish between pages requiring encryption and those that do not, which allows remote attackers to cause a denial of service (resource exhaustion) via SSL requests to the HTTPS port for normally unencrypted files, which will cause IIS to perform extra work to send the files over SSL.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IIS 3.x and 4.x allow denial of service via SSL requests to unencrypted pages, overwhelming CPU resources.

Vulnerability

IIS 3.x and 4.x do not distinguish between pages requiring encryption and those that do not. This allows remote attackers to request any page (including large ones with graphics) over HTTPS, causing excessive CPU usage due to SSL processing overhead [1].

Exploitation

A remote attacker with network access can use load generators to send repeated HTTPS requests to the IIS server for normally unencrypted pages. No authentication is required. The server will perform SSL handshakes and encrypt the responses, consuming significantly more CPU than a normal HTTP request [1].

Impact

Successful exploitation leads to CPU resource exhaustion, causing a denial of service where the server becomes unresponsive to legitimate requests. The attack can take down the web server [1].

Mitigation

No patch is mentioned in the reference. As a workaround, separate secure pages to a dedicated server or restrict SSL access via firewall. Since IIS 3.x and 4.x are end-of-life, upgrading to a supported version is recommended [1].

References
  1. 'SSL and IIS.' - MARC

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3
  • Microsoft/Internet Information Server2 versions
    cpe:2.3:a:microsoft:internet_information_server:3.0:*:*:*:*:*:*:*+ 1 more
    • cpe:2.3:a:microsoft:internet_information_server:3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:microsoft:internet_information_server:4.0:*:*:*:*:*:*:*
  • Microsoft/IISllm-fuzzy
    Range: 3.x, 4.x

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

3

News mentions

0

No linked articles in our index yet.