CVE-1999-0504
published 1997-01-01

CVE-1999-0504: A Windows NT local user or administrator account has a default, null, blank, or missing password.

Priority: P3 (55) · Severity: high · CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: available · EPSS: 63.70% (99.1th percentile)

Detection & IOCs (extracted from sources)

  • port: 445/tcp
  • port: 135/tcp
  • port: 47001/tcp
  • path: ADMIN$\<random8>.exe
  • command: WMIC (remote WMI RPC execution via TCP 135)
  • Detect SMB authentication attempts using null, blank, or missing passwords against Windows NT/XP accounts, particularly for the Administrator account over TCP 445.
  • Alert on creation of randomly named Windows services (8 random alpha characters) with interactive/own-process type (0x00000110) and demand start (0x00000003) via DCE/RPC CreateServiceW (opcode 0x0c), especially when the binary path points to %SYSTEMROOT%.
  • Monitor for executable files with random 8-character alpha names uploaded to the ADMIN$ share, followed by service creation and rapid deletion — a hallmark of PsExec-style exploitation.
  • Monitor for WMI-based lateral movement (WMIC remote command execution) originating from a session context without explicit credential supply, using TCP 135 and ephemeral high ports.
  • Detect PowerShell Remoting (WinRM) connections on TCP 47001 used to inject payloads, especially when initiated from a compromised host to multiple RHOSTS.
  • Detect SMB credential reporting patterns where SMBPass matches the pattern of an NTLM hash (32hex:32hex), indicating pass-the-hash exploitation leveraging null/default credentials.
  • Windows XP systems not joined to a domain default to treating all network logons as Guest, limiting the impact of null-password exploitation over SMB; verify domain membership before assuming full admin access.
  • The PsExec-style exploit cannot fully clean up in all variants: the service and payload file may persist on disk and require manual removal, leaving forensic artifacts.
  • The WMI-based execution module requires the remote host to be explicitly configured to allow remote WMI; not all Windows hosts will be vulnerable by default.
  • The service created by the PsExec exploit uses a randomly chosen name and description each run, meaning repeated exploitation will clutter the services list with orphaned entries.
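The service-creation and credential hallmarks listed above, turned into a small triage check (added example, not part of the original record). The record field names (`service_name`, `service_type`, `start_type`, `image_path`, `dst_port`, `user`, `password`) and the sample records are assumptions constructed for the demo, not a real log schema.

```python
import re

# Hallmarks from the detection notes: 8-letter random names, service type 0x110
# (own process, interactive), demand start 0x3, and an LM:NT hash pair as "password".
RANDOM8 = re.compile(r"^[A-Za-z]{8}$")
NTLM_PAIR = re.compile(r"^[0-9a-fA-F]{32}:[0-9a-fA-F]{32}$")
SERVICE_TYPE_INTERACTIVE_OWN = 0x110
START_TYPE_DEMAND = 0x3

def psexec_style_reasons(ev: dict) -> list[str]:
    """List the hallmarks one service-creation record matches (field names assumed)."""
    reasons = []
    if RANDOM8.match(ev.get("service_name", "")):
        reasons.append("random 8-letter service name")
    if ev.get("service_type") == SERVICE_TYPE_INTERACTIVE_OWN and ev.get("start_type") == START_TYPE_DEMAND:
        reasons.append("interactive own-process service with demand start")
    folder, _, binary = ev.get("image_path", "").rpartition("\\")
    stem, _, ext = binary.rpartition(".")
    if folder.upper().startswith("%SYSTEMROOT%") and ext.lower() == "exe" and RANDOM8.match(stem):
        reasons.append("random 8-letter .exe directly under %SYSTEMROOT%")
    return reasons

def is_psexec_style(ev: dict) -> bool:
    # Require two hallmarks so an unusual service name alone does not fire.
    return len(psexec_style_reasons(ev)) >= 2

def is_pass_the_hash(smbpass: str) -> bool:
    """True when an SMB password field carries a 32hex:32hex NTLM hash pair."""
    return bool(NTLM_PAIR.match(smbpass))

def is_null_password_logon(ev: dict) -> bool:
    """SMB logon to 445 with an empty or missing password for the Administrator account."""
    return ev.get("dst_port") == 445 and not ev.get("password") and ev.get("user", "").lower() == "administrator"

# Constructed sample records, not real telemetry.
SAMPLE_SERVICES = [
    {"service_name": "KxQpLmZr", "service_type": 0x110, "start_type": 0x3,
     "image_path": "%SYSTEMROOT%\\KxQpLmZr.exe"},
    {"service_name": "Spooler", "service_type": 0x110, "start_type": 0x2,
     "image_path": "%SYSTEMROOT%\\System32\\spoolsv.exe"},
]

def scan_services(records: list[dict]) -> list[str]:
    """Return the names of service-creation records that look PsExec-style."""
    return [r["service_name"] for r in records if is_psexec_style(r)]

if __name__ == "__main__":
    print(scan_services(SAMPLE_SERVICES))
    print(is_pass_the_hash("aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef"))
```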