CVE-2000-1209
published 2002-08-12

Priority: P267 (critical)
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 87.31% (99.7th percentile)
The "sa" account is installed with a default null password on (1) Microsoft SQL Server 2000, (2) SQL Server 7.0, and (3) Data Engine (MSDE) 1.0, including third party packages that use these products such as (4) Tumbleweed Secure Mail (MMS) (5) Compaq Insight Manager, and (6) Visio 2000, which allows remote attackers to gain privileges, as exploited by worms such as Voyager Alpha Force and Spida.

Affected

9 ranges

Vendor      Product               Version range   Fixed in
compaq      insight_manager
compaq      insight_manager_xe
compaq      insight_manager_xe
compaq      insight_manager_xe
compaq      insight_manager_xe
compaq      insight_manager_xe
compaq      insight_manager_xe
microsoft   data_engine
microsoft   msde

Detection & IOCs (extracted from sources)

port: 1433
command: xp_cmdshell
snort
alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"GPL SQL sa brute force failed login unicode attempt"; flow:established,to_client; content:"L|00|o|00|g|00|i|00|n|00| |00|f|00|a|00|i|00|l|00|e|00|d|00| |00|f|00|o|00|r|00| |00|u|00|s|00|e|00|r|00| |00|'|00|s|00|a|00|'|00|"; threshold:type threshold, track by_src, count 5, seconds 2; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:2103273; rev:5; metadata:created_at 2010_09_23, cve CVE_2000_1209, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_08;)
snort
alert tcp $SQL_SERVERS 139 -> $EXTERNAL_NET any (msg:"GPL SQL sa login failed"; flow:established,to_client; content:"Login failed for user 'sa'"; offset:83; reference:bugtraq,4797; reference:cve,2000-1209; classtype:attempted-user; sid:2100680; rev:11; metadata:created_at 2010_09_23, cve CVE_2000_1209, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_08;)
bytes
L|00|o|00|g|00|i|00|n|00| |00|f|00|a|00|i|00|l|00|e|00|d|00| |00|f|00|o|00|r|00| |00|u|00|s|00|e|00|r|00| |00|'|00|s|00|a|00|'|00|
bytes
Login failed for user 'sa'
  • Monitor for repeated 'sa' login failures from external sources on TCP/1433 — the Snort rule triggers on 5 failures within 2 seconds from the same source, indicative of brute-force attempts against the blank default 'sa' password.
  • Detect 'sa' login failure strings in unicode (UTF-16LE) encoding on TCP/1433 traffic, as used by worms such as Voyager Alpha Force and Spida exploiting the blank 'sa' password.
  • Alert on 'sa' login failure strings on TCP/139 (NetBIOS) at byte offset 83, indicating exploitation attempts via SMB-adjacent SQL Server named pipes.
  • Detect use of xp_cmdshell in SQL traffic or web requests, as exploitation of the blank 'sa' password commonly leads to OS command execution via this stored procedure.
  • Watch for SQL injection patterns of the form ';exec xp_cmdshell '...';-- in HTTP GET parameters, as used by the SQLi-based exploitation module.
  • Third-party products bundling vulnerable MSSQL/MSDE instances (Tumbleweed Secure Mail, Compaq Insight Manager, Visio 2000) should be audited for the blank 'sa' password, as they inherit the vulnerability.
  • The Snort rule for TCP/1433 unicode detection (sid:2103273) uses a threshold of 5 events in 2 seconds tracked by source IP; tuning may be needed in environments with high legitimate authentication failure rates to avoid false positives.
  • The Snort rule for TCP/139 (sid:2100680) relies on a fixed byte offset of 83 for the "Login failed for user 'sa'" string; changes in SQL Server response framing may cause missed detections.
  • The Metasploit exploit module leaves a payload executable on the target system after the attack completes, which can serve as a forensic artifact during incident response.
  • The debug.exe delivery method (old) invokes ntvdm and is not available on x86_64 systems; attackers on 64-bit targets will use PowerShell or Command Stager methods instead.
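
The match conditions of the two Snort rules above, re-implemented offline in Python as an added example (not code from this page, Snort, or the rule authors). The packet tuples and payloads are constructed, and the window logic only approximates Snort's `threshold` handling.

```python
# Added example: offline re-implementation of the two rules' matching logic.
SA_FAIL_ASCII = b"Login failed for user 'sa'"                     # sid:2100680 content
SA_FAIL_UTF16 = "Login failed for user 'sa'".encode("utf-16-le")  # sid:2103273 content
COUNT, SECONDS = 5, 2.0  # threshold: count 5, seconds 2, track by_src


def classify(src_port, payload):
    """Return the sid whose content match a server-to-client payload satisfies."""
    if src_port == 1433 and SA_FAIL_UTF16 in payload:
        return 2103273
    # offset:83 -> the search starts 83 bytes into the payload
    if src_port == 139 and payload.find(SA_FAIL_ASCII, 83) != -1:
        return 2100680
    return None


def detect(packets):
    """packets: time-ordered (ts, src_ip, src_port, payload) tuples (assumed shape).
    Returns (ts, src_ip, sid) alerts. src_ip is the responding SQL server,
    because both rules match to_client traffic and track by_src."""
    alerts, windows = [], {}  # windows: src_ip -> [window_start, count]
    for ts, src, sport, payload in packets:
        sid = classify(sport, payload)
        if sid == 2100680:
            alerts.append((ts, src, sid))  # this rule has no threshold
        elif sid == 2103273:
            win = windows.setdefault(src, [ts, 0])
            if ts - win[0] > SECONDS:      # window expired: start a new one
                win[0], win[1] = ts, 0
            win[1] += 1
            if win[1] == COUNT:            # every 5th event inside the window
                alerts.append((ts, src, sid))
                win[1] = 0
    return alerts


def sample_packets():
    """Constructed payloads (padding + message), not real TDS or SMB frames."""
    pad = b"\x00" * 40
    burst = [(0.3 * i, "192.0.2.10", 1433, pad + SA_FAIL_UTF16) for i in range(5)]
    slow = [(20.0 + 3 * i, "192.0.2.11", 1433, pad + SA_FAIL_UTF16) for i in range(5)]
    pipe_hit = [(40.0, "192.0.2.12", 139, b"\x00" * 90 + SA_FAIL_ASCII)]
    pipe_miss = [(41.0, "192.0.2.12", 139, b"\x00" * 10 + SA_FAIL_ASCII + pad)]
    return burst + slow + pipe_hit + pipe_miss


if __name__ == "__main__":
    for alert in detect(sample_packets()):
        print(alert)
```

The slow series (one failure every 3 seconds) and the TCP/139 payload with the string before byte 83 both go undetected, which are the tuning and fixed-offset limitations noted in the list above.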