CVE-2001-0333
published 2001-06-27

CVE-2001-0333: Directory traversal vulnerability in IIS 5.0 and earlier allows remote attackers to execute arbitrary commands by encoding .. (dot dot) and "\" characters…

Priority: P271 · high · 7.5 (CVSS 2.0)
AV:N / AC:L / Au:N / C:P / I:P / A:P
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 90.77% (99.8th percentile)
Directory traversal vulnerability in IIS 5.0 and earlier allows remote attackers to execute arbitrary commands by encoding .. (dot dot) and "\" characters twice.

Affected

2 ranges
| Vendor | Product | Version range | Fixed in |
| --- | --- | --- | --- |
| microsoft | internet_information_server | <= 5.0 | |
| microsoft | internet_information_server | | |

Detection & IOCs (extracted from sources)

url: /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+
url: GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+ver HTTP/1.0
path: /scripts/..%255c..%255cwinnt/system32/cmd.exe
path: C:\inetpub\scripts\
command: copy \winnt\system32\cmd.exe <random>.exe
  • Detect double-encoded dot-dot-slash traversal sequences in HTTP request URIs targeting /scripts/ directory; key patterns include %255c, %%35c, %%35%63, %25%35%63, %252e, %%32%65, %25%32%65
  • Alert on HTTP GET requests to /scripts/ containing double-encoded traversal sequences followed by cmd.exe, indicative of CVE-2001-0333 exploitation
  • The Nimda worm and its variants actively exploit this vulnerability; correlate IIS exploitation attempts with known Nimda indicators
  • Arbitrary commands execute under the IUSR_machinename account; monitor for unexpected process spawning (e.g., cmd.exe) from IIS worker processes under this account
  • Monitor IIS scripts directory for unexpected .exe files dropped by attackers (e.g., randomly named executables copied from cmd.exe or Metasploit payloads)
  • Detect attrib.exe invocations removing read-only/hidden/system flags on files within C:\inetpub\scripts\ as a post-exploitation cleanup indicator
  • Various double-encoding combinations may yield different outcomes depending on Windows version and locale; detection rules must cover all documented encoding variants
  • The Metasploit module targets port 80 by default but the RPORT option is configurable; detection should not be limited to port 80 alone
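
The first two detection points above can be implemented by decoding the request path until it stops changing, rather than matching each encoded variant literally. The sketch below is an added example, not taken from the sources this page draws on; the function names and labels are hypothetical, and every sample line except the first (the request quoted above) is constructed.

```python
import re
from urllib.parse import unquote

# ".." bounded by "/" or "\" (or the ends of the path) in decoded text.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

def fully_decode(text, limit=5):
    """Percent-decode until stable. A malformed run such as '%%35c' survives
    one pass as '%5c' and only becomes a backslash on the next pass."""
    for _ in range(limit):
        nxt = unquote(text)
        if nxt == text:
            break
        text = nxt
    return text

def classify(request_line):
    """Label one HTTP request line; None means no traversal was found."""
    parts = request_line.split()
    if len(parts) < 2:
        return None
    path = parts[1].split("?", 1)[0]   # the query string is not inspected
    once = unquote(path)               # a single, ordinary decode
    final = fully_decode(path)
    if TRAVERSAL.search(once):
        return "traversal"             # already visible after one decode
    if not TRAVERSAL.search(final):
        return None
    label = "double-encoded-traversal"
    if final.lower().startswith("/scripts/") and "cmd.exe" in final.lower():
        label += "+cmd.exe"
    return label

# Constructed sample lines; the first is the request quoted on this page.
SAMPLES = [
    "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+ver HTTP/1.0",
    "GET /scripts/..%%35c..%%35cwinnt/system32/cmd.exe?/c+ver HTTP/1.0",
    "GET /scripts/%25%32%65%25%32%65/default.asp HTTP/1.0",
    "GET /docs/100%2525done.htm HTTP/1.0",
    "GET /scripts/report.asp?id=7 HTTP/1.0",
]

def scan(lines):
    """Return (label, line) pairs for a batch of request lines."""
    return [(classify(line), line) for line in lines]

if __name__ == "__main__":
    for label, line in scan(SAMPLES):
        print(f"{label or 'ok':34} {line}")
```

Because the check compares the singly decoded path with the fully decoded one, it covers every encoding variant listed above without a separate pattern for each.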

CVSS provenance

nvd · v2.0 · 7.5 · HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck · 7.5 · HIGH