CVE-2003-0714
published 2003-11-17


Priority: P3
CVSS 2.0: 7.5 (high), vector AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: public exploit available
EPSS: 76.39% (99.5th percentile)
The Internet Mail Service in Exchange Server 5.5 and Exchange 2000 allows remote attackers to cause a denial of service (memory exhaustion) by directly connecting to the SMTP service and sending a certain extended verb request, possibly triggering a buffer overflow in Exchange 2000.

Affected (2 ranges)

Vendor      Product           Version range   Fixed in
microsoft   exchange_server
microsoft   exchange_server

Detection & IOCs (extracted from sources)

Command: XEXCH50 2 2
Command: XEXCH50 -1 2
Bytes: META repeated 16384 times (heap-smashing string)
  • Detect unauthenticated XEXCH50 verb usage on SMTP port 25 — a patched server only allows XEXCH50 after NTLM authentication, so any XEXCH50 command issued before authentication is a strong indicator of an exploitation attempt.
  • Alert on SMTP server response '354 Send binary data' to an unauthenticated XEXCH50 request — this confirms the server is vulnerable and actively responding to the exploit probe.
  • Detect XEXCH50 with a negative size argument (e.g., XEXCH50 -1 2) on SMTP — this is the specific trigger for the heap overwrite primitive used in both the PoC crash and the Metasploit exploit.
  • Detect XEXCH50 with an extremely large size argument (e.g., 33554432 / 32MB) on SMTP — used by the Metasploit module to pre-fill the heap with shellcode before triggering the overflow.
  • Monitor for multiple rapid SMTP reconnections (10 in quick succession with only HELO) following an XEXCH50 exchange — this reconnect sequence is used by the Metasploit module to trigger the heap corruption.
  • Flag SMTP sessions where EHLO is sent with a single random alpha character followed immediately by XEXCH50 — this is the exploit's fingerprint for the check and attack setup phases.
  • The exploit is highly unreliable and may require up to 100 connection attempts before achieving code execution; detection logic should account for repeated connection attempts from the same source IP.
  • The Metasploit module's bad character list excludes null bytes, newlines, carriage returns, spaces, colons, equals, plus signs, and double-quotes from payload encoding — payload network signatures must account for these constraints.
  • The exploit uses an SEH-based exit function, meaning the shellcode exit method targets structured exception handlers — post-exploitation forensics should examine SEH chain manipulation in inetinfo.exe.
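The per-session indicators above (XEXCH50 before authentication, a 354 reply to such a command, negative or very large size arguments, a single-character EHLO right before XEXCH50) can be checked over a captured SMTP transcript; the script below is an added example, not code from the page or from any detection product, and it assumes a "C:"/"S:" line format, a constructed sample session, and a 16 MiB threshold for "very large". The cross-session reconnect indicator is out of its scope.

```python
import re

# Constructed sample transcript (not a real capture): "C:" = client, "S:" = server.
SAMPLE_SESSION = """\
S: 220 mail.example.test Microsoft ESMTP MAIL Service ready
C: EHLO x
S: 250-mail.example.test Hello
S: 250 XEXCH50
C: XEXCH50 -1 2
S: 354 Send binary data
C: XEXCH50 33554432 2
C: QUIT
S: 221 mail.example.test closing connection
"""

XEXCH50_RE = re.compile(r"^XEXCH50\s+(-?\d+)\s+(-?\d+)\s*$", re.IGNORECASE)
SHORT_EHLO_RE = re.compile(r"^EHLO\s+[A-Za-z]\s*$", re.IGNORECASE)
LARGE_SIZE = 16 * 1024 * 1024  # assumed threshold; the 32 MB pre-fill sits well above it

def analyze_session(transcript):
    # Returns a list of (line_no, reason) findings for one SMTP session.
    findings = []
    authenticated = False   # set once the server answers 235 to an AUTH exchange
    awaiting_reply = False  # last client command was an unauthenticated XEXCH50
    last_client_cmd = ""
    for n, raw in enumerate(transcript.splitlines(), 1):
        side, sep, msg = raw.partition(":")
        if not sep:
            continue
        side, msg = side.strip().upper(), msg.strip()
        if side == "S":
            if msg.startswith("235"):
                authenticated = True
            if awaiting_reply and msg.startswith("354"):
                findings.append((n, "server answered 354 to unauthenticated XEXCH50"))
            awaiting_reply = False
            continue
        m = XEXCH50_RE.match(msg)
        if m:
            size = int(m.group(1))
            if not authenticated:
                findings.append((n, "XEXCH50 before authentication"))
                awaiting_reply = True
            if SHORT_EHLO_RE.match(last_client_cmd):
                findings.append((n, "single-character EHLO immediately followed by XEXCH50"))
            if size < 0:
                findings.append((n, "XEXCH50 with negative size argument"))
            elif size >= LARGE_SIZE:
                findings.append((n, "XEXCH50 with very large size argument (%d)" % size))
        last_client_cmd = msg
    return findings
```

Running `analyze_session(SAMPLE_SESSION)` reports every indicator on the sample, while a session that authenticates (server 235) before XEXCH50 with a small size produces no findings.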