cbcvebase.
CVE-2006-0003
published 2006-04-12

CVE-2006-0003: Unspecified vulnerability in the RDS.Dataspace ActiveX control, which is contained in ActiveX Data Objects (ADO) and distributed in Microsoft Data Access…

PriorityP271medium5.1CVSS 2.0
AVNACHAuNCPIPAP
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
82.50%
99.6th percentile
Unspecified vulnerability in the RDS.Dataspace ActiveX control, which is contained in ActiveX Data Objects (ADO) and distributed in Microsoft Data Access Components (MDAC) 2.7 and 2.8, allows remote attackers to execute arbitrary code via unknown attack vectors.

Affected

3 ranges
VendorProductVersion rangeFixed in
microsoftdata_access_components
microsoftdata_access_components
microsoftdata_access_components

Detection & IOCsextracted from sources · hover to see the quote

otherclsid:BD96C556-65A3-11D0-983A-00C04FC29E36
otherclsid:BD96C556-65A3-11D0-983A-00C04FC29E30
filenamemetasploit.exe
  • Detect instantiation of the vulnerable RDS.DataSpace / RDS.DataControl ActiveX CLSID {BD96C556-65A3-11D0-983A-00C04FC29E36} via HTML object tag or script in Internet Explorer
  • Monitor for ADODB.Stream objects being created via a vulnerable ActiveX broker (df.CreateObject) followed by SaveToFile calls writing executables to the TEMP directory
  • Alert on exploit kit traffic delivering MS06-014 payloads; iPack crimeware kit is known to bundle this CVE alongside PDF exploits targeting Windows platforms
  • Detect use of WScript.Shell and Shell.Application objects spawned through the RDS.DataSpace ActiveX broker, which is the execution chain used by exploit code for this CVE
  • Flag HTTP responses serving application/octet-stream payloads to IE6 clients (ua_maxver 6.1) immediately after delivery of HTML pages referencing the vulnerable CLSIDs
  • ·A second variant CLSID {BD96C556-65A3-11D0-983A-00C04FC29E30} (last octet 30 vs 36) was found in the wild in the mpack exploit kit and should be included in detection rules alongside the primary CLSID
  • ·Affected MDAC versions are 2.7 and 2.8; the vulnerability resides specifically in the RDS.Dataspace ActiveX control contained within ADO/MDAC

CVSS provenance

nvdv2.05.1MEDIUMAV:N/AC:H/Au:N/C:P/I:P/A:P
vulncheck5.1MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.