cbcvebase.
CVE-2006-6723
published 2006-12-26


Priority P339 · high · 7.8 (CVSS 2.0)
AV:N/AC:L/Au:N/C:N/I:N/A:C
EXPLOIT
EPSS: 37.98% (98.4th percentile)
The Workstation service in Microsoft Windows 2000 SP4 and XP SP2 allows remote attackers to cause a denial of service (memory consumption) via a large maxlen value in an NetrWkstaUserEnum RPC request.

Detection & IOCs (extracted from sources)

port: 445
path: \pipe\browser
other: 6bffd098-a112-3610-9833-46c3f87e345a v1.0
command: NetrWkstaUserEnum(max_len = 1024 * 1024 * 512)
  • Detect oversized NetrWkstaUserEnum RPC requests over SMB named pipe \pipe\browser — a large `max_len` field (e.g. hundreds of MB) in the RPC request body is the exploit trigger.
  • Monitor for NULL Session SMB connections (unauthenticated) to port 445 that subsequently bind to RPC UUID 6bffd098-a112-3610-9833-46c3f87e345a (Workstation service) via the browser named pipe.
  • Alert on rapid, abnormal memory growth in svchost.exe following inbound SMB/RPC activity on port 445, which is the observable symptom of successful exploitation.
  • Look for RPC opnum 2 calls on the Workstation service interface (UUID 6bffd098-a112-3610-9833-46c3f87e345a) with a `max_len` value far exceeding normal enumeration sizes.
  • The exploit targets only Windows 2000 SP4 and Windows XP SP2; later OS versions are not affected, so detection rules should be scoped to these legacy platforms.
  • The attack is a pure DoS (memory exhaustion) with no code execution; detection focus should be on availability impact rather than compromise indicators.
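
The network-side bullets above can be combined into one per-connection correlation. The sketch below is an added example, not code from this page or its sources; the event schema (`conn`, `type`, `user`, `pipe`, `uuid`, `opnum`, `max_len`), the 1 MiB `MAX_LEN_LIMIT` and the sample events are assumptions standing in for whatever a sensor's SMB/DCE-RPC decoder emits.

```python
# Added example: correlate decoded SMB/DCE-RPC events into CVE-2006-6723 alerts.
# The event schema and MAX_LEN_LIMIT are assumptions, not a real sensor format.
WKSSVC_UUID = "6bffd098-a112-3610-9833-46c3f87e345a"  # Workstation service (from the page)
ENUM_OPNUM = 2                # NetrWkstaUserEnum opnum (from the page)
MAX_LEN_LIMIT = 1024 * 1024   # assumed ceiling for a normal enumeration (1 MiB)

def detect(events):
    """Return one alert per oversized NetrWkstaUserEnum request."""
    state = {}    # conn id -> {"null": NULL session seen, "bound": bound to wkssvc}
    alerts = []
    for ev in events:
        if ev.get("dst_port") != 445:
            continue
        st = state.setdefault(ev["conn"], {"null": False, "bound": False})
        kind = ev["type"]
        if kind == "session_setup":
            st["null"] = ev.get("user", "") == ""      # empty user = NULL session
        elif kind == "rpc_bind":
            st["bound"] = (ev["uuid"].lower() == WKSSVC_UUID
                           and ev["pipe"].lower().endswith("\\browser"))
        elif kind == "rpc_request" and st["bound"] and ev["opnum"] == ENUM_OPNUM:
            if ev["max_len"] > MAX_LEN_LIMIT:
                alerts.append({"conn": ev["conn"], "src": ev["src"],
                               "max_len": ev["max_len"],
                               # unauthenticated callers rank higher
                               "severity": "high" if st["null"] else "medium"})
    return alerts

def _ev(conn, src, kind, **fields):
    return {"conn": conn, "src": src, "dst_port": 445, "type": kind, **fields}

# Constructed sample events (not captured traffic); addresses are documentation ranges.
SAMPLE = [
    _ev("c1", "192.0.2.10", "session_setup", user=""),
    _ev("c1", "192.0.2.10", "rpc_bind", pipe="\\pipe\\browser", uuid=WKSSVC_UUID),
    _ev("c1", "192.0.2.10", "rpc_request", opnum=2, max_len=1024 * 1024 * 512),
    _ev("c2", "192.0.2.20", "session_setup", user="CORP\\alice"),
    _ev("c2", "192.0.2.20", "rpc_bind", pipe="\\pipe\\browser", uuid=WKSSVC_UUID),
    _ev("c2", "192.0.2.20", "rpc_request", opnum=2, max_len=4096),
    # c3 binds a different (constructed) interface, so opnum 2 there is ignored.
    _ev("c3", "192.0.2.30", "rpc_bind", pipe="\\pipe\\browser",
        uuid="00000000-0000-0000-0000-000000000000"),
    _ev("c3", "192.0.2.30", "rpc_request", opnum=2, max_len=1024 * 1024 * 512),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

Tune `MAX_LEN_LIMIT` against the enumeration sizes actually seen on the monitored network before alerting on it.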