cbcvebase.
CVE-2007-1531
published 2007-03-20

CVE-2007-1531: Microsoft Windows XP and Vista overwrites ARP table entries included in gratuitous ARP, which allows remote attackers to cause a denial of service (loss of…

PriorityP428medium5CVSS 2.0
AVNACLAuNCNINAP
EXPLOIT
EPSS
22.82%
97.4th percentile
Microsoft Windows XP and Vista overwrites ARP table entries included in gratuitous ARP, which allows remote attackers to cause a denial of service (loss of network access) by sending a gratuitous ARP for the address of the Vista host.

Detection & IOCsextracted from sources · hover to see the quote

commandARP(pdst=argv[1],op=2)
commandEther(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst=a.pdst)
  • Detect gratuitous ARP packets where the sender protocol address (psrc) equals the target protocol address (pdst) — the exploit sets a.psrc=a.pdst to forge a gratuitous ARP for the victim's own IP, which triggers the Vista network stack DoS.
  • Detect ARP reply packets (op=2) broadcast to ff:ff:ff:ff:ff:ff on the local segment where the sender IP matches the target IP — this is the specific packet shape used to crash the Vista network interface.
  • Monitor for repeated ARP op=2 (reply) frames sent to the broadcast MAC ff:ff:ff:ff:ff:ff; the exploit loops every 3 seconds re-sending the forged gratuitous ARP until the victim interface stops responding.
  • Attack requires layer-2 adjacency; scope detection to the local network segment. An attacker on the same LAN segment sends the malicious ARP to cause the Vista host's NIC to stop responding.
  • ·The exploit depends on the scapy library; defenders can use this as a hunting pivot — look for scapy-generated frames (e.g. default scapy Ethernet padding/TTL artefacts) combined with gratuitous ARP patterns.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.