Actively exploited zero-day in IIS 6.0 affects 60,000+ servers

Microsoft Internet Information Services (IIS) 6.0 sports a zero-day vulnerability (CVE-2017-7269) that was exploited in the wild last summer and is likely also being exploited by threat actors at this very moment.

It is a buffer overflow flaw in a function in the WebDAV service in IIS 6.0 in Microsoft Windows Server 2003 R2, and can be triggered by attackers sending a overlong IF header in a PROPFIND request.


Unfortunately, the flaw won’t be patched by Microsoft, because they stopped supporting Windows Server 2003 a few years ago (IIS 6.0 was included in the OS).

Shodan shows that there are a little over 600,000 publicly accessible IIS 6.0 servers on the Internet, and most of them are probably running on Windows Server 2003. Of these, a good 10 percent has WebDAV enabled to allow for remote web authoring, meaning that there are possibly millions of websites out there exposed to this exploit.

So what can be done about CVE-2017-7269?

The risk of exploitation can be mitigated by disabling the WebDAV service on the vulnerable IIS 6.0 installation, but not all administrators will want to do it.

Mitja Kolsek, CEO of Acros Security and co-founder at 0patch, offers another solution: a micropatch that should plug the hole.

The patch is free, and its source code open for inspection (you can view it here). For it to be delivered to the vulnerable machine admins will need to download and install a copy of the company’s 0patch Agent.

More technical details about the flaw can be found in this post by Trend Micro researchers, but the most important things to know right now are as follows:

  • The flaw can be exploited remotely, and allows attackers to execute arbitrary code on a vulnerable machine
  • A proof-of-concept exploit has been published on GitHub, so it’s highly likely that it is being repurposed by attackers and will be used soon (if it’s not already)
  • The flaw affects 32-bit and 64-bit Windows Server 2003 with WebDAV functionality enabled. It doesn’t affect newer versions of IIS (7.0 or later) and newer versions of Windows Server.