IIS 1.0 Shellcode Vulnerability

HIGH (10.0) No Patch (10887 days)

Threat Intelligence

⚠️ CRITICAL GAP - Exploits exist but no detection available
EPSS Score: 30.77% chance of exploitation (percentile: 97%)
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: Exploit-DB

What is it?

IIS 1.0 is an older version of the Internet Information Services web server software developed by Microsoft. This vulnerability allows attackers to execute arbitrary commands on a server by simply sending a malicious .bat or .cmd file through HTTP requests, exploiting IIS's command execution capabilities.

Am I affected?

You're affected if you use Internet Information Services (IIS) version 1.0. Check with: dir iis*.exe 2>NUL

Note: This CVE is specific to IIS 1.0 and not related to newer versions of the software.

Affected Products

Microsoft / Internet Information Services (IIS)

How to fix

- Upgrade to a newer version of IIS that doesn't have this vulnerability (Microsoft recommends at least IIS 5.0).
- Alternatively, disable command execution for .bat and .cmd files in IIS settings.
- For immediate mitigation: Restrict network access to your IIS instance (firewall it from the public internet).