CVE-1999-0511 · IP forwarding is enabled on a machine which is not a router or firewall.

01 · The Real Story

Like finding a side gate unlocked in a fence instead of a hole blown through the wall

CVE-1999-0511 describes a host with IP forwarding enabled even though it is not intended to act as a router or firewall. NVD maps the record to Microsoft Windows NT and Windows 2000, but the underlying condition is broader: any dual-homed or multi-interface system that forwards packets can become an unintended transit point if local policy allows it.

The vendor-style CRITICAL 9.1 scoring does not match operational reality. This is usually a configuration weakness that can aid pivoting or segmentation bypass, not a turnkey unauthenticated compromise; an attacker normally needs internal position, routing influence, and a host that actually sits between useful network segments before this matters.

"This is a hardening miss, not a critical remote exploit; fix it, but don't let a 9.1 bully your patch queue."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Find a transit-capable host

An attacker first identifies a machine with forwarding enabled using scanner logic such as Nessus plugin 50686 or host config collection from existing access. The useful target is not just any endpoint; it needs multiple interfaces or connectivity into more than one trust zone.

Conditions required:

Attacker can scan or inventory the host
Host has forwarding enabled
Host is reachable from at least one attacker-controlled segment

Where this breaks in practice:

Most endpoints are single-homed and useless as pivots
Modern host firewalls often block transit traffic even when forwarding is enabled
Internet scanners cannot reliably infer this state from a banner

Detection/coverage: Good internal scanner coverage; poor external visibility. This is best found by authenticated config audit or local checks, not internet exposure scans.

STEP 02

Obtain a position that can use it

To weaponize the condition, the attacker needs a path to send packets through that host. Common tooling would be scapy, arpspoof, or static-route abuse after an initial foothold, but that assumes adjacency or prior compromise rather than clean unauthenticated internet reach.

Conditions required:

Internal network access, adjacent access, or a compromised host
Ability to influence routing or send packets toward the forwarding host

Where this breaks in practice:

Requires post-initial-access positioning in many enterprises
Switch protections, NAC, and segmentation reduce route manipulation opportunities
Cloud VPC routing usually prevents arbitrary transit through ordinary instances

Detection/coverage: EDR will not flag 'the CVE'; network telemetry may show unusual TTL patterns, asymmetric flows, or ARP anomalies if L2 abuse is involved.

STEP 03

Pass traffic across the unintended gateway

If forwarding is active and packet filters permit it, the host can relay traffic into a second network that the attacker could not directly reach. Tools like proxychains, socat, or raw packet generators can then use the machine as a crude pivot or path extender.

Conditions required:

Second network/interface is actually reachable from the host
Transit packets are not blocked by local firewall or upstream ACLs

Where this breaks in practice:

Forwarding alone does not guarantee NAT, return routing, or application reachability
Stateful firewalls and ACLs often stop the useful part of the pivot
Misconfigured host must sit in a place that matters

Detection/coverage: NetFlow, firewall logs, and east-west anomaly detection can catch a non-router host forwarding inter-segment traffic.

STEP 04

Use the pivot for lateral movement

The impact is typically segmentation erosion, not direct code execution from the CVE itself. Once the attacker has a working path, they still need separate exploits, credentials, or allowed protocols to compromise downstream systems.

Conditions required:

Valuable downstream assets exist behind the host
Additional access paths, creds, or exploits are available

Where this breaks in practice:

This CVE does not itself provide auth bypass or RCE
Blast radius is limited to networks the host can actually bridge
Downstream targets may still be protected by MFA, ACLs, or service hardening

Detection/coverage: Lateral movement detections remain the relevant control plane here; the forwarding setting is just an enabler.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No authoritative evidence of active exploitation found in primary sources reviewed, and it is not listed in the CISA KEV catalog.
Proof-of-concept availability	No primary-source exploit or vendor PoC identified. In practice this is usually detected by scanner checks and configuration audits, not exploited via a named one-click public exploit.
EPSS	User-supplied EPSS is 0.04827 (~4.8%), which is modest and fits the reality that this is a situational pivot aid rather than a broadly abused remote bug. EPSS should be treated as secondary here because the finding is configuration-state dependent.
KEV status	Not KEV-listed. No CISA due date pressure applies from KEV status.
CVSS vector reality check	The supplied vector `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H` models this like an easy network attack with major impact. That is too generous to the attacker: forwarding enabled is not the same thing as immediate compromise, and real exploitation usually requires prior network position plus routing conditions.
Affected versions	NVD maps affected CPEs to Windows NT and Windows 2000. By inference from the CVE description and OS networking docs, the underlying misconfiguration pattern can exist on modern Linux and Windows systems whenever packet forwarding is intentionally or accidentally enabled.
Fixed version	No patched version. This is a configuration issue: disable forwarding (`IPEnableRouter=0`, RRAS disabled, or `net.ipv4.ip_forward=0`) unless the host is intentionally acting as a router/firewall.
Scanning and exposure data	There is no meaningful Shodan/Censys-style internet exposure count for this finding because IP forwarding is not a normal banner-detectable service. You need authenticated host inspection, config management, or internal vulnerability scanning.
Disclosure timeline	Published 1997-01-01 in NVD metadata; the CVE record itself is maintained by MITRE/CVE.
Reporter / source organization	The CVE record is assigned by MITRE; no specific independent researcher is identified in the public record reviewed.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to LOW (2.4/10)

The decisive factor is attacker position requirement: this setting usually matters only after an attacker already has internal or adjacent network access and can steer traffic through the host. The reachable population is also narrow because only systems that actually bridge useful networks and permit transit turn this misconfiguration into a practical pivot.

HIGH Downgrade from vendor-style CRITICAL scoring

MEDIUM Exact blast radius in any one environment depends on host placement and local firewall policy

Why this verdict

Not a direct compromise primitive: Starting from the supplied 9.1 baseline, this drops hard because the finding does not itself give RCE, auth bypass, or data access; it mainly enables packet transit.
Requires internal or adjacent positioning: To exploit it in the real world, the attacker usually needs post-initial-access network presence or routing influence, which is a major downward pressure on severity.
Exposure population is narrow: Only hosts with forwarding enabled *and* useful multi-network placement *and* permissive filtering matter, which is a small subset of enterprise endpoints.
Modern controls should disrupt the chain: Host firewalls, NAC, segmentation, cloud route controls, and east-west monitoring all add friction before this becomes a meaningful pivot.
No KEV / no strong exploitation signal: There is no authoritative evidence here that defenders should treat this like an actively weaponized internet-scale bug.

Why not higher?

It is not HIGH or CRITICAL because the attack chain assumes too much: internal adjacency, a transit-capable host, routing influence, and downstream targets that remain reachable through that path. A 9.1-style score treats the configuration like a direct network exploit, which badly overstates both reachability and immediate impact.

Why not lower?

It is not IGNORE because an unintended forwarding host can still collapse segmentation and quietly help lateral movement, especially on admin servers, legacy multi-homed boxes, or poorly understood cloud instances. If you find it on a host straddling sensitive zones, the local business risk can exceed the generic score even though the global CVE deserves a downgrade.

05 · Compensating Control

What to do — in priority order.

Audit forwarding state — Identify systems with IPEnableRouter=1, RRAS enabled, or Linux net.ipv4.ip_forward=1, and confirm they are intentional routers/firewalls. For a LOW verdict there is no mitigation SLA; handle it as backlog hygiene in the next hardening cycle, but do not leave ownership ambiguous.
Restrict east-west transit — Use host firewall rules and upstream ACLs so ordinary servers and workstations cannot relay traffic between segments even if forwarding gets enabled. Treat this as configuration hygiene with no SLA for LOW, but prioritize any dual-homed server sitting between user and management networks.
Flag multi-homed exceptions — Maintain an allowlist for legitimate routers, VPN concentrators, firewalls, and RRAS systems so the rest can be auto-remediated or escalated. For LOW, there is no formal mitigation deadline, but exception drift should be reviewed during routine network-hardening operations.

What doesn't work

Relying on perimeter internet exposure scans alone does not help, because this is not a banner-level condition they can reliably see.
EDR alone does not 'fix' the issue; it may catch later pivot behavior, but it will not stop a host from being transit-capable if the network stack and firewall permit it.
Treating every instance as an emergency patch event wastes time, because there is usually no software patch and the risk depends heavily on host placement.

06 · Verification

Crowdsourced verification payload.

Run this on the target Windows host in a PowerShell session. Example: powershell.exe -ExecutionPolicy Bypass -File .\check-cve-1999-0511.ps1; standard user rights are usually enough to read the registry and service state, though admin rights help if local policy is restrictive.

noisgate-verify.ps1

POWERSHELLREAD-ONLYSAFE

# check-cve-1999-0511.ps1

# Purpose: Detect whether unintended IP forwarding is enabled on a Windows host.

# Output: VULNERABLE / PATCHED / UNKNOWN

# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN


$ErrorActionPreference = 'Stop'

function Write-Result {
    param(
        [string]$Status,
        [string]$Reason,
        [int]$Code
    )
    Write-Output ("{0}: {1}" -f $Status, $Reason)
    exit $Code
}

try {
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $ipEnableRouter = $null

    try {
        $reg = Get-ItemProperty -Path $regPath -Name IPEnableRouter -ErrorAction Stop
        $ipEnableRouter = [int]$reg.IPEnableRouter
    }
    catch {
        # Missing value usually means disabled / not configured on many systems.

        $ipEnableRouter = 0
    }

    $remoteAccess = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
    $serviceStatus = if ($remoteAccess) { $remoteAccess.Status.ToString() } else { 'NotPresent' }
    $serviceStartType = if ($remoteAccess) { (Get-CimInstance Win32_Service -Filter "Name='RemoteAccess'").StartMode } else { 'NotPresent' }

    # Modern Windows can also expose per-interface forwarding state.

    $forwardingEnabled = @()
    try {
        $cmd = Get-Command Get-NetIPInterface -ErrorAction SilentlyContinue
        if ($cmd) {
            $forwardingEnabled = Get-NetIPInterface -AddressFamily IPv4 -ErrorAction Stop | Where-Object { $_.Forwarding -eq 'Enabled' }
        }
    }
    catch {
        $forwardingEnabled = @()
    }

    if ($ipEnableRouter -eq 1) {
        Write-Result -Status 'VULNERABLE' -Reason 'Registry value IPEnableRouter=1' -Code 1
    }

    if ($serviceStatus -eq 'Running') {
        Write-Result -Status 'VULNERABLE' -Reason 'RemoteAccess (RRAS) service is running' -Code 1
    }

    if ($forwardingEnabled.Count -gt 0) {
        $names = ($forwardingEnabled | Select-Object -ExpandProperty InterfaceAlias -Unique) -join ', '
        Write-Result -Status 'VULNERABLE' -Reason ("IPv4 forwarding enabled on interface(s): {0}" -f $names) -Code 1
    }

    if ($serviceStatus -eq 'NotPresent') {
        Write-Result -Status 'PATCHED' -Reason 'IPEnableRouter disabled/missing and no forwarding-enabled interfaces detected' -Code 0
    }

    if (($ipEnableRouter -eq 0) -and ($serviceStatus -ne 'Running')) {
        Write-Result -Status 'PATCHED' -Reason ("IPEnableRouter disabled/missing; RemoteAccess status={0}, start mode={1}" -f $serviceStatus, $serviceStartType) -Code 0
    }

    Write-Result -Status 'UNKNOWN' -Reason 'Unable to determine effective forwarding state conclusively' -Code 2
}
catch {
    Write-Result -Status 'UNKNOWN' -Reason $_.Exception.Message -Code 2
}

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning, do not let this sit in the same lane as internet-facing RCEs. Use config management or authenticated scanning to inventory which hosts have forwarding enabled, validate legitimate routers/VPN/RRAS boxes, and disable it everywhere else during the next normal hardening cycle; for a LOW verdict there is no noisgate mitigation SLA and no noisgate remediation SLA beyond backlog hygiene, unless you discover the host is actually bridging sensitive zones, in which case escalate locally as a segmentation issue.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.