← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
tenable:64589 · Disclosed 2007-05-22

Microsoft ASP

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is less a front-door master key than a rusty side gate that only fits a 2003-era building

The underlying issue is CVE-2007-2897: sending a request like /AUX/.aspx to Microsoft IIS 6.0 can trip ASP.NET into a temporary denial-of-service condition by abusing reserved MS-DOS device names. In practice, the real affected population is old IIS 6.0 deployments—typically Windows Server 2003-era systems running ASP.NET 1.1—while Tenable plugin 64589 is intentionally broad and, in PCI mode, reports ASP.NET 1.1 or even undetermined ASP.NET with manual verification required.

Tenable's MEDIUM is still generous for patch-prioritization purposes. NVD's old CVSS v2 7.5 is inflated by speculative claims around COM-port data access and even physical-access code execution; Tenable itself says its researchers concluded this is DoS only. That leaves you with a narrow, legacy, externally reachable, unauthenticated nuisance on a platform that should already be in retirement—not something that deserves urgent enterprise-wide patch motion.

"This is a 2007-era, DoS-only edge case on IIS 6.0/ASP.NET 1.1—not a modern patch emergency."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Find an actually exposed legacy target

The attacker first needs a web server that is really IIS 6.0-era ASP.NET, not just anything that answers with X-Powered-By: ASP.NET. The common workflow is banner identification with a scanner such as Nessus or a quick manual probe, then narrowing to systems likely to be Windows Server 2003 / IIS 6.0. Reference: Tenable plugin 64589 and Microsoft's IIS 6.0 / ASP.NET 1.1 documentation.
Conditions required:
  • Internet-reachable HTTP/HTTPS service
  • Server is actually IIS 6.0-era ASP.NET, not a newer stack misdetected by the plugin
Where this breaks in practice:
  • Tenable says the check is PCI-only and requires manual verification
  • Plugin can over-report when it cannot determine the ASP.NET version
  • Most enterprises no longer run legitimate IIS 6.0 / ASP.NET 1.1 on production internet edges
Detection/coverage: Scanner coverage is noisy rather than precise here. Nessus detects probable exposure, but confirmation requires host-side version checks.
STEP 02

Send a reserved device-name request

Using a browser, curl, or the original kingcope Perl proof-of-concept, the attacker requests a path containing a DOS device name such as /AUX/.aspx. The issue depends on how IIS 6.0 and ASP.NET process these device-like path elements and can produce runtime errors or slow responses.
Conditions required:
  • Target accepts crafted URI paths
  • Application path reaches the vulnerable request handling path
Where this breaks in practice:
  • Request filtering, reverse proxies, WAFs, or custom URL normalization can stop the path before IIS sees it
  • Some servers only show the behavior intermittently or under load
Detection/coverage: WAFs, reverse proxies, and web logs can often spot literal requests for AUX, COM1, LPT1, NUL, or related reserved names.
STEP 03

Parallelize the requests into a transient DoS

The original public PoC used multiple parallel GETs to push the server into instability and temporary unresponsiveness. This is not a memory-corruption RCE chain; it is a repeatable resource-disruption pattern that gets worse when the site is already fragile or lightly provisioned.
Conditions required:
  • Attacker can generate sustained concurrent HTTP requests
  • Target is susceptible to the slowdown condition
Where this breaks in practice:
  • Rate limits, CDN shielding, reverse proxies, and even basic load balancers reduce impact
  • The attacker still only gets availability disruption, not durable control of the host
Detection/coverage: Network and WAF telemetry should show bursts of identical path requests. Generic DoS detection has better odds here than signature-grade exploit detection.
STEP 04

Cause service instability, not strategic compromise

Best-case attacker outcome is a temporary outage or app-pool instability on the targeted site. The older narrative about reading device traffic or physical-port-assisted code execution is theoretically interesting but operationally irrelevant for enterprise patch triage.
Conditions required:
  • Target remains reachable during the request burst
  • Service is single-point-of-failure enough for temporary disruption to matter
Where this breaks in practice:
  • No credible modern evidence of this being used as an intrusion foothold
  • Physical COM-port access is a different threat model entirely and not part of normal remote exploitation
Detection/coverage: Availability monitoring and IIS error logs are more useful than endpoint exploit alerts for confirming impact.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo current evidence of active exploitation located. CVE-2007-2897 does not appear in CISA's KEV catalog.
Proof-of-concept availabilityYes, but ancient and low-grade. Public PoC was posted by kingcope on Full Disclosure on 2007-05-22 using a simple threaded Perl DoS script.
EPSS0.53862 (53.862%), 98.011 percentile on the CIRCL/FIRST mirror snapshot dated 2026-04-23. *Inference:* this looks overstated for today's reality and is likely distorted by legacy CVE metadata rather than fresh attacker demand.
KEV statusNot KEV-listed. No CISA KEV due date or federal remediation urgency signal.
CVSS reality checkNVD still shows old CVSS v2 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P), but Tenable explicitly says its researchers reassessed it as DoS only and uses CVSS v2 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P).
Affected versionsReal risk is legacy IIS 6.0 / Windows Server 2003-era ASP.NET. Tenable says the plugin reports all ASP.NET 1.1 servers, and if versioning fails, all ASP.NET servers, so scanner hits are not equal to confirmed exposure.
Fixed versionsNo vendor patch identified. Tenable's recommended control is a compensating measure: use an ISAPI filter to block DOS device-name URLs.
Exposure dataBitsight's Groma page shows 87,439 total observations of Microsoft IIS 6.0 over the prior 30 days, including 28,533 in the US. That is non-zero exposure, but it is still a shrinking legacy island, not a mainstream enterprise platform.
Disclosure timelinePublic discussion began 2007-05-22 on Full Disclosure; the CVE was published 2007-05-30.
Reporting / researchOriginal report credited to kingcope; Full Disclosure follow-up by 3APA3A added the COM/LPT device-angle speculation that likely inflated early severity interpretation.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to LOW (2.8/10)

The decisive factor is platform and exposure narrowing: this is meaningfully relevant only to old IIS 6.0 / ASP.NET 1.1-era deployments, and even the Tenable check admits manual verification is required. Once you strip away the speculative COM-port narrative, what remains is an unauthenticated temporary DoS on a shrinking legacy population, not a modern compromise path.

HIGH This is not a high-priority enterprise patch item
MEDIUM Exact affected application combinations behind each Tenable hit

Why this verdict

  • Vendor baseline drops immediately: Tenable itself says its researchers concluded this is DoS only, which undercuts the older NVD 7.5 story.
  • Reachable population is narrow: real exposure requires IIS 6.0 / Windows Server 2003-era ASP.NET, not generic modern ASP.NET on current IIS.
  • Scanner confidence is limited: plugin 64589 runs for PCI checks and explicitly says manual verification is required, so raw hit counts will include false positives and version ambiguity.
  • Attacker value is low: the chain gives temporary service disruption, not a practical remote foothold for lateral movement or privilege gain.
  • Modern controls add friction: reverse proxies, request filtering, WAF normalization, and rate limiting all make the original 2007 path less reliable today.

Why not higher?

This does not deserve MEDIUM or above because the business impact is mostly bounded to availability, and even that requires a very specific, obsolete deployment profile. There is no strong present-day exploitation evidence, no KEV listing, and no compelling reason to treat speculative physical-port side effects as a real remote enterprise risk amplifier.

Why not lower?

I did not mark it IGNORE because the underlying behavior is real and unauthenticated remote abuse is possible on genuinely exposed IIS 6.0 systems. If you still have an internet-facing Windows Server 2003 / IIS 6.0 application, a nuisance DoS against a legacy revenue path can still hurt you operationally.

05 · Compensating Control

What to do — in priority order.

  1. Validate every Nessus hit — Confirm whether the host is actually IIS 6.0 with ASP.NET 1.1 or another legacy ASP.NET path before opening patch tickets. For a LOW verdict there is no mitigation SLA; treat validation as backlog hygiene and close false positives aggressively.
  2. Block reserved DOS device names — At the edge proxy, WAF, or IIS layer, deny requests containing reserved names such as AUX, CON, PRN, NUL, COM1-COM9, and LPT1-LPT9 in path segments. Tenable specifically recommends an ISAPI filter; for a LOW verdict, implement as normal backlog hygiene unless the server is internet-facing and business-critical.
  3. Hide the app behind a modern front end — If the legacy app must stay alive, front it with a reverse proxy or ADC that normalizes paths, rate-limits bursts, and blocks malformed URL patterns. This is the practical containment move when you cannot retire the old stack immediately; for LOW, do it in routine change windows.
  4. Retire IIS 6.0 / Server 2003 — The real control is not 'patching' this CVE but removing the entire unsupported platform. Because the verdict is LOW, this sits in backlog hygiene unless the asset is externally exposed, in which case it should be tied to your broader legacy-host eradication program.
What doesn't work
  • MFA does nothing here because the attack is unauthenticated HTTP traffic.
  • EDR alone will not reliably prevent a URL-triggered web-service slowdown; it may tell you the box is sick after the fact.
  • TLS upgrades are irrelevant; HTTPS protects transport, not path parsing.
  • Generic vulnerability closure based on the Nessus hit alone is the wrong move because this plugin is intentionally broad and requires manual confirmation.
06 · Verification

Crowdsourced verification payload.

Run this on the target Windows host from an elevated cmd.exe session. Example: check_iis6_aspnet_dos.bat; it needs local registry read access and works best on the affected legacy systems themselves. It reports VULNERABLE when it finds IIS 6.0 plus .NET Framework 1.1, PATCHED when the host is not in that affected set, and UNKNOWN if it cannot decide.

noisgate-verify.bat
BATCHREAD-ONLYSAFE
@echo off
setlocal ENABLEEXTENSIONS ENABLEDELAYEDEXPANSION
REM check_iis6_aspnet_dos.bat

REM Detect likely exposure to CVE-2007-2897 / Tenable plugin 64589.

REM Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN


set IIS6=0
set DOTNET11=0
set UNKNOWN=0

REM --- Detect IIS major version ---

for /f "tokens=2,*" %%A in ('reg query "HKLM\SOFTWARE\Microsoft\InetStp" /v MajorVersion 2^>nul ^| find /i "MajorVersion"') do (
  set IISMAJOR=%%B
)
if defined IISMAJOR (
  echo !IISMAJOR! | findstr /r /c:"0x6" /c:" 6$" >nul && set IIS6=1
) else (
  for /f "tokens=2,*" %%A in ('reg query "HKLM\SOFTWARE\Microsoft\InetStp" /v VersionString 2^>nul ^| find /i "VersionString"') do (
    set IISVERSTR=%%B
  )
  if defined IISVERSTR (
    echo !IISVERSTR! | find /i "Version 6.0" >nul && set IIS6=1
  ) else (
    REM No IIS registry keys found; assume IIS not installed

    set IIS6=0
  )
)

REM --- Detect .NET Framework 1.1 ---

for %%K in (
  "HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v1.1.4322"
  "HKLM\SOFTWARE\WOW6432Node\Microsoft\NET Framework Setup\NDP\v1.1.4322"
) do (
  for /f "tokens=2,*" %%A in ('reg query %%~K /v Install 2^>nul ^| find /i "Install"') do (
    set DN11=%%B
    echo !DN11! | findstr /r /c:"0x1" /c:" 1$" >nul && set DOTNET11=1
  )
)

REM --- Sanity check ---

if "%IIS6%"=="0" if "%DOTNET11%"=="0" (
  echo PATCHED
  REM Not in the known affected legacy stack

  exit /b 0
)

if "%IIS6%"=="1" if "%DOTNET11%"=="1" (
  echo VULNERABLE
  REM Host matches IIS 6.0 + .NET 1.1 profile used by this finding

  exit /b 1
)

REM Mixed signals: perhaps IIS 6.0 without ASP.NET 1.1, or detection ambiguity.

REM This script cannot verify ISAPI-filter mitigation automatically.

echo UNKNOWN
exit /b 2
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning: do not mass-escalate plugin 64589 as a medium patch event. First, validate every hit and separate real IIS 6.0 / ASP.NET 1.1 hosts from plugin noise; if a confirmed legacy internet-facing app exists, add URL-blocking or front-end filtering as backlog hygiene and tie the host to your Windows Server 2003 retirement plan. Because this is LOW and not KEV-listed, there is no noisgate mitigation SLA and no noisgate remediation SLA—treat it as backlog hygiene, but do not let genuinely exposed IIS 6.0 systems sit unowned.

Sources

  1. Tenable Nessus Plugin 64589
  2. Full Disclosure original post by kingcope (2007-05-22)
  3. Full Disclosure follow-up by 3APA3A (2007-05-23)
  4. Microsoft Learn: Running ASP.NET 1.1 with IIS 6.0
  5. Microsoft Lifecycle: Windows Server 2003
  6. Bitsight Groma: Microsoft IIS 6.0 Observation Footprint
  7. CISA Known Exploited Vulnerabilities Catalog
  8. Vulnerability-Lookup / CIRCL entry for CVE-2007-2897
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.