CVE-2007-2897

CVE-2007-2897 is a high-severity vulnerability in Microsoft Internet Information Server with a CVSS 2.0 base score of 7.5. Its EPSS exploit-prediction score of 74% places it in the 99th percentile, indicating an elevated likelihood of exploitation.

Key facts

Description

Microsoft Internet Information Services (IIS) 6.0 allows remote attackers to cause a denial of service (server instability or device hang), and possibly obtain sensitive information (device communication traffic); and might allow attackers with physical access to execute arbitrary code after connecting a data stream to a device COM port; via requests for a URI containing a '/' immediately before and after the name of a DOS device, as demonstrated by the /AUX/.aspx URI, which bypasses a blacklist for DOS device requests.

Frequently asked questions

What is CVE-2007-2897?
Microsoft Internet Information Services (IIS) 6.0 allows remote attackers to cause a denial of service (server instability or device hang), and possibly obtain sensitive information (device communication traffic); and might allow attackers with physical access to execute arbitrary code after connecting a data stream to a device COM port; via requests for a URI containing a '/' immediately before and after the name of a DOS device, as demonstrated by the /AUX/.aspx URI, which bypasses a blacklist for DOS device requests.
How severe is CVE-2007-2897?
CVE-2007-2897 has a CVSS 2.0 base score of 7.5, rated high severity.
Is CVE-2007-2897 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 74% (99th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2007-2897?
CVE-2007-2897 affects Microsoft Internet Information Server. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2007-2897?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
When was CVE-2007-2897 published?
CVE-2007-2897 was published on 2007-05-30 and last updated on 2026-06-16.

References

Affected products (1)

More vulnerabilities in Microsoft Internet Information Server

All CVEs affecting Microsoft Internet Information Server →