High

Privilege escalation in Microsoft IIS 5.0 via relative-path system file loading

IdentifiersCVE-2001-0507CWE-426

Microsoft Internet Information Services (IIS) 5.0 uses relative paths when locating certain system files that are executed in-process. This unsafe search-path behavior allows a local attacker to place a Trojan horse file, including a malicious replacement for a DLL expected by IIS, in a location that will be resolved before the legitimate system file. When IIS loads the attacker-controlled file in-process, the malicious code executes in the security context of the IIS service, resulting in privilege elevation. The provided context specifically references abuse through side-loading a malicious httpodbc.dll on older IIS servers.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows a local user to elevate privileges by causing IIS to load and execute attacker-controlled code in-process. Depending on the IIS service account and host configuration, this can provide administrative or SYSTEM-level execution, enabling full compromise of the server, credential theft, persistence, and further lateral movement.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, restrict local access to the server, especially interactive or file-write access by low-privileged users. Harden filesystem ACLs so unprivileged accounts cannot place files in IIS application, service, or searched directories. Monitor for unexpected DLLs such as httpodbc.dll in IIS-related paths, enable file integrity monitoring on IIS directories, and reduce the IIS service account privileges to limit post-exploitation impact. Migrating workloads off legacy IIS 5.0 systems is strongly recommended.

Remediation

Patch, then assume compromise.

Apply the vendor security update for IIS 5.0 addressing CVE-2001-0507. Ensure IIS and the underlying Windows platform are fully patched and retire unsupported legacy IIS 5.0 deployments where possible. Review application and service configurations to ensure system binaries and DLLs are referenced using secure absolute paths rather than relative paths, and remove write permissions for unprivileged users from directories that may be searched during module loading.

PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 1 candidate as fakes, detection scripts, or README-only repos.

VALID 0 / 1 TOTALView more in app

All candidate exploits were filtered out by Mallory's validation.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

Microsoft CorporationInternet Information Servicesapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

6 SOURCESView more in app

mitre attackNews

Jan 25, 2026

FIN13, Elephant Beetle, Group G1016 | MITRE ATT&CK®

An old IIS-related vulnerability referenced in the context of DLL side-loading on legacy IIS servers to load a malicious httpodbc.dll.

mitre attack websiteNews

Feb 3, 2026

Hijack Execution Flow: DLL, Sub-technique T1574.001 - Enterprise | MITRE ATT&CK®

A vulnerability affecting older Microsoft IIS servers that can be leveraged via DLL side-loading (IISCrack.dll) to load a malicious httpodbc.dll.

mitre attack websiteNews

Feb 3, 2026

Hijack Execution Flow: DLL, Sub-technique T1574.001 - Enterprise | MITRE ATT&CK®

A legacy Microsoft IIS vulnerability (CVE-2001-0507) referenced as being abused in conjunction with DLL side-loading (IISCrack.dll) to load a malicious httpodbc.dll on older IIS servers.

mitre attack websiteNews

Feb 4, 2026

Hijack Execution Flow: DLL, Sub-technique T1574.001 - Enterprise | MITRE ATT&CK®

A vulnerability in older Microsoft IIS servers (referenced in the context of DLL side-loading) that can be leveraged to load a malicious httpodbc.dll via IISCrack.dll.

+2 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence1

Every observed campaign linking this CVE to a named adversary.

Associated malware1

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2001-0507

NVD

nvd.nist.gov/vuln/detail/CVE-2001-0507

MITRE CWE · CWE-426

cwe.mitre.org

online.securityfocus.com

online.securityfocus.com/archive/1/205069

ciac.org

ciac.org/ciac/bulletins/l-132.shtml

osvdb.org

osvdb.org/5607

docs.microsoft.com

docs.microsoft.com/en-us/security-updates/securitybulletins/2001/ms01-044

exchange.xforce.ibmcloud.com

exchange.xforce.ibmcloud.com/vulnerabilities/6985

oval.cisecurity.org

oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A909

oval.cisecurity.org

oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A912