Security readout for executives and security teams
Plain-English summary
This is an old Microsoft web server sample-file issue. If the sample page is still present on an exposed IIS/Site Server host, an outsider may read files they should not access. Risk depends on whether legacy systems still expose viewcode.asp.
Executive priority
Prioritize legacy internet-facing Microsoft web servers. This is not enough evidence for emergency action by itself, but exposed sample files that allow file disclosure should be removed quickly.
Technical view
CVE-1999-0737 concerns the viewcode.asp sample script in IIS and Site Server. When reachable remotely, the script can allow arbitrary file reads from the server. The bundle provides no CVSS, CWE, affected version range, or detailed patch text; Microsoft MS99-013 is cited as the vendor advisory.
Likely exposure
Exposure is most likely on legacy IIS or Site Server deployments that still have the viewcode.asp sample file installed and reachable over HTTP. The source bundle does not identify specific versions or configurations.
Exploitation context
The CVE states remote attackers can read arbitrary files through viewcode.asp. The bundle does not show CISA KEV listing or other evidence of active exploitation, so active exploitation should not be assumed.
Researcher notes
Key gaps are affected versions, CVSS, CWE mapping, and exact Microsoft remediation details. Treat the vulnerability as a remotely reachable arbitrary file read tied specifically to the sample file named in the CVE.
Mitigation direction
- Check Microsoft MS99-013 and apply vendor guidance for affected systems.
- Remove or disable public access to viewcode.asp where found.
- Restrict legacy IIS and Site Server hosts from internet exposure.
- Review server file permissions for sensitive local files.
Validation and detection
- Inventory IIS and Site Server assets, especially legacy hosts.
- Search web roots for viewcode.asp sample files.
- Confirm whether viewcode.asp is reachable from untrusted networks.
- Review logs for requests to viewcode.asp.
Public sources used
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CVE-1999-0737 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- Unknown
- CVSS
- Not scored
- Known Exploited
- No
- Published
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS and timeline data
No CVSS vectors or timeline events were available in the normalized CVE source material.
Source materials
- CVE List V5 sourceCVE List V5
- MS99-013CVE reference · vendor-advisory, x_refsource_MS
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
