CVE-1999-0360 is a high-severity vulnerability affecting Microsoft Site Server 2.0 when used in conjunction with Internet Information Services (IIS) 4.0. The vulnerability allows unauthenticated users to upload arbitrary content, including Active Server Pages (ASP), to the target web server. This capability effectively enables remote code execution, as attackers can upload malicious ASP scripts and have them executed by the server. The root cause lies in insufficient validation and access controls on the content upload functionality of Site Server 2.0 integrated with IIS 4.0, allowing attackers to bypass restrictions and place executable code on the server. The CVSS v2 score of 7.2 reflects the high impact on confidentiality, integrity, and availability, with low attack complexity and no authentication required. Although this vulnerability was disclosed in 1999 and no official patch is available, the risk remains for legacy systems still running this outdated software stack. Exploitation could lead to full system compromise, data theft, defacement, or use of the server as a pivot point for further attacks.

For European organizations, the impact of this vulnerability could be significant if legacy systems running Microsoft Site Server 2.0 with IIS 4.0 remain in use, particularly in sectors with less frequent IT modernization such as small to medium enterprises or certain public sector entities. Successful exploitation could result in unauthorized access to sensitive data, disruption of web services, and potential lateral movement within the network. Given the ability to execute arbitrary commands remotely without authentication, attackers could deploy malware, steal confidential information, or disrupt business operations. This could lead to reputational damage, regulatory non-compliance (e.g., GDPR breaches), and financial losses. Although modern environments are unlikely to be affected, any legacy infrastructure still exposed to the internet or accessible internally represents a critical risk.

Since no official patch is available for this vulnerability, organizations should prioritize decommissioning or upgrading legacy systems running Microsoft Site Server 2.0 and IIS 4.0. Immediate mitigation steps include isolating affected servers from external networks and restricting access to trusted administrators only. Implement network segmentation and firewall rules to limit exposure. Employ web application firewalls (WAFs) with custom rules to detect and block unauthorized upload attempts and suspicious ASP script execution. Conduct thorough audits to identify any existing malicious uploads and remove them. Additionally, monitor logs for unusual activity related to file uploads or script execution. For organizations unable to upgrade immediately, consider virtual patching techniques and strict access controls to minimize risk. Finally, ensure comprehensive backups are maintained to enable recovery in case of compromise.