CVE-1999-0372 is a vulnerability identified in Microsoft BackOffice Server 4.0, specifically related to its installer process. During installation, the setup creates a file named reboot.ini that contains account names and passwords in plaintext. Critically, this file is not deleted after installation completes, leaving sensitive credential information exposed on the system. This vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The exposure of account credentials in an accessible file can allow local users or attackers with access to the file system to obtain these credentials without needing authentication or elevated privileges. Given the nature of the vulnerability, it primarily affects confidentiality, as the passwords and account names can be read by unauthorized parties. The CVSS score is low (2.1), reflecting that exploitation requires local access (Attack Vector: Local), low attack complexity, and no authentication, but the impact is limited to partial confidentiality loss without affecting integrity or availability. Microsoft has released patches addressing this issue, as documented in security bulletin MS99-005. The vulnerability dates back to 1999 and affects legacy Windows 2000 BackOffice Server installations, which are largely obsolete today but may still exist in legacy environments.

For European organizations, the impact of this vulnerability is primarily related to the potential exposure of administrative or service account credentials on legacy Windows 2000 BackOffice Server systems. While modern systems are not affected, some organizations in sectors with long technology lifecycles (e.g., manufacturing, utilities, or government) might still operate legacy infrastructure. If an attacker gains local access to such a system, they could retrieve sensitive credentials, potentially enabling lateral movement or privilege escalation within the network. However, the vulnerability does not allow remote exploitation and does not directly compromise system integrity or availability. The risk is therefore limited but should not be ignored in environments where legacy systems remain in use, especially if those systems hold sensitive data or provide critical services.

Organizations should verify whether any legacy Windows 2000 BackOffice Server 4.0 systems are still in operation. If so, immediate steps include applying the official Microsoft patch from MS99-005 to remove the vulnerability. If patching is not feasible due to system constraints, organizations should ensure that the reboot.ini file is securely deleted post-installation and that access controls restrict file system access to trusted administrators only. Additionally, auditing and monitoring for unauthorized access to legacy systems should be enhanced. Where possible, organizations should plan to decommission or upgrade legacy BackOffice Server installations to supported platforms to eliminate exposure to this and other legacy vulnerabilities. Network segmentation and strict access controls can further reduce the risk of local exploitation.