High Severity Vulnerabilities

111.5K CVEs classified as high severity

Summary statistics for the HIGH band:

- Total CVEs: 111.5K
- Average CVSS: 7.9 (High)
- Maximum CVSS: 10.0
- Minimum CVSS: 7.2


High Severity CVEs

Page 4635 of 4645
CVSS:7.5(High)

The Expression Evaluator sample application in ColdFusion allows remote attackers to read or delete files on the server via exprcalc.cfm, which does not restrict access to the server properly.

CVSS:10.0(Critical)

A remote attacker can sometimes identify the operating system of a host based on how it reacts to some IP or ICMP packets, using a tool such as nmap or queso.

CVSS:10.0(Critical)

A service or application has a backdoor password that was placed there by the developer.

CVSS:7.5(High)

In IIS, an attacker could determine a real path using a request for a non-existent URL that would be interpreted by Perl (perl.exe).

CVSS:7.8(High)

The ExAir sample site in IIS 4 allows remote attackers to cause a denial of service (CPU consumption) via a direct request to the (1) advsearch.asp, (2) query.asp, or (3) search.asp scripts.

CVSS:10.0(Critical)

Patrol management software allows a remote attacker to conduct a replay attack to steal the administrator password.

CVSS:7.5(High)

The byte code verifier component of the Java Virtual Machine (JVM) allows remote execution through malicious web pages.

CVSS:7.5(High)

Buffer overflow in procmail before version 3.12 allows remote or local attackers to execute commands via expansions in the procmailrc configuration file.

CVSS:7.2(High)

MC/ServiceGuard and MC/LockManager in HP-UX allow local users to gain privileges through SAM.

CVSS:7.5(High)

The XFree86 xfs command is vulnerable to a symlink attack, allowing local users to create files in restricted directories, possibly allowing them to gain privileges or cause a denial of service.

CVSS:7.5(High)

The Lotus Notes 4.5 client may send a copy of encrypted mail in the clear across the network if the user does not set the "Encrypt Saved Mail" preference.

CVSS:7.5(High)

OpenSSL and SSLeay allow remote attackers to reuse SSL sessions and bypass access controls.

CVSS:7.5(High)

Eudora 4.1 allows remote attackers to perform a denial of service by sending attachments with long file names.

CVSS:7.2(High)

During a reboot after an installation of Linux Slackware 3.6, a remote attacker can obtain root access by logging in to the root account without a password.

CVSS:7.2(High)

umapfs allows local users to gain root privileges by changing their uid through a malicious mount_umap program.

CVSS:7.5(High)

The HTTP server in Cisco 7xx series routers 3.2 through 4.2 is enabled by default, which allows remote attackers to change the router's configuration.

CVSS:7.2(High)

A buffer overflow in the SGI X server allows local users to gain root access through the X server font path.

CVSS:7.5(High)

In IIS and other web servers, an attacker can run commands as SYSTEM if the server is running as SYSTEM and loading an ISAPI extension.

CVSS:7.2(High)

Several startup scripts in SCO OpenServer Enterprise System v 5.0.4p, including S84rpcinit, S95nis, S85tcp, and S89nfs, are vulnerable to a symlink attack, allowing a local user to gain root access.

CVSS:7.2(High)

The cancel command in Solaris 2.6 (i386) has a buffer overflow that allows local users to obtain root access.

CVSS:10.0(Critical)

Files created from interactive shell sessions in Cobalt RaQ microservers (e.g. .bash_history) are world readable, and thus are accessible from the web server.

CVSS:10.0(Critical)

By default, IIS 4.0 has a virtual directory /IISADMPWD which contains files that can be used as proxies for brute force password attacks, or to identify valid users on the system.

CVSS:7.2(High)

Digital Unix Networker program nsralist has a buffer overflow which allows local users to obtain root privilege.