In SunOS, NFS file handles could be guessed, giving unauthorized access to the exported file system.

NFS allows users to use a "cd .." command to access other directories besides the exported file system.

NFS cache poisoning.

A race condition in the Solaris ps command allows an attacker to overwrite critical files.

In older versions of Sendmail, an attacker could use a pipe character to execute root commands.

The "established" keyword in some Cisco IOS software allowed an attacker to bypass filtering.

In Cisco IOS 10.3, with the tacacs-ds or tacacs keyword, an extended IP access control list could bypass filtering.

Some classic Cisco IOS devices have a vulnerability in the PPP CHAP authentication to establish unauthorized PPP connections.

Attackers can crash a Cisco IOS router or device, provided they can get to an interactive prompt (such as a login). This applies to some IOS 9.x, 10.x, and 11.x releases.

Cisco PIX firewall manager (PFM) on Windows NT allows attackers to connect to port 8080 on the PFM server and retrieve any file whose name and location is known.

Cisco PIX firewall and CBAC IP fragmentation attack results in a denial of service.

wu-ftpd FTP daemon allows any user and password combination.

The ghostscript command with the -dSAFER option allows remote attackers to execute commands.

IIS 2.0 and 3.0 allows remote attackers to read the source code for ASP pages by appending a . (dot) to the end of the URL.

Windows 95/NT out of band (OOB) data denial of service through NETBIOS port, aka WinNuke.

The DG/UX finger daemon allows remote command execution through shell metacharacters.

The SATAN session key may be disclosed if the user points the web browser to other sites, possibly allowing root access.

The Perl fingerd program allows arbitrary command execution from remote users.

The wrap CGI program in IRIX allows remote attackers to view arbitrary directory listings via a .. (dot dot) attack.

The handler CGI program in IRIX allows arbitrary command execution.