A router or firewall allows source routed packets from arbitrary hosts.

Perl, sh, csh, or other shell interpreters are installed in the cgi-bin directory on a WWW site, which allows remote attackers to execute arbitrary commands.

An account on a router, firewall, or other network device has a default, null, blank, or missing password.

An account on a router, firewall, or other network device has a guessable password.

A Windows NT domain user or administrator account has a default, null, blank, or missing password.

A Windows NT domain user or administrator account has a guessable password.

A Windows NT local user or administrator account has a default, null, blank, or missing password.

A Windows NT local user or administrator account has a guessable password.

A Unix account has a default, null, blank, or missing password.

A Unix account has a guessable password.

NETBIOS share information may be published through SNMP registry keys in NT.

TFTP is not running in a restricted directory, allowing a remote attacker to access sensitive information such as password files.

Anonymous FTP is enabled.

A Windows NT 4.0 user can gain administrative rights by forcing NtOpenProcessToken to succeed regardless of the user's permissions, aka GetAdmin.

A remote attacker can gain access to a file system using .. (dot dot) when accessing SMB shares.

Denial of service in WinGate proxy through a buffer overflow in POP3.

rpc.statd allows remote attackers to forward RPC calls to the local operating system via the SM_MON and SM_NOTIFY commands, which in turn could be used to remotely exploit other bugs such as in automountd.

The ffingerd 1.19 allows remote attackers to identify users on the target system based on its responses.

The prompt parsing in bash allows a local user to execute commands as another user by creating a directory with the name of the command to execute.

MSHTML.DLL in Internet Explorer 5.0 allows a remote attacker to learn information about a local user's files via an IMG SRC tag.