FTA: "In order to use this technique, an attacker needs to gain access to the Windows system running the IIS server by some other means. In this particular case, it is unclear how this access was achieved."
See also "It rather involved being on the other side of this airtight hatchway" series by Raymond Chen:
https://devblogs.microsoft.com/oldnewthing/20181219-00/?p=100515
https://devblogs.microsoft.com/oldnewthing/20211207-00/?p=106004
So in other words, this is something that someone has to run on the computer, then it injects itself into IIS. Not a remote vulnerability, just an entry point for monitoring HTTP requests once you have code execution in there.
Nobody sane runs FREB at full prod load on public sites. It's not installed by default. It is highly useful for troubleshooting but not at production traffic. Seems like if you're inside IIS already by some mystic hack you already own the space.