Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2009-1122

Severity: 7.5 HIGH
EPSS: 92.3% (top 0.28%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline
Published: Jun 10
Latest update: May 2

Description

The WebDAV extension in Microsoft Internet Information Services (IIS) 5.0 on Windows 2000 SP4 does not properly decode URLs, which allows remote attackers to bypass authentication, and possibly read or create files, via a crafted HTTP request, aka "IIS 5.0 WebDAV Authentication Bypass Vulnerability," a different vulnerability than CVE-2009-1535.

CVSS vector

AV:N/AC:L/C:P/I:P/A:P
Exploitability: 10.0 | Impact: 6.4

Affected Packages (1 package)

Patches

🔴 Vulnerability Details

2
GHSA
GHSA-c9gf-r7p8-qf28: The WebDAV extension in Microsoft Internet Information Services (IIS) 5 | 2022-05-02
CVEList
CVE-2009-1122: The WebDAV extension in Microsoft Internet Information Services (IIS) 5 | 2009-06-10

💥 Exploits & PoCs

1
Exploit-DB
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (2) | 2009-05-26
CVE-2009-1122 (HIGH CVSS 7.5) | The WebDAV extension in Microsoft I | cvebase.io