CVE-2009-2261
published 2009-06-30

Priority P259 · critical · 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 41.42% (98.5th percentile)
PeaZIP 2.6.1, 2.5.1, and earlier on Windows allows user-assisted remote attackers to execute arbitrary commands via a .zip archive with a .txt file whose name contains | (pipe) characters and a command.

Affected

25 ranges
Vendor | Product | Version range | Fixed in
giorgio_tani | peazip | <= 2.5.1 |

Detection & IOCs (extracted from sources)

filename: 9sg.zip
filename: ../../../../../../../" README.TXT " <0xde-padded> | <cmd> | .txt
command: | <cmd> |
  • Detect ZIP archives containing filenames with pipe characters (|) adjacent to a .txt extension — the canonical injection pattern for this CVE.
  • The malicious filename inside the ZIP is crafted as: README.TXT followed by space-padding (up to 255 bytes total) then "|<cmd>|.txt" — inspect ZIP central-directory filename fields for this pattern.
  • The exploit pads the filename with 0x20 (space) bytes, 0xDE (222) minus the command length of them, to reach the 255-character filename limit — look for ZIP entries with filenames containing long runs of spaces followed by pipe characters.
  • The Metasploit module targets PeaZip versions prior to 2.6.2; flag PeaZip process invocations on Windows where the command line contains pipe-delimited tokens originating from a filename string.
  • Exploitation requires user interaction: the victim must open the ZIP in PeaZip AND double-click the specially named file inside it.
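The filename checks in the list above can be run against an archive's central directory before it reaches a user. The following is an added example, not code from this page or from any of its sources; the 16-space threshold, the reason labels and the constructed sample archive (which carries an inert placeholder token) are assumptions.

```python
import io
import re
import zipfile

# Heuristics follow the detection notes above; the thresholds are assumptions.
PIPE_TXT = re.compile(r"\|[^|]*\|\s*\.txt$", re.IGNORECASE)
SPACE_RUN = re.compile(r" {16,}")  # assumed cut-off for a "long run of spaces"

def inspect_name(name):
    """Return the reasons a ZIP entry name looks suspicious (empty if none)."""
    reasons = []
    if "|" in name:
        reasons.append("pipe-character")
    if PIPE_TXT.search(name):
        reasons.append("pipe-delimited-token-before-.txt")
    run = SPACE_RUN.search(name)
    if run and "|" in name[run.end():]:
        reasons.append("space-padding-then-pipe")
    if len(name.encode("utf-8", "replace")) >= 255:
        reasons.append("name-at-255-byte-limit")
    if ".." in name.replace("\\", "/").split("/"):
        reasons.append("path-traversal-segment")
    return reasons

def scan_zip(data):
    """Map each flagged central-directory filename to its list of reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():  # entries as listed in the central directory
            reasons = inspect_name(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings

def build_sample():
    """Constructed archive: one ordinary entry and one with the flagged shape."""
    flagged = "README.TXT" + " " * 40 + "|PLACEHOLDER|.txt"  # inert token
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/notes.txt", b"benign")
        zf.writestr(flagged, b"constructed sample")
    return buf.getvalue(), flagged

if __name__ == "__main__":
    sample, _ = build_sample()
    for entry, why in scan_zip(sample).items():
        print(repr(entry), why)
```

A mail gateway or download proxy can call `scan_zip` on each attachment and quarantine any archive that returns a non-empty result.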