CVE-2009-0880

IBM Director < 5.20.3 - Remote Code Execution via CIM Server Path Traversal

Title source: llm

Exploitation Summary

EIP tracks 4 public exploits for CVE-2009-0880. PoCs published by Metasploit, Bernhard Mueller, kingcope, including Metasploit module exploits/windows/misc/ibm_director_cim_dllinject.

AI-analyzed exploit summary This Metasploit module exploits a DLL injection vulnerability in IBM System Director Agent 5.20.3 via WebDAV to achieve remote code execution with SYSTEM privileges. It leverages the WebClient service to deliver a malicious DLL payload.

Description

Directory traversal vulnerability in the CIM server in IBM Director before 5.20.3 Service Update 2 on Windows allows remote attackers to load and execute arbitrary local DLL code via a .. (dot dot) in a /CIMListener/ URI in an M-POST request.

Exploits (4)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotewindows

https://www.exploit-db.com/exploits/23203

View Code ZIP pw:eip

This Metasploit module exploits a DLL injection vulnerability in IBM System Director Agent 5.20.3 via WebDAV to achieve remote code execution with SYSTEM privileges. It leverages the WebClient service to deliver a malicious DLL payload.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: IBM System Director Agent 5.20.3

No auth needed

Prerequisites: WebClient service enabled on target · Network access to target

MITRE ATT&CK

T1189 - Drive-by Compromise T1047 - Windows Management Instrumentation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by Bernhard Mueller · perllocalwindows

https://www.exploit-db.com/exploits/32845

View Code ZIP pw:eip

This exploit targets a privilege escalation vulnerability in IBM Director's CIM server by sending a malformed XML payload via HTTP to trigger arbitrary code execution with elevated privileges. The PoC constructs a malicious CIM ExportIndication request to exploit the vulnerability.

Classification

Working Poc 90%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: IBM Director < 5.20.3 Service Update 2

No auth needed

Prerequisites: Network access to the target's CIM server (port 6988)

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC

by kingcope · textremotewindows

https://www.exploit-db.com/exploits/23074

View Code ZIP pw:eip

This exploit leverages CVE-2009-0880 to force IBM System Director to load a DLL from a remote WebDAV share, achieving remote code execution. The PoC sends a crafted XML payload via HTTP to trigger the vulnerability.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: IBM System Director versions 5.20.3 and before

No auth needed

Prerequisites: Network access to port 6988 · Remote WebDAV share hosting the malicious DLL

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

by Bernhard Mueller, kingcope, juan vazquez · rubypocwin

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/misc/ibm_director_cim_dllinject.rb

View Code ZIP pw:eip

This Metasploit module exploits a DLL injection vulnerability in IBM System Director Agent 5.20.3 by leveraging a WebDAV service to achieve arbitrary code execution with SYSTEM privileges. It handles WebDAV requests (OPTIONS, PROPFIND, GET) to serve a malicious DLL payload to the target.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: IBM System Director Agent 5.20.3

No auth needed

Prerequisites: WebClient service (WebDAV Mini-Redirector) enabled on the target · Network access to the target's CIMListener service (port 6988)

MITRE ATT&CK