CVE-2009-1064

Orbit Downloader <= 2.8.7 - Arbitrary File Write via ActiveX Control Argument Injection

Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-1064. PoCs published by waraxe.

AI-analyzed exploit summary: This exploit leverages an arbitrary file deletion vulnerability in Orbit Downloader <= 2.8.7 via an ActiveX control. The PoC uses a malicious HTML page to invoke the vulnerable method and delete a specified file on the victim's system.

Description

Argument injection vulnerability in orbitmxt.dll 2.1.0.2 in the Orbit Downloader 2.8.7 and earlier ActiveX control allows remote attackers to overwrite arbitrary files via whitespace and a command-line switch, followed by a full pathname, in the third argument to the download method.

Exploits (1)

exploitdb WORKING POC VERIFIED
by waraxe · text · remote · windows
https://www.exploit-db.com/exploits/8257

Classification: Working PoC 100%
Attack Type: Other
Complexity: Trivial
Reliability: Reliable
Target: Orbit Downloader <= 2.8.7
No auth needed
Prerequisites: Victim must visit the malicious webpage using Internet Explorer with default security settings
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Exploit x_refsource_misc
http://www.waraxe.us/advisory-73.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/34200
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/8257
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/49353

Scores

EPSS 0.0372
EPSS Percentile 88.4%

Details

CWE: CWE-94
Status: published
Products (19)
orbit_downloader/orbit_downloader 2.6.3
orbit_downloader/orbit_downloader 2.6.4
orbitdownloader/orbit_downloader 2.6.1
orbitdownloader/orbit_downloader 2.6.3
orbitdownloader/orbit_downloader 2.6.4
orbitdownloader/orbit_downloader 2.6.5
orbitdownloader/orbit_downloader 2.7.1
orbitdownloader/orbit_downloader 2.7.3
orbitdownloader/orbit_downloader 2.7.5
orbitdownloader/orbit_downloader 2.7.6
... and 9 more
Published Mar 26, 2009
Tracked Since Feb 18, 2026