CVE-2009-1122

Microsoft Internet Information Services 5.0 - Authentication Bypass via WebDAV URL Decoding


Exploitation Summary

EIP tracks 2 public exploits for CVE-2009-1122. PoCs published by ka0x, et, aushack, including Metasploit module auxiliary/scanner/http/ms09_020_webdav_unicode_bypass.

AI-analyzed exploit summary: This Perl script exploits CVE-2009-1535, a WebDAV authentication bypass vulnerability in Microsoft IIS 6.0, by sending crafted HTTP requests with Unicode-encoded paths to bypass authentication and perform file operations.

Description

The WebDAV extension in Microsoft Internet Information Services (IIS) 5.0 on Windows 2000 SP4 does not properly decode URLs, which allows remote attackers to bypass authentication, and possibly read or create files, via a crafted HTTP request, aka "IIS 5.0 WebDAV Authentication Bypass Vulnerability," a different vulnerability than CVE-2009-1535.

Exploits (2)

exploitdb WORKING POC VERIFIED
by ka0x · perl · remote · windows
https://www.exploit-db.com/exploits/8806

This Perl script exploits CVE-2009-1535, a WebDAV authentication bypass vulnerability in Microsoft IIS 6.0, by sending crafted HTTP requests with Unicode-encoded paths to bypass authentication and perform file operations.

Classification: Working PoC 100%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Microsoft IIS 6.0
No auth needed
Prerequisites: Network access to the target IIS server · WebDAV enabled on the target server
devstral-2 · analyzed Feb 18, 2026

metasploit WORKING POC
by et, aushack · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/ms09_020_webdav_unicode_bypass.rb

This Metasploit module exploits CVE-2009-1122, an authentication bypass vulnerability in IIS6 WebDAV via Unicode encoding manipulation. It sends a crafted PROPFIND request with overlong UTF-8 encoded characters to bypass authentication on protected folders.

Classification: Working PoC 100%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Microsoft IIS 6.0 with WebDAV enabled
No auth needed
Prerequisites: WebDAV enabled on IIS6 · Protected folder requiring authentication
devstral-2 · analyzed Jun 05, 2026

References (7)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1022358
Patch, Vendor Advisory vendor-advisory x_refsource_ms
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-020
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/35232
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA09-160A.html
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2009/1539
Third Party Advisory mailing-list x_refsource_vim
http://www.attrition.org/pipermail/vim/2009-June/002192.html

Scores

EPSS 0.9845
EPSS Percentile 99.9%

Details

CWE: CWE-287
Status: published
Products (1): microsoft/internet_information_services 5.0
Published: Jun 10, 2009
Tracked Since: Feb 18, 2026