CVE-2009-1535

Internet Information Services 5.1 and 6.0 - Authentication Bypass via Unicode %c0%af URI Obfuscation

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 4 public exploits for CVE-2009-1535. PoCs published by aushack, et, aushack, including Metasploit module auxiliary/scanner/http/dir_webdav_unicode_bypass.

AI-analyzed exploit summary This Perl script exploits CVE-2009-1535, a WebDAV authentication bypass vulnerability in Microsoft IIS 6.0. It uses a Unicode encoding trick (%c0%af) to bypass authentication and allows file retrieval, directory listing, and file upload via crafted HTTP requests.

Description

The WebDAV extension in Microsoft Internet Information Services (IIS) 5.1 and 6.0 allows remote attackers to bypass URI-based protection mechanisms, and list folders or read, create, or modify files, via a %c0%af (Unicode / character) at an arbitrary position in the URI, as demonstrated by inserting %c0%af into a "/protected/" initial pathname component to bypass the password protection on the protected\ folder, aka "IIS 5.1 and 6.0 WebDAV Authentication Bypass Vulnerability," a different vulnerability than CVE-2009-1122.

Exploits (4)

exploitdb WORKING POC
perlremotewindows
https://www.exploit-db.com/exploits/8806

This Perl script exploits CVE-2009-1535, a WebDAV authentication bypass vulnerability in Microsoft IIS 6.0. It uses a Unicode encoding trick (%c0%af) to bypass authentication and allows file retrieval, directory listing, and file upload via crafted HTTP requests.

Classification
Working Poc 100%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Microsoft IIS 6.0
No auth needed
Prerequisites: Network access to the target IIS server · WebDAV enabled on the target server
devstral-2 · analyzed Feb 19, 2026 Full analysis →
exploitdb WRITEUP
remotewindows
https://www.exploit-db.com/exploits/8704

This is a detailed technical writeup describing a Unicode-based authentication bypass vulnerability in Microsoft IIS 6.0 WebDAV. The vulnerability allows attackers to bypass password protection by injecting Unicode characters into the URI, enabling unauthorized file access and directory listing.

Classification
Writeup 100%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Microsoft IIS 6.0
No auth needed
Prerequisites: WebDAV enabled on IIS 6.0 · Password-protected directory or file
devstral-2 · analyzed Feb 19, 2026 Full analysis →
metasploit SCANNER
by aushack · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/dir_webdav_unicode_bypass.rb

This Metasploit module scans for directories on IIS6 servers with WebDAV enabled, attempting to bypass authentication using a Unicode vulnerability (CVE-2009-1122). It sends PROPFIND requests with malformed Unicode paths to detect vulnerable endpoints.

Classification
Scanner 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Microsoft IIS 6.0 with WebDAV enabled
No auth needed
Prerequisites: WebDAV enabled on IIS6 · Protected directory requiring authentication
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC
by et, aushack · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/ms09_020_webdav_unicode_bypass.rb

This Metasploit module exploits a Unicode authentication bypass vulnerability in IIS6 WebDAV (CVE-2009-1535). It sends a crafted PROPFIND request with an overlong Unicode-encoded path to bypass authentication on protected folders.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Microsoft IIS 6.0 with WebDAV enabled
No auth needed
Prerequisites: WebDAV enabled on IIS6 · Protected folder requiring authentication
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (11)

Core 11
Core References
Patch, Vendor Advisory vendor-advisory x_refsource_ms
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-020
Third Party Advisory x_refsource_misc
http://isc.sans.org/diary.html?n&storyid=6397
Broken Link mailing-list x_refsource_fulldisc
http://archives.neohapsis.com/archives/fulldisclosure/2009-05/0135.html
Broken Link mailing-list x_refsource_fulldisc
http://archives.neohapsis.com/archives/fulldisclosure/2009-05/0139.html
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA09-160A.html
Broken Link mailing-list x_refsource_fulldisc
http://archives.neohapsis.com/archives/fulldisclosure/2009-05/0144.html
Third Party Advisory mailing-list x_refsource_vim
http://www.attrition.org/pipermail/vim/2009-June/002192.html

Scores

EPSS 0.9183
EPSS Percentile 99.7%

Details

CWE
CWE-287
Status published
Products (2)
microsoft/internet_information_services 5.1
microsoft/internet_information_services 6.0
Published Jun 10, 2009
Tracked Since Feb 18, 2026