CVE-2009-1535
Microsoft Internet Information Services - Authentication Bypass
Title source: ruleDescription
The WebDAV extension in Microsoft Internet Information Services (IIS) 5.1 and 6.0 allows remote attackers to bypass URI-based protection mechanisms, and list folders or read, create, or modify files, via a %c0%af (Unicode / character) at an arbitrary position in the URI, as demonstrated by inserting %c0%af into a "/protected/" initial pathname component to bypass the password protection on the protected\ folder, aka "IIS 5.1 and 6.0 WebDAV Authentication Bypass Vulnerability," a different vulnerability than CVE-2009-1122.
Exploits (4)
metasploit
SCANNER
by aushack · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/dir_webdav_unicode_bypass.rb
metasploit
WORKING POC
by et, aushack · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/ms09_020_webdav_unicode_bypass.rb
References (11)
Scores
EPSS
0.9183
EPSS Percentile
99.7%
Details
CWE
CWE-287
Status
published
Products (2)
microsoft/internet_information_services
5.1
microsoft/internet_information_services
6.0
Published
Jun 10, 2009
Tracked Since
Feb 18, 2026