CVE-2009-1536

EXPLOITED

Microsoft .NET Framework 2.0 SP1/SP2 and 3.5 Gold/SP1 - Unauthenticated Denial of Service via Crafted HTTP Requests

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2009-1536 has been observed exploited in the wild (reported by VulnCheck KEV).

Description

ASP.NET in Microsoft .NET Framework 2.0 SP1 and SP2 and 3.5 Gold and SP1, when ASP 2.0 is used in integrated mode on IIS 7.0, does not properly manage request scheduling, which allows remote attackers to cause a denial of service (daemon outage) via a series of crafted HTTP requests, aka "Remote Unauthenticated Denial of Service in ASP.NET Vulnerability."

References (9)

Core 9
Core References
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA09-223A.html
Permissions Required, Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2009/2231
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/36127
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1022715
Broken Link vdb-entry x_refsource_osvdb
http://osvdb.org/56905
Patch, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/35985

Scores

EPSS 0.5132
EPSS Percentile 98.8%

Details

VulnCheck KEV 2009-08-13
CWE
CWE-20
Status published
Products (4)
microsoft/.net_framework 2.0 sp1 (2 CPE variants)
microsoft/.net_framework 3.5 (2 CPE variants)
microsoft/windows_server_2008
microsoft/windows_vista (2 CPE variants)
Published Aug 12, 2009
Tracked Since Feb 18, 2026