CVE-2009-2514

Microsoft Windows <2000 SP4 XP SP2-SP3 Server 2003 SP2 - RCE

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2009-2514. PoCs published by H D Moore, including Metasploit module auxiliary/dos/windows/browser/ms09_065_eot_integer.

AI-analyzed exploit summary This exploit targets an integer overflow vulnerability in Microsoft Windows' Embedded OpenType (EOT) font parsing in win32k.sys. It triggers a BSoD by sending a maliciously crafted EOT font file via a web page, exploiting the flaw in the kernel's font parsing logic.

Description

win32k.sys in the kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP2 does not correctly parse font code during construction of a directory-entry table, which allows remote attackers to execute arbitrary code via a crafted Embedded OpenType (EOT) font, aka "Win32k EOT Parsing Vulnerability."

Exploits (2)

exploitdb WORKING POC VERIFIED

by H D Moore · rubydoswindows

https://www.exploit-db.com/exploits/10068

View Code ZIP pw:eip

This exploit targets an integer overflow vulnerability in Microsoft Windows' Embedded OpenType (EOT) font parsing in win32k.sys. It triggers a BSoD by sending a maliciously crafted EOT font file via a web page, exploiting the flaw in the kernel's font parsing logic.

Classification

Working Poc 100%

Attack Type

Dos

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Windows (win32k.sys)

No auth needed

Prerequisites: Victim must visit a malicious web page using Internet Explorer

MITRE ATT&CK

T1499.004 - Application or System Exploitation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC

rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/browser/ms09_065_eot_integer.rb

View Code ZIP pw:eip

This Metasploit module exploits an integer overflow in Microsoft Windows' Embedded OpenType (EOT) font parsing in win32k.sys, triggering a BSoD via a crafted web page served to Internet Explorer.

Classification

Working Poc 100%

Attack Type

Dos

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Windows (win32k.sys) via Internet Explorer

No auth needed

Prerequisites: Target must visit a malicious web page using Internet Explorer

MITRE ATT&CK

T1499.004 - Application or System Exploitation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Vendor Advisory vendor-advisory x_refsource_ms

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-065

US Government Resource third-party-advisory x_refsource_cert

http://www.us-cert.gov/cas/techalerts/TA09-314A.html

Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6406

Scores

EPSS 0.8021

EPSS Percentile 99.1%

Details

CWE

CWE-94

Status published

Products (5)

microsoft/windows_2000

microsoft/windows_2003_server (3 CPE variants)

microsoft/windows_server_2008 (6 CPE variants)

microsoft/windows_vista (4 CPE variants)

microsoft/windows_xp (3 CPE variants)

Published Nov 11, 2009

Tracked Since Feb 18, 2026