CVE-2009-2521

EXPLOITED RANSOMWARE

Microsoft Internet Information Services 5.0-7.0 - Authenticated Denial of Service via FTP List Command

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2009-2521 has been observed exploited in the wild (reported by VulnCheck KEV), including in ransomware campaigns. EIP tracks 3 public exploits from researchers including kingcope, Myo Soe, Kingcope, Myo Soe, including a Metasploit module auxiliary/dos/windows/ftp/iis_list_exhaustion.

AI-analyzed exploit summary This exploit demonstrates a Denial of Service (DoS) vulnerability in Microsoft IIS FTPD versions 5.0 and 6.0. The vulnerability is triggered by sending a malformed 'ls' command with a recursive globbing pattern, causing a stack overflow and crashing the FTP service.

Description

Stack consumption vulnerability in the FTP Service in Microsoft Internet Information Services (IIS) 5.0 through 7.0 allows remote authenticated users to cause a denial of service (daemon crash) via a list (ls) -R command containing a wildcard that references a subdirectory, followed by a .. (dot dot), aka "IIS FTP Service DoS Vulnerability."

Exploits (3)

exploitdb WORKING POC VERIFIED
by kingcope · textdoswindows
https://www.exploit-db.com/exploits/9587

This exploit demonstrates a Denial of Service (DoS) vulnerability in Microsoft IIS FTPD versions 5.0 and 6.0. The vulnerability is triggered by sending a malformed 'ls' command with a recursive globbing pattern, causing a stack overflow and crashing the FTP service.

Classification
Working Poc 90%
Attack Type
Dos
Complexity
Trivial
Reliability
Reliable
Target: Microsoft IIS FTPD 5.0, 6.0
No auth needed
Prerequisites: Anonymous or authenticated user with read access to a directory
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC
by Myo Soe · rubydoswindows
https://www.exploit-db.com/exploits/17476

This exploit triggers a stack exhaustion denial-of-service (DoS) in Microsoft IIS FTP Server versions 5.0 through 7.0 by sending a crafted LIST command with a wildcard. It requires valid FTP credentials and checks for the presence of a directory, creating one if necessary.

Classification
Working Poc 95%
Attack Type
Dos
Complexity
Moderate
Reliability
Reliable
Target: Microsoft IIS FTP Server <= 7.0
Auth required
Prerequisites: Valid FTP credentials · FTP Publishing service configured in manual mode · At least one directory under FTP root or write-access to create one
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC
by Kingcope, Myo Soe · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb

This Metasploit module exploits a stack exhaustion vulnerability in Microsoft IIS FTP Server (5.0-7.0) via a crafted LIST command with wildcards, leading to a Denial of Service (DoS). It requires valid FTP credentials and checks for directory existence, creating one if necessary.

Classification
Working Poc 100%
Attack Type
Dos
Complexity
Moderate
Reliability
Reliable
Target: Microsoft IIS FTP Server 5.0 through 7.0
Auth required
Prerequisites: Valid FTP account (read-only or write-access) · FTP Publishing configured in manual startup mode · At least one directory under FTP root (or write-access to create one)
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5
Core References
Vendor Advisory vendor-advisory x_refsource_mskb
http://support.microsoft.com/default.aspx?scid=kb%3B%5BLN%5D%3BQ975191
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA09-286A.html
Patch, Vendor Advisory vendor-advisory x_refsource_ms
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-053
Broken Link mailing-list x_refsource_fulldisc
http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html

Scores

EPSS 0.6078
EPSS Percentile 98.3%

Details

VulnCheck KEV 2023-02-14
Ransomware Use Confirmed
CWE
CWE-400
Status published
Products (1)
microsoft/internet_information_services 5.0 - 7.0
Published Sep 04, 2009
Tracked Since Feb 18, 2026