CVE-2017-7269

CRITICAL KEV NUCLEI

Internet Information Services 6.0 - Remote Code Execution via WebDAV PROPFIND Request

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2017-7269 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021. EIP tracks 28 public exploits from researchers including Metasploit, Zhiniang Peng & Chen Wu, zcgonvh, including a Metasploit module exploits/windows/iis/iis_webdav_scstoragepathfromurl. A Nuclei detection template is also available.

AI-analyzed exploit summary This Metasploit module exploits a buffer overflow in the ScStoragePathFromUrl function in IIS 6.0 WebDAV service via a crafted PROPFIND request with a long 'If' header. It achieves remote code execution by leveraging a brute-force approach to determine the correct path length for the overflow.

Description

Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0 in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header beginning with "If: <http://" in a PROPFIND request, as exploited in the wild in July or August 2016.

Exploits (28)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotewindows
https://www.exploit-db.com/exploits/41992

This Metasploit module exploits a buffer overflow in the ScStoragePathFromUrl function in IIS 6.0 WebDAV service via a crafted PROPFIND request with a long 'If' header. It achieves remote code execution by leveraging a brute-force approach to determine the correct path length for the overflow.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft IIS 6.0 on Windows Server 2003 R2
No auth needed
Prerequisites: Target must be running IIS 6.0 with WebDAV enabled · Network access to the target server
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC
by Zhiniang Peng & Chen Wu · pythonremotewindows
https://www.exploit-db.com/exploits/41738

This exploit targets a buffer overflow vulnerability in the ScStoragePathFromUrl function in IIS 6.0 on Windows Server 2003 R2. It crafts a malicious PROPFIND request with an overly long header to trigger the overflow and execute arbitrary code via a ROP chain and shellcode.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Internet Information Services (IIS) 6.0 on Windows Server 2003 R2
No auth needed
Prerequisites: Network access to the target IIS server · IIS 6.0 running on Windows Server 2003 R2
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 135 stars
by zcgonvh · remote
https://github.com/zcgonvh/cve-2017-7269

This is a Metasploit module for CVE-2017-7269, a buffer overflow in Microsoft IIS 6.0 WebDAV service. It includes fixes for physical path length and host binding issues, enabling reliable exploitation for remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft IIS 6.0 on Windows Server 2003 R2
No auth needed
Prerequisites: Target running IIS 6.0 with WebDAV enabled · Network access to the target server
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec STUB 92 stars
by g0rx · remote
https://github.com/g0rx/iis6-exploit-2017-CVE-2017-7269

The repository contains only a README.md file with minimal information about CVE-2017-7269, an IIS 6.0 exploit, but no actual exploit code or technical details.

Classification
Stub 10%
Attack Type
Other
Complexity
Theoretical
Reliability
Theoretical
Target: Microsoft IIS 6.0
No auth needed
Prerequisites: none provided
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 89 stars
by lcatro · remote
https://github.com/lcatro/CVE-2017-7269-Echo-PoC

This PoC exploits CVE-2017-7269, a buffer overflow vulnerability in Microsoft IIS 6.0, to achieve remote code execution. It sends a maliciously crafted PROPFIND request with embedded shellcode to trigger the vulnerability and verify successful exploitation via a response check.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft IIS 6.0
No auth needed
Prerequisites: Network access to the target IIS server · IIS 6.0 running on the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 88 stars
by zcgonvh · remote
https://github.com/zcgonvh/cve-2017-7269-tool

This is a functional exploit for CVE-2017-7269, targeting a buffer overflow in Microsoft IIS WebDAV's ScStoragePathFromUrl function. It supports payload delivery via webshell upload or shellcode execution, with options for testing and process termination.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft IIS 6.0 (WebDAV)
No auth needed
Prerequisites: Network access to vulnerable IIS server · WebDAV enabled on target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 22 stars
by eliuha · remote
https://github.com/eliuha/webdav_exploit

This is a Python-based exploit for CVE-2017-7269, targeting Microsoft IIS 6.0 via a buffer overflow in the WebDAV service. The exploit sends a maliciously crafted PROPFIND request with shellcode to achieve remote code execution.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft IIS 6.0
No auth needed
Prerequisites: Target must be running Microsoft IIS 6.0 with WebDAV enabled · Network access to the target server
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 11 stars
by Al1ex · remote
https://github.com/Al1ex/CVE-2017-7269

This is a Metasploit module for CVE-2017-7269, a buffer overflow in IIS 6.0's WebDAV service. It exploits a vulnerability in the ScStoragePathFromUrl function via a malformed PROPFIND request with a long header starting with 'If: <http://'.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft IIS 6.0 on Windows Server 2003 R2 with WebDAV enabled
No auth needed
Prerequisites: Target must have IIS 6.0 with WebDAV enabled · Network access to the target server
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 5 stars
by h3x0v3rl0rd · poc
https://github.com/h3x0v3rl0rd/CVE-2017-7269

This is a working exploit for CVE-2017-7269, a buffer overflow vulnerability in Microsoft IIS 6.0. The exploit sends a malicious PROPFIND request to trigger the vulnerability and execute a reverse shell payload.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft IIS 6.0
No auth needed
Prerequisites: Target must be running Microsoft IIS 6.0 · WebDAV must be enabled on the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 5 stars
by slimpagey · remote
https://github.com/slimpagey/IIS_6.0_WebDAV_Ruby

This is a Ruby exploit for CVE-2017-7269, targeting a buffer overflow in IIS 6.0 WebDAV via the ScStoragePathFromUrl function. It includes multiple payloads for RCE, such as launching calc.exe, BSOD, message box, command execution, and adding a local admin account.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft IIS 6.0
No auth needed
Prerequisites: Target must be running IIS 6.0 with WebDAV enabled · Network access to the target server
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 4 stars
by geniuszly · remote
https://github.com/geniuszly/CVE-2017-7269

This is a Python-based exploit for CVE-2017-7269, targeting a buffer overflow vulnerability in Microsoft IIS WebDAV. It generates a reverse shell shellcode and sends it to the target to achieve remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft IIS 6.0 (WebDAV)
No auth needed
Prerequisites: Target IP and port · Attacker-controlled reverse shell IP and port
devstral-2 · analyzed Feb 16, 2026 Full analysis →
github WORKING POC 2 stars
by BasyacatX · pythonpoc
https://github.com/BasyacatX/CVE-2024-32002-PoC_Chinese/tree/main/CVE-2017-7269_PoC.py

This is a functional exploit for CVE-2017-7269, a buffer overflow in the ScStoragePathFromUrl function in IIS 6.0 on Windows Server 2003 R2. The PoC sends a crafted PROPFIND request with a long header to trigger remote code execution, launching calc.exe via a ROP chain.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Internet Information Services (IIS) 6.0 on Windows Server 2003 R2
No auth needed
Prerequisites: Network access to the target IIS server · IIS 6.0 with WebDAV enabled
devstral-2 · analyzed Feb 27, 2026 Full analysis →
nomisec WORKING POC 1 stars
by nika0x38 · remote
https://github.com/nika0x38/CVE-2017-7269

This is a Rust implementation of a PoC for CVE-2017-7269, a stack-based buffer overflow in IIS 6.0 WebDAV. It exploits the vulnerability via a crafted PROPFIND request with an overly long If: header to achieve remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Internet Information Services (IIS) 6.0
No auth needed
Prerequisites: Target running IIS 6.0 with WebDAV enabled · Network access to the target server
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec SCANNER 1 stars
by Cappricio-Securities · poc
https://github.com/Cappricio-Securities/CVE-2017-7269

This repository contains a Python-based scanner for detecting CVE-2017-7269, a buffer overflow vulnerability in Microsoft IIS 6.0. The tool checks for vulnerable endpoints via HTTP OPTIONS requests and supports Telegram notifications for detected vulnerabilities.

Classification
Scanner 90%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Microsoft IIS 6.0
No auth needed
Prerequisites: Network access to the target IIS server · Python 3 environment
devstral-2 · analyzed Feb 16, 2026 Full analysis →
github WORKING POC 1 stars
by vaishakhcv · perlpoc
https://github.com/vaishakhcv/CVE-exploits/tree/master/CVE-2017-7269

This repository contains a functional Perl exploit for CVE-2017-7269, a buffer overflow vulnerability in the ScStoragePathFromUrl function in IIS 6.0 WebDAV service. The exploit sends a crafted PROPFIND request with a long 'If' header to trigger remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft IIS 6.0 on Windows Server 2003 R2
No auth needed
Prerequisites: Target running IIS 6.0 with WebDAV enabled · Network access to the target server
devstral-2 · analyzed Feb 27, 2026 Full analysis →
nomisec WORKING POC 1 stars
by caicai1355 · remote
https://github.com/caicai1355/CVE-2017-7269-exploit

This exploit targets CVE-2017-7269, a buffer overflow vulnerability in Microsoft IIS 6.0. It crafts a malicious PROPFIND request with a shellcode payload to achieve remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft IIS 6.0
No auth needed
Prerequisites: Network access to the target IIS server · IIS 6.0 with WebDAV enabled
devstral-2 · analyzed Feb 16, 2026 Full analysis →
gitlab WORKING POC
by yashfren · poc
https://gitlab.com/yashfren/iis6-exploit-2017-CVE-2017-7269

This repository contains a functional exploit for CVE-2017-7269, a buffer overflow vulnerability in Microsoft IIS 6.0. The exploit sends a crafted PROPFIND request with shellcode to achieve remote code execution, specifically a reverse shell.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft IIS 6.0
No auth needed
Prerequisites: Target running Microsoft IIS 6.0 · Network access to the target
devstral-2 · analyzed Jun 08, 2026 Full analysis →
nomisec WORKING POC
by Killian0713 · poc
https://github.com/Killian0713/Assignement_3-CVE-2017-7269

This repository contains a proof-of-concept exploit for CVE-2017-7269, a buffer overflow vulnerability in Microsoft Windows Server 2003 R2's WebDAV service. The exploit targets the ScStoragePathFromUrl function via a maliciously crafted PROPFIND request with a long header.

Classification
Working Poc 80%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Windows Server 2003 R2 with IIS 6.0 and WebDAV enabled
No auth needed
Prerequisites: Windows Server 2003 R2 with IIS 6.0 and WebDAV enabled · Network access to the target server
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by VanishedPeople · remote
https://github.com/VanishedPeople/CVE-2017-7269

This is a Python exploit for CVE-2017-7269, a buffer overflow vulnerability in the ScStoragePathFromUrl function in IIS 6.0 on Windows Server 2003 R2. It sends a malicious HTTP request to trigger the overflow and execute shellcode for a reverse shell.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Internet Information Services (IIS) 6.0 on Windows Server 2003 R2
No auth needed
Prerequisites: Target must be running IIS 6.0 on Windows Server 2003 R2 · WebDAV service must be enabled
devstral-2 · analyzed Feb 16, 2026 Full analysis →
github WORKING POC
by winterwolf32 · perlpoc
https://github.com/winterwolf32/CVE_Exploits-/tree/master/CVE-2017-7269

This repository contains a functional Perl exploit for CVE-2017-7269, a buffer overflow vulnerability in the ScStoragePathFromUrl function in IIS 6.0 WebDAV service. The exploit sends a crafted PROPFIND request with a long 'If' header to trigger remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft IIS 6.0 on Windows Server 2003 R2
No auth needed
Prerequisites: Target running IIS 6.0 with WebDAV enabled · Network access to the target server
devstral-2 · analyzed Feb 27, 2026 Full analysis →
nomisec WRITEUP
by homjxi0e · poc
https://github.com/homjxi0e/cve-2017-7269

The repository contains a README describing CVE-2017-7269, a buffer overflow vulnerability in IIS 6.0 on Windows Server 2003 R2. The vulnerability allows remote code execution via a malformed PROPFIND request with a long 'If: <http://' header.

Classification
Writeup 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Internet Information Services (IIS) 6.0 on Windows Server 2003 R2
No auth needed
Prerequisites: Network access to vulnerable IIS 6.0 server · Ability to send crafted HTTP PROPFIND requests
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec SCANNER
by ThanHuuTuan · remote
https://github.com/ThanHuuTuan/CVE-2017-7269

This is a scanner for CVE-2017-7269, a buffer overflow vulnerability in Microsoft IIS 6.0. It checks for the presence of the vulnerability by sending PROPFIND requests and analyzing the response status code (207 indicates vulnerability).

Classification
Scanner 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Microsoft IIS 6.0
No auth needed
Prerequisites: Network access to the target server · Port 80 or 443 open on the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC MANUAL
by Zhiniang Peng, Chen Wu, Dominic Chell <[email protected]>, firefart, zcgonvh <[email protected]>, Rich Whitcroft, Lincoln · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/iis/iis_webdav_scstoragepathfromurl.rb

This Metasploit module exploits a buffer overflow in the ScStoragePathFromUrl function in IIS 6.0 WebDAV service via a malformed PROPFIND request with a long 'If' header. It includes a ROP chain to bypass DEP and achieve remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Microsoft IIS 6.0 on Windows Server 2003 R2 SP2
No auth needed
Prerequisites: WebDAV enabled on target IIS server · Network access to target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
patchapalooza WORKING POC
by liuziyann · poc
https://gitee.com/liuziyann/CVE-2017-7269

This repository contains a functional Metasploit module for CVE-2017-7269, a buffer overflow vulnerability in the ScStoragePathFromUrl function in IIS 6.0 WebDAV service. The exploit sends a crafted PROPFIND request with a long header to trigger arbitrary code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft IIS 6.0 on Windows Server 2003 R2 with WebDAV enabled
No auth needed
Prerequisites: IIS 6.0 with WebDAV enabled · Network access to the target server
devstral-2 · analyzed Feb 23, 2026 Full analysis →
patchapalooza WORKING POC
by n3rdh4x0r · remote
https://github.com/n3rdh4x0r/CVE-2017-7269

This repository contains a functional exploit for CVE-2017-7269, a buffer overflow vulnerability in Microsoft IIS 6.0. The exploit includes shellcode to establish a reverse shell connection to an attacker-controlled system.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft IIS 6.0
No auth needed
Prerequisites: Target system running Microsoft IIS 6.0 · Network connectivity to the target · Attacker-controlled system to receive the reverse shell
devstral-2 · analyzed Feb 23, 2026 Full analysis →
patchapalooza WORKING POC
by kiang70 · poc
https://gitee.com/kiang70/CVE-2017-7269-Echo-PoC

This repository contains a functional exploit for CVE-2017-7269, a buffer overflow vulnerability in Microsoft IIS 6.0. The PoC sends a crafted PROPFIND request with a malicious If header containing shellcode to achieve remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft IIS 6.0
No auth needed
Prerequisites: Network access to vulnerable IIS server · IIS 6.0 with WebDAV enabled
devstral-2 · analyzed Feb 23, 2026 Full analysis →

Nuclei Templates (1)

Windows Server 2003 & IIS 6.0 - Remote Code Execution
CRITICALby thomas_from_offensity,geeknik
Shodan: cpe:"cpe:2.3:a:microsoft:internet_information_server"

References (11)

Core 11
Core References
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/41992/
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/97127
Issue Tracking, Patch x_refsource_misc
https://github.com/rapid7/metasploit-framework/pull/8162
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1038168
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/41738/
Exploit, Third Party Advisory x_refsource_misc
https://0patch.blogspot.com/2017/03/0patching-immortal-cve-2017-7269.html
Broken Link, Third Party Advisory x_refsource_misc
https://github.com/edwardz246003/IIS_exploit

Scores

CVSS v3 9.8
EPSS 0.9441
EPSS Percentile 100.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2021-11-03
VulnCheck KEV 2017-03-27
InTheWild.io 2019-07-03
ENISA EUVD EUVD-2017-16299
CWE
CWE-120
Status published
Products (1)
microsoft/internet_information_services 6.0
Published Mar 27, 2017
KEV Added Nov 03, 2021
Tracked Since Feb 18, 2026