CVE-2009-4444

Name: CVE-2009-4444
Creator: NVD / NIST
Published: 2009-12-29T21:00:24.327+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 63.63%

Last modified Jun 16, 2026

CVE-2009-4444 is a vulnerability of currently unknown severity. Microsoft Internet Information Services (IIS) 5.x and 6.x uses only the portion of a filename before a ; (semicolon) character to determine the file extension, which allows remote attackers to bypass intended extension restrictions of third-party upload applications via a filename with a (1) .asp, (2) .cer, or (3) .asa first extension, followed by a semicolon and a safe extension, as demonstrated by the use of asp.dll to handle a .asp;.jpg file.. EPSS estimates a 63.63% chance of exploitation in the next 30 days.

Description

Microsoft Internet Information Services (IIS) 5.x and 6.x uses only the portion of a filename before a ; (semicolon) character to determine the file extension, which allows remote attackers to bypass intended extension restrictions of third-party upload applications via a filename with a (1) .asp, (2) .cer, or (3) .asa first extension, followed by a semicolon and a safe extension, as demonstrated by the use of asp.dll to handle a .asp;.jpg file.

Metrics

EPSS Probability

63.63%

99.1th percentile

Probability of exploitation in the next 30 days. Learn more

Affected Software

Vendor	Product	Versions
Microsoft	Internet Information Services	5.0
Microsoft	Internet Information Services	6.0

References

http://blogs.technet.com/msrc/archive/2009/12/27/new-reports-of-a-vulnerability-in-iis.aspxBroken Link
http://secunia.com/advisories/37831Third Party Advisory
http://securitytracker.com/id?1023387Third Party Advisory, VDB Entry
http://soroush.secproject.com/downloadable/iis-semicolon-report.pdfThird Party Advisory
http://www.securityfocus.com/bid/37460Third Party Advisory, VDB Entry
http://www.vupen.com/english/advisories/2009/3634Third Party Advisory
http://blogs.technet.com/msrc/archive/2009/12/27/new-reports-of-a-vulnerability-in-iis.aspxBroken Link
http://secunia.com/advisories/37831Third Party Advisory
http://securitytracker.com/id?1023387Third Party Advisory, VDB Entry
http://soroush.secproject.com/downloadable/iis-semicolon-report.pdfThird Party Advisory
http://www.securityfocus.com/bid/37460Third Party Advisory, VDB Entry
http://www.vupen.com/english/advisories/2009/3634Third Party Advisory

Timeline

Published: Dec 29, 2009
Last Modified: Jun 16, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2009-4444?

How severe is CVE-2009-4444?

Severity scoring for CVE-2009-4444 is pending analysis. The EPSS model estimates a 63.63% probability of exploitation in the next 30 days.

How do I fix CVE-2009-4444?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2009-4444?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST