CVE-2009-2503
CVE-2009-2503 is a critical-severity vulnerability in Microsoft Windows 2003 Server with a CVSS 2.0 base score of 9.3. Its EPSS exploit-prediction score of 22% places it in the 97th percentile, indicating an elevated likelihood of exploitation. The underlying weakness is classified as CWE-94.
Key facts
- Severity: Critical (CVSS 2.0 base score 9.3)
- EPSS exploit prediction: 22% (97th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-94
- Affected product: Microsoft Windows 2003 Server
- Published:
- Last modified:
Description
GDI+ in Microsoft Internet Explorer 6 SP1, Windows XP SP2 and SP3, Windows Server 2003 SP2, Office XP SP3, Office 2003 SP3, 2007 Microsoft Office System SP1 and SP2, Office Project 2002 SP1, Visio 2002 SP2, Office Word Viewer, Word Viewer 2003 Gold and SP3, Office Excel Viewer 2003 Gold and SP3, Office Excel Viewer, Office PowerPoint Viewer 2007 Gold, SP1, and SP2, Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2, Expression Web, Expression Web 2, Groove 2007 Gold and SP1, Works 8.5, SQL Server 2000 Reporting Services SP2, SQL Server 2005 SP2 and SP3, Report Viewer 2005 SP1, Report Viewer 2008 Gold and SP1, and Forefront Client Security 1.0 does not properly allocate an unspecified buffer, which allows remote attackers to execute arbitrary code via a crafted TIFF image file that triggers memory corruption, aka "GDI+ TIFF Memory Corruption Vulnerability."
Frequently asked questions
- What is CVE-2009-2503?
- GDI+ in Microsoft Internet Explorer 6 SP1, Windows XP SP2 and SP3, Windows Server 2003 SP2, Office XP SP3, Office 2003 SP3, 2007 Microsoft Office System SP1 and SP2, Office Project 2002 SP1, Visio 2002 SP2, Office Word Viewer, Word Viewer 2003 Gold and SP3, Office Excel Viewer 2003 Gold and SP3, Office Excel Viewer, Office PowerPoint Viewer 2007 Gold, SP1, and SP2, Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2, Expression Web, Expression Web 2, Groove 2007 Gold and SP1, Works 8.5, SQL Server 2000 Reporting Services SP2, SQL Server 2005 SP2 and SP3, Report Viewer 2005 SP1, Report Viewer 2008 Gold and SP1, and Forefront Client Security 1.0 does not properly allocate an unspecified buffer, which allows remote attackers to execute arbitrary code via a crafted TIFF image file that triggers memory corruption, aka "GDI+ TIFF Memory Corruption Vulnerability."
- How severe is CVE-2009-2503?
- CVE-2009-2503 has a CVSS 2.0 base score of 9.3, rated critical severity.
- Is CVE-2009-2503 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 22% (97th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2009-2503?
- CVE-2009-2503 primarily affects Microsoft Windows 2003 Server. In total, 56 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2009-2503?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
- When was CVE-2009-2503 published?
- CVE-2009-2503 was published on 2009-10-14 and last updated on 2026-06-16.
References
- http://www.us-cert.gov/cas/techalerts/TA09-286A.html
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-062
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6491
Affected products (56)
- cpe:2.3:o:microsoft:windows_2003_server:*:sp2:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_2003_server:*:sp2:itanium:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_2003_server:*:sp2:x64:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2008:*:*:itanium:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2008:*:*:x32:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2008:*:*:x64:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_vista:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_vista:*:*:x64:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_vista:*:sp1:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_xp:*:sp2:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_xp:*:sp2:professional_x64:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_xp:*:sp3:*:*:*:*:*:*
- cpe:2.3:a:microsoft:.net_framework:1.1:sp1:*:*:*:*:*:*
- cpe:2.3:a:microsoft:.net_framework:2.0:sp1:*:*:*:*:*:*
- cpe:2.3:a:microsoft:.net_framework:2.0:sp2:*:*:*:*:*:*
- cpe:2.3:a:microsoft:internet_explorer:6:sp1:*:*:*:*:*:*
- cpe:2.3:a:microsoft:report_viewer:2005:sp1:redistributable_package:*:*:*:*:*
- cpe:2.3:a:microsoft:report_viewer:2008:*:redistributable_package:*:*:*:*:*
- cpe:2.3:a:microsoft:report_viewer:2008:sp1:redistributable_package:*:*:*:*:*
- cpe:2.3:a:microsoft:sql_server:2005:sp2:*:*:*:*:*:*
- cpe:2.3:a:microsoft:sql_server:2005:sp2:itanium:*:*:*:*:*
- cpe:2.3:a:microsoft:sql_server:2005:sp2:x64:*:*:*:*:*
- cpe:2.3:a:microsoft:sql_server:2005:sp3:*:*:*:*:*:*
- cpe:2.3:a:microsoft:sql_server:2005:sp3:itanium:*:*:*:*:*
- cpe:2.3:a:microsoft:sql_server:2005:sp3:x64:*:*:*:*:*
- cpe:2.3:a:microsoft:sql_server_reporting_services:2000:sp2:*:*:*:*:*:*
- cpe:2.3:a:microsoft:excel_viewer:2003:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:excel_viewer:2003:sp3:*:*:*:*:*:*
- cpe:2.3:a:microsoft:expression_web:*:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:expression_web:2:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:office:2003:sp3:*:*:*:*:*:*
- cpe:2.3:a:microsoft:office:2007:sp1:*:*:*:*:*:*
- cpe:2.3:a:microsoft:office:2007:sp2:*:*:*:*:*:*
- cpe:2.3:a:microsoft:office:xp:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:office_compatibility_pack:2007:sp1:*:*:*:*:*:*
- cpe:2.3:a:microsoft:office_compatibility_pack:2007:sp2:*:*:*:*:*:*
- cpe:2.3:a:microsoft:office_excel_viewer:*:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:office_groove:2007:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:office_groove:2007:sp1:*:*:*:*:*:*
- cpe:2.3:a:microsoft:office_powerpoint_viewer:*:*:*:*:*:*:*:*
More vulnerabilities in Microsoft Windows 2003 Server
- CVE-2011-1868 — Critical (CVSS 10.0): The Distributed File System (DFS) implementation in Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 does not…
- CVE-2011-1268 — Critical (CVSS 10.0): The SMB client in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server…
- CVE-2011-0661 — Critical (CVSS 10.0): The SMB Server service in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows…
- CVE-2011-0654 — Critical (CVSS 10.0): Integer underflow in the BowserWriteErrorLogEntry function in the Common Internet File System (CIFS) browser service in…
- CVE-2010-2550 — Critical (CVSS 10.0): The SMB Server in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server…
- CVE-2010-0476 — Critical (CVSS 10.0): The SMB client in Microsoft Windows Server 2003 SP2, Vista Gold, SP1, and SP2, and Windows Server 2008 Gold and SP2…
All CVEs affecting Microsoft Windows 2003 Server →
Other CWE-94 (Code Injection) vulnerabilities
- CVE-2026-57624 — Critical (CVSS 10.0): Unauthenticated Remote Code Execution (RCE) in Blocksy Companion Pro <= 2.1.46 versions.
- CVE-2026-10134 — Critical (CVSS 10.0): IBM Langflow OSS 1.0.0 through 1.9.3 allows an attacker to read every secret available to the Langflow process, read…
- CVE-2026-53576 — Critical (CVSS 10.0): Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the authentication filter…
- CVE-2026-10561 — Critical (CVSS 10.0): IBM Langflow OSS 1.0.0 through 1.9.3 has an vulnerability due to an improper isolation of Python execution combined…
- CVE-2026-25470 — Critical (CVSS 10.0): Improper Control of Generation of Code ('Code Injection') vulnerability in ACPT ACPT (Pro) - Custom Post Types Plugin…
- CVE-2026-48836 — Critical (CVSS 10.0): Unauthenticated Remote Code Execution (RCE) in Easy Invoice <= 2.1.19 versions.