CVE-2009-4445

CVE-2009-4445 is a medium-severity vulnerability in Microsoft Internet Information Services with a CVSS 2.0 base score of 6.0. Its EPSS exploit-prediction score of 13% places it in the 96th percentile, indicating an elevated likelihood of exploitation. The underlying weakness is classified as CWE-20.

Key facts

Description

Microsoft Internet Information Services (IIS), when used in conjunction with unspecified third-party upload applications, allows remote attackers to create empty files with arbitrary extensions via a filename containing an initial extension followed by a : (colon) and a safe extension, as demonstrated by an upload of a .asp:.jpg file that results in creation of an empty .asp file, related to support for the NTFS Alternate Data Streams (ADS) filename syntax. NOTE: it could be argued that this is a vulnerability in the third-party product, not IIS, because the third-party product should be applying its extension restrictions to the portion of the filename before the colon.

Frequently asked questions

What is CVE-2009-4445?
Microsoft Internet Information Services (IIS), when used in conjunction with unspecified third-party upload applications, allows remote attackers to create empty files with arbitrary extensions via a filename containing an initial extension followed by a : (colon) and a safe extension, as demonstrated by an upload of a .asp:.jpg file that results in creation of an empty .asp file, related to support for the NTFS Alternate Data Streams (ADS) filename syntax. NOTE: it could be argued that this is a vulnerability in the third-party product, not IIS, because the third-party product should be applying its extension restrictions to the portion of the filename before the colon.
How severe is CVE-2009-4445?
CVE-2009-4445 has a CVSS 2.0 base score of 6.0, rated medium severity.
Is CVE-2009-4445 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 13% (96th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2009-4445?
CVE-2009-4445 affects Microsoft Internet Information Services. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2009-4445?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
When was CVE-2009-4445 published?
CVE-2009-4445 was published on 2009-12-29 and last updated on 2026-06-16.

References

Affected products (1)

More vulnerabilities in Microsoft Internet Information Services

All CVEs affecting Microsoft Internet Information Services →

Other CWE-20 (Improper Input Validation) vulnerabilities

Browse all CWE-20 (Improper Input Validation) vulnerabilities →

Threat intelligence

Threat-intel indicators referencing this CVE: