Skip to main content

CVE-2009-2521

5.0
CVSS v2.0 Base Score
60.77%
MEDIUM RiskEPSS (98th percentile)
CWE-400

Stack consumption vulnerability in the FTP Service in Microsoft Internet Information Services (IIS) 5.0 through 7.0 allows remote authenticated users to cause a denial of service (daemon crash) via a list (ls) -R command containing a wildcard that references a subdirectory, followed by a .. (dot dot), aka "IIS FTP Service DoS Vulnerability."

Published: 9/4/2009
Modified: 4/23/2026
Back to CVE Lookup

Vulnerability Summary

CVSS v2 Score

5

AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS Score (Exploitation Probability)

60.77%MEDIUM Exploitation Risk
98th percentile

This vulnerability has a 60.77% probability of being exploited in the next 30 days, ranking higher than 98% of all scored CVEs.

CWE Classification

CWE-400

Related Vulnerabilities

Same Weakness Type(CWE-400)

CVE-2026-45498MEDIUM 4

Microsoft Defender Denial of Service Vulnerability

5/20/2026
CVE-2025-68272HIGH 7.5

Signal K Server is a server application that runs on a central hub in a boat. A Denial of Service (DoS) vulnerability in versions prior to 2.19.0 allows an unauthenticated attacker to crash the SignalK Server by flooding the access request endpoint (`/signalk/v1/access/requests`). This causes a "JavaScript heap out of memory" error due to unbounded in-memory storage of request objects. Version 2.19.0 fixes the issue.

1/1/2026
CVE-2025-13836HIGH 7.5

When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS.

12/1/2025
CVE-2024-8892MEDIUM 5.3

Vulnerability in CIRCUTOR TCP2RS+ firmware version 1.3b, which could allow an attacker to modify any configuration value, even if the device has the user/password authentication option enabled, without authentication by sending packets through the UDP protocol and port 2000, deconfiguring the device and thus disabling its use. This equipment is at the end of its useful life cycle.

9/18/2024
CVE-2024-6036CRITICAL 9.1

A vulnerability in gaizhenbiao/chuanhuchatgpt version 20240410 allows any user to restart the server at will by sending a specific request to the `/queue/join?` endpoint with `"fn_index":66`. This unrestricted server restart capability can severely disrupt service availability, cause data loss or corruption, and potentially compromise system integrity.

7/10/2024

Learn More

CVSS Calculator

Calculate and understand CVSS scores

Understanding CVSS Scoring

Learn how severity scores are calculated and what they mean

CVE Prioritization Guide

Best practices for deciding which vulnerabilities to address first

What is a CVE?

Essential guide to Common Vulnerabilities and Exposures