Critical severity9.8CISA KEVNVD Advisory· Published Mar 27, 2017· Updated Apr 21, 2026

CVE-2017-7269

Description

Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0 in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header beginning with "If: <http://" in a PROPFIND request, as exploited in the wild in July or August 2016.

Affected products

Microsoft/Internet Information Services
cpe:2.3:a:microsoft:internet_information_services:6.0:*:*:*:*:*:*:*

Patches

936a024ff14a

https://github.com/rapid7/metasploit-frameworkvia nvd-ref

PR #8162

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/rapid7/metasploit-framework/pull/8162nvdIssue TrackingPatch
support.microsoft.com/en-us/help/3197835/description-of-the-security-update-for-windows-xp-and-windows-servernvdBroken LinkPatchVendor Advisory
0patch.blogspot.com/2017/03/0patching-immortal-cve-2017-7269.htmlnvdExploitThird Party Advisory
medium.com/%40iraklis/number-of-internet-facing-vulnerable-iis-6-0-to-cve-2017-7269-8bd153ef5812nvdExploit
www.exploit-db.com/exploits/41738/nvdExploitThird Party AdvisoryVDB Entry
www.exploit-db.com/exploits/41992/nvdExploitThird Party AdvisoryVDB Entry
www.securityfocus.com/bid/97127nvdBroken LinkThird Party AdvisoryVDB Entry
www.securitytracker.com/id/1038168nvdBroken LinkThird Party AdvisoryVDB Entry
www.cisa.gov/known-exploited-vulnerabilities-catalognvdUS Government Resource

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.076
exploit	0.030
kev	0.120
patch	-0.070
ransomware	0.000