DirectShow RCE actively exploited (CVE-2009-1537)
CVE-2009-1537: Actively exploited RCE in Microsoft DirectShow (DirectX 7.0-9.0c) on Windows 2000/XP/2003. CISA KEV confirmed. Install the security update from MS09-011 immediately.
Actively exploited in the wild - CVE-2009-1537 is a critical remote code execution vulnerability in Microsoft DirectShow (DirectX 7.0-9.0c) on Windows 2000 SP4, XP SP2/SP3, and Server 2003 SP2 that lets attackers execute arbitrary code by luring users into opening a specially crafted QuickTime file. This bug was weaponized in real-world attacks as early as May 2009 and remains a top-priority patch target due to continued scanning activity.
Overview
CVE-2009-1537, known as the “DirectX NULL Byte Overwrite Vulnerability,” resides in the QuickTime Movie Parser Filter inside quartz.dll, a core component of DirectShow. The flaw occurs when the parser processes a maliciously crafted QuickTime media file. The null byte overwrite corrupts memory in a way that allows an attacker to hijack control flow and execute arbitrary code with the privileges of the logged-on user.
The attack vector is network-based with low complexity. No authentication is required, but user interaction is necessary - the target must open the malicious file (typically delivered via email, a malicious web page, or a drive-by download). The CVSS 9.3 (Critical) rating reflects the complete compromise of confidentiality, integrity, and availability that follows successful exploitation.
Affected Products
- Microsoft DirectX 7.0 through 9.0c
- Windows 2000 Service Pack 4
- Windows XP Service Pack 2 and Service Pack 3
- Windows Server 2003 Service Pack 2
CISA Known Exploited Vulnerabilities (KEV) Status
CISA has confirmed active exploitation of CVE-2009-1537 in the wild. The EPSS model estimates a 68.1% probability of exploitation within the next 30 days, indicating an extremely high and sustained threat level. Organizations must treat this vulnerability as an active attack vector.
Remediation
Microsoft released security update MS09-011 in April 2009 to address this vulnerability. The update is available through Windows Update, Microsoft Update, and the Microsoft Download Center. Apply the update immediately to all affected systems. For systems that cannot be patched immediately:
- Block QuickTime media file types (.mov, .qt) at email and web gateways
- Restrict user permissions to limit the blast radius of code execution
- Disable the QuickTime Movie Parser Filter via the registry (see Microsoft KB 971778 for details on the kill bit for quartz.dll)
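As an added example (not from the original advisory), a content-based check for the gateway filtering step above: blocking by extension alone is defeated by renaming, so this identifies QuickTime containers by their top-level atom structure (size/type headers, 64-bit extended sizes, and the `qt  ` brand in `ftyp`). The sample inputs are constructed byte strings, not real media files.

```python
import struct

# Atom types that legitimately appear at the top level of a QuickTime container.
TOP_LEVEL_ATOMS = {b"ftyp", b"moov", b"mdat", b"free", b"skip", b"wide", b"pnot"}

def iter_atoms(data: bytes):
    """Yield (type, payload) for each top-level atom; stop at the first malformed size."""
    off = 0
    while off + 8 <= len(data):
        size, kind = struct.unpack(">I4s", data[off:off + 8])
        hdr = 8
        if size == 1:  # 64-bit extended size follows the 4-byte type field
            if off + 16 > len(data):
                return
            size = struct.unpack(">Q", data[off + 8:off + 16])[0]
            hdr = 16
        elif size == 0:  # atom extends to the end of the file
            size = len(data) - off
        if size < hdr or off + size > len(data):
            return  # truncated or bogus length: stop rather than trust it
        yield kind, data[off + hdr:off + size]
        off += size

def is_quicktime(data: bytes) -> bool:
    """True if the bytes look like a QuickTime (.mov/.qt) container, whatever the filename."""
    atoms = list(iter_atoms(data))
    if not atoms or atoms[0][0] not in TOP_LEVEL_ATOMS:
        return False
    first_kind, first_payload = atoms[0]
    if first_kind == b"ftyp":
        # ftyp payload: major brand, minor version, then compatible brands (4 bytes each)
        brands = {first_payload[:4]} | {first_payload[i:i + 4] for i in range(8, len(first_payload), 4)}
        return b"qt  " in brands
    # Older QuickTime files omit ftyp and begin directly with moov/mdat/wide.
    return any(kind == b"moov" for kind, _ in atoms)

def should_block(filename: str, data: bytes) -> bool:
    """Gateway rule: block on extension OR on content so a renamed .mov does not slip through."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in {"mov", "qt"} or is_quicktime(data)

def _atom(kind: bytes, payload: bytes) -> bytes:
    return struct.pack(">I4s", 8 + len(payload), kind) + payload

# Constructed samples (not real media): a minimal QuickTime layout, a legacy layout
# without ftyp, and a bare JPEG SOI/APP0 header padded to 32 bytes.
SAMPLE_QT = _atom(b"ftyp", b"qt  " + b"\x00\x00\x02\x00" + b"qt  ") + _atom(b"wide", b"") + _atom(b"moov", b"")
SAMPLE_LEGACY_QT = _atom(b"mdat", b"\x00" * 4) + _atom(b"moov", b"")
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 28
```

A renamed sample such as `should_block("holiday.jpg", SAMPLE_QT)` is still blocked, while the JPEG header is allowed unless its extension is .mov or .qt.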
Threat Context
This vulnerability was exploited during a wave of targeted attacks in mid-2009, often bundled with other exploits as part of multi-stage watering-hole campaigns. Its continued high EPSS score suggests it remains a component in exploit kits and initial-access broker toolkits, particularly for legacy Windows environments still in use in critical infrastructure.
Security Insight
The longevity of CVE-2009-1537 as an active threat highlights a persistent pattern in targeted operations: attackers will continue to weaponize legacy media-parsing bugs long after vendors ship patches. The assumption that “end-of-life” systems no longer face risk is false - adversaries know that many OT, healthcare, and manufacturing environments still run Windows 2000 or XP on isolated networks and will craft delivery chains (USB drops, phishing with embedded media) to reach them. This underscores the need for asset owners to not merely patch, but to inventory and modernize these long-lived deployments.