What Is Microsoft IIS 6.0 WebDAV?
Microsoft Internet Information Services (IIS) 6.0 shipped with Windows Server 2003 and includes a WebDAV extension (httpext.dll) for enabling WebDAV (Web-based Distributed Authoring and Versioning) — an HTTP protocol extension for file management operations. IIS 6.0 and Windows Server 2003 reached end-of-life in July 2015; no security patches have been issued since EOL. Despite EOL status, many organizations continued running Windows Server 2003 for legacy application compatibility, making CVE-2017-7269 a permanent, unpatched vulnerability for any deployment that still runs IIS 6.0 with WebDAV.
Overview
CVE-2017-7269 is a critical buffer overflow in the IIS 6.0 WebDAV extension (httpext.dll) on Windows Server 2003 R2. The ScStoragePathFromUrl function fails to validate the length of the If: header value in a PROPFIND WebDAV request — a specially crafted header beginning with If: <http:// overflows a fixed-size buffer on the heap, enabling arbitrary code execution as the IIS worker process (typically NETWORK SERVICE or higher). Published in March 2017 by Chinese security researchers Zhiniang Peng and Xiaoyong Wu. No official Microsoft patch exists since Windows Server 2003 is EOL. CISA added CVE-2017-7269 to the KEV catalog in November 2021.
Affected Versions
| Version | Status |
|---|---|
| Windows Server 2003 R2 with IIS 6.0 and WebDAV enabled | Vulnerable — no patch available (EOL) |
| IIS 7.0 and later (Windows Server 2008+) | Not affected |
Technical Details
Root Cause: Buffer Overflow in ScStoragePathFromUrl
CVE-2017-7269 is a classic buffer overflow (CWE-120) in IIS 6.0's WebDAV implementation. The ScStoragePathFromUrl function in httpext.dll processes the If: HTTP header in PROPFIND requests. This function copies the URL value from the header into a fixed-size buffer without checking the length, allowing a heap buffer overflow when the value exceeds the buffer capacity.
Exploit mechanics:
PROPFIND / HTTP/1.1
Host: target
Content-Length: 0
If: <http://localhost/aaaaaaaa...AAAA[shellcode/ROP chain]
The overflow corrupts heap metadata and object pointers, redirecting execution to attacker-controlled code. Public proof-of-concept exploits execute as nt authority\network service or higher depending on IIS configuration.
Attack Characteristics
| Attribute | Detail |
|---|---|
| Attack Vector | Network — HTTP PROPFIND to port 80/443 |
| Authentication | None required |
| Impact | Code execution as IIS process (NETWORK SERVICE or SYSTEM) |
| Status | No official patch — Windows Server 2003 is EOL |
Discovery
Discovered by security researchers Zhiniang Peng and Xiaoyong Wu, who published the vulnerability and proof-of-concept in March 2017. Microsoft did not issue a patch because Windows Server 2003 had been end-of-life since July 2015.
Exploitation Context
- No patch ever issued: Because Windows Server 2003 EOL predates the vulnerability's discovery, Microsoft has not and will not issue a security patch; any remaining Windows Server 2003/IIS 6.0 deployment with WebDAV enabled is permanently exploitable
- Legacy IIS targeting: Many organizations continued running Windows Server 2003 for legacy .NET, COM, and classic ASP applications after EOL; these servers are systematically scanned for vulnerabilities including CVE-2017-7269
- Automated mass exploitation: Public PoC tools enable automated mass scanning for IIS/WebDAV responses followed by automated exploitation; any internet-facing IIS 6.0 server is at immediate risk
- CISA KEV (2021): Added November 3, 2021 as part of the initial KEV catalog launch, reflecting ongoing exploitation of legacy Windows Server 2003 deployments
Remediation
-
Migrate off Windows Server 2003 immediately — no patch exists; the only complete remediation is migrating to a supported Windows Server version (2016, 2019, 2022); this is an emergency priority for any internet-accessible IIS 6.0 server.
-
Disable WebDAV immediately — if immediate migration is not possible, disable WebDAV in IIS Manager to eliminate the specific attack vector for CVE-2017-7269; WebDAV is not required for standard web serving.
-
Remove IIS 6.0 from internet exposure — any remaining Windows Server 2003/IIS 6.0 server must be taken offline or placed behind a strict WAF/proxy that blocks WebDAV PROPFIND requests.
-
Audit for compromise — IIS 6.0 servers exposed to the internet should be treated as compromised until proven otherwise; conduct a full incident response investigation before any migration or decommission.
-
Block WebDAV at perimeter — block HTTP PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK methods at the perimeter firewall as a defense-in-depth control for any remaining IIS deployments.
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2017-7269 |
| Vendor / Product | Microsoft — Internet Information Services (IIS) |
| NVD Published | 2017-03-27 |
| NVD Last Modified | 2025-10-22 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-120 — Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') find similar ↗ |
| CISA KEV Added | 2021-11-03 |
| CISA KEV Deadline | 2022-05-03 |
| Known Ransomware Use | No |
CVSS 3.1 Breakdown
Required Action
Timeline
| Date | Event |
|---|---|
| 2017-03-27 | Researchers Zhiniang Peng and Xiaoyong Wu publish CVE-2017-7269; Windows Server 2003 is EOL (no patch available) |
| 2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-05-03 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2017-7269 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |