Cyber Resilience

CVE-2009-1537

Tags: High · CISA KEV · Active Exploitation · EUVD Exploited · Updated

Published: 29 May 2009
Modified: 21 May 2026
KEV Added: 20 May 2026
Patch: available (see Microsoft Security Advisory 971778 below)
CVSS Score (v3.1): 8.8, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score: 0.5302 (98.0th percentile)
Risk Priority: 69 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2009-1537 is a high-severity Improper Neutralization of Null Byte or NUL Character (CWE-158) vulnerability in Microsoft DirectX. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 2.0% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).

Deeper analysis

The vulnerability is an unspecified issue, also known as the DirectX NULL Byte Overwrite Vulnerability, in the QuickTime Movie Parser Filter in quartz.dll within DirectShow as part of Microsoft DirectX 7.0 through 9.0c. Affected platforms include Windows 2000 SP4, Windows XP SP2 and SP3, and Windows Server 2003 SP2.

Remote attackers can exploit the flaw by supplying a crafted QuickTime media file, which may result in arbitrary code execution. The vulnerability was exploited in the wild in May 2009.

Microsoft Security Advisory 971778 addresses the DirectShow vulnerability, with further technical analysis available from the Microsoft Security Response Center and Security Research and Defense blogs. Additional references from SANS ISC, OSVDB, and Secunia document the issue and its exploitation characteristics.

Vulnerability details

Unspecified vulnerability in the QuickTime Movie Parser Filter in quartz.dll in DirectShow in Microsoft DirectX 7.0 through 9.0c on Windows 2000 SP4, Windows XP SP2 and SP3, and Windows Server 2003 SP2 allows remote attackers to execute arbitrary code via a crafted QuickTime media file, as exploited in the wild in May 2009, aka "DirectX NULL Byte Overwrite Vulnerability."

CWE(s): CWE-158 (Improper Neutralization of Null Byte or NUL Character)
KEV Date Added: 20 May 2026

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor      Product                 Versions
microsoft   directx                 7.0, 7.0a, 7.1, 8.1, 8.1b
microsoft   windows 2000            all versions
microsoft   windows 2003 server     all versions
microsoft   windows server 2003     all versions
microsoft   windows xp              all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation [prevent]
Directly requires timely installation of the vendor patch (Microsoft Security Advisory 971778) that eliminates the NULL-byte overwrite flaw in quartz.dll.

CM-7 Least Functionality [prevent]
Enforces disabling or removing the DirectShow/QuickTime parser components when they are not required, eliminating the attack surface for crafted media files.

Malicious-code detection [prevent, detect]
Deploys malicious-code detection mechanisms that can inspect or sandbox QuickTime media files before the vulnerable parser processes them.
