CVE-2009-1537: Microsoft DirectX QuickTime Parser Flaw Added to CISA KEV

CISA added a 2009-era Microsoft DirectX remote code execution flaw in the DirectShow QuickTime Movie Parser Filter to the Known Exploited Vulnerabilities catalog on 2026-05-20, citing confirmed in-the-wild exploitation dating back to May 2009.

What Is It

CVE-2009-1537 is an unspecified vulnerability, tracked publicly as the "DirectX NULL Byte Overwrite Vulnerability", in the QuickTime Movie Parser Filter inside quartz.dll, the DirectShow component of Microsoft DirectX. A remote attacker can trigger arbitrary code execution by getting a victim to open or render a crafted QuickTime media file. NVD assigns a CVSS 3.1 base score of 8.8 (HIGH) with vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H; the legacy CVSS v2 score is 9.3. User interaction is required, but no privileges or authentication are needed, and successful exploitation fully compromises confidentiality, integrity, and availability.

Why It Matters

CISA's KEV listing confirms active exploitation, and the original NVD description notes the bug was "exploited in the wild in May 2009." Ransomware association is currently listed as Unknown. Despite the CVE's age, KEV inclusion in 2026 signals that vulnerable, unpatched legacy Windows systems are still being targeted, likely embedded, industrial, or otherwise out-of-support endpoints where DirectX 7.0–9.0c remains in place. Federal civilian agencies have a due date of 2026-06-03 to remediate.

What's Vulnerable

Per NVD CPE data, affected combinations include:

The vulnerable code path is quartz.dll's QuickTime Movie Parser Filter in DirectShow.

Patch Status

Microsoft addressed the issue in security bulletin MS09-028. CISA's required action: "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable." For systems beyond support (Windows 2000, XP, Server 2003), discontinuation or isolation is the practical path.
