What is CVE-2009-1537?

CVE-2009-1537 is a high-severity vulnerability in Microsoft Directx, classified under CWE-158. CVSS score: 8.8/10. Published 2009-05-29.

How severe is CVE-2009-1537?

High severity. CVSS v3 base score is 8.8 out of 10.

Is CVE-2009-1537 known to be exploited?

Yes. CVE-2009-1537 is listed in the CISA Known Exploited Vulnerabilities catalog (added 2026-05-20), indicating it is being actively exploited.

Vulnerability in Microsoft Directx

CVE-2009-1537

Unspecified vulnerability in the QuickTime Movie Parser Filter in quartz.dll in DirectShow in Microsoft DirectX 7.0 through 9.0c on Windows 2000 SP4, Windows XP SP2 and SP3, and Windows Server 2003 SP2 allows remote attackers to execute ar…

EPSS: 0.530 (98.0th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.8 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H.

Affected products

Microsoft Directx — versions 7.0, 7.0a, 7.1
Microsoft Windows_2000
Microsoft Windows_2003_server
Microsoft Windows_server_2003
Microsoft Windows_xp
N/a — versions n/a

Weakness classification (CWE)

CWE-158

CISA KEV (Known Exploited Vulnerabilities)

This CVE is on the CISA KEV catalog, added on 2026-05-20. CISA KEV inclusion means CISA has confirmed in-the-wild exploitation; US federal agencies are required to remediate within a published due date.

BOD 22-01 due date: 2026-06-03.

Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

References

secure@microsoft.com (x_refsource_MS, vendor-advisory, Vendor Advisory)
secure@microsoft.com (x_refsource_CONFIRM, Vendor Advisory)
secure@microsoft.com (Broken Link, x_refsource_OVAL, signature, vdb-entry)
secure@microsoft.com (x_refsource_SECUNIA, Vendor Advisory, third-party-advisory)
secure@microsoft.com (vdb-entry, x_refsource_SECTRACK, Broken Link)
secure@microsoft.com (vdb-entry, x_refsource_VUPEN, Vendor Advisory)
secure@microsoft.com (vdb-entry, x_refsource_VUPEN, Vendor Advisory)
secure@microsoft.com (x_refsource_OSVDB, vdb-entry, Broken Link)
secure@microsoft.com (vdb-entry, Broken Link, x_refsource_BID)
secure@microsoft.com (US Government Resource, x_refsource_CERT, third-party-advisory)

Frequently asked questions

What is CVE-2009-1537?: CVE-2009-1537 is a high-severity vulnerability in Microsoft Directx, classified under CWE-158. CVSS score: 8.8/10. Published 2009-05-29.
How severe is CVE-2009-1537?: High severity. CVSS v3 base score is 8.8 out of 10.
Is CVE-2009-1537 known to be exploited?: Yes. CVE-2009-1537 is listed in the CISA Known Exploited Vulnerabilities catalog (added 2026-05-20), indicating it is being actively exploited.