Blocking PROPFIND HTTP method with F5 load balancers

CVE-2017-7269 was published on March 26, 2017, describing a remote code execution vulnerability in the PROPFIND HTTP method handling code of IIS/6.0. Exploit code is publicly available, and the vulnerability has likely been exploited in the wild since July/August 2016.

I’ve been working on options to block the PROPFIND method on the F5 load balancers as a short-term fix, and wanted to share the iRule in case anybody else is looking for a similar solution:

when HTTP_REQUEST {
    switch [HTTP::method] {
        "PROPFIND" {
            if { !([IP::addr [IP::client_addr] equals TRUSTED_CIDR]) } {
                # deny PROPFIND HTTP/WebDAV method from untrusted networks (TRUSTED_CIDR is a placeholder)
                HTTP::respond 405 content "Method not allowed"
            } }
    } }

  • The switch [HTTP::method] block matches when the PROPFIND method is used for the request.
  • The if { ... } block checks whether the client is coming from the trusted CIDR block, and sends a 405 HTTP error code if not.

Note: blocking PROPFIND breaks WebDAV drive mapping in Windows, and likely other WebDAV clients as well.
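
Because the rule cuts off WebDAV clients outside the trusted range, it helps to check the IIS logs first for who actually sends PROPFIND. The Python script below is an added example, not part of the original post: it applies the iRule's decision (method is PROPFIND, client outside the trusted network) to IIS W3C log text. The trusted network 10.0.0.0/8, the function name audit_propfind and the sample log lines are constructed assumptions.

```python
import ipaddress

# Assumption: stands in for the trusted CIDR of the iRule (the value is not given on this page).
TRUSTED_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed sample in IIS W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent)
2017-03-27 09:14:02 10.1.2.3 PROPFIND /share/ 207 Microsoft-WebDAV-MiniRedir/6.1.7601
2017-03-27 09:14:05 198.51.100.7 GET /index.htm 200 Mozilla/5.0
2017-03-27 09:15:11 198.51.100.7 PROPFIND / 500 -
2017-03-27 09:16:40 203.0.113.9 PROPFIND /docs/ 207 Microsoft-WebDAV-MiniRedir/6.1.7601
2017-03-27 09:17:00 not-an-ip PROPFIND / 400 -
"""

def audit_propfind(log_text, trusted=TRUSTED_NET):
    """Split PROPFIND requests the way the iRule does.

    Returns (allowed, denied): lists of (client_ip, uri, user_agent) for clients
    inside and outside the trusted network respectively.
    """
    fields, allowed, denied = [], [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column layout may change mid-file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        # Exact, case-sensitive match, like the "PROPFIND" case in the switch.
        if row.get("cs-method") != "PROPFIND":
            continue
        entry = (row.get("c-ip", "-"), row.get("cs-uri-stem", "-"),
                 row.get("cs(User-Agent)", "-"))
        try:
            inside = ipaddress.ip_address(entry[0]) in trusted
        except ValueError:
            inside = False                 # unparseable client address: treat as untrusted
        (allowed if inside else denied).append(entry)
    return allowed, denied

if __name__ == "__main__":
    allowed, denied = audit_propfind(SAMPLE_LOG)
    for ip, uri, agent in denied:
        print(f"would get 405: {ip} {uri} {agent}")
    print(f"{len(allowed)} PROPFIND request(s) from the trusted network stay allowed")
```

Entries in the denied list with a WebDAV client user agent are the drive mappings that will stop working once the rule is active.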

Random rumblings about #InfoSec. The opinions expressed here are my own and not necessarily those of my employer.
