This could be related to a Microsoft .Net bug when using ASP.NET wildcard application mapping that's used in EPiServer CMS 5.

You can get more information on http://support.microsoft.com/kb/911300 where you can also contact Microsoft for a hotfix.
It's also included in the latest security update for the .NET Framework 2.0: http://support.microsoft.com/kb/928365/en-us