cbcvebase.
CVE-2012-10062
published 2025-08-30

CVE-2012-10062: A vulnerability in XAMPP, developed by Apache Friends, version 1.7.3's default WebDAV configuration allows remote authenticated attackers to upload and execute…

Priority: P2 66
Severity: high (CVSS 4.0 base score 8.7)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
(Threat, Environmental and Supplemental metrics E, CR, IR, AR, MAV, MAC, MAT, MPR, MUI, MVC, MVI, MVA, MSC, MSI, MSA, S, AU, R, V, RE, U are all X, i.e. not defined)
Exploit: public exploit available
EPSS: 1.21% (64.6th percentile)
A vulnerability in XAMPP, developed by Apache Friends, version 1.7.3's default WebDAV configuration allows remote authenticated attackers to upload and execute arbitrary PHP code. The WebDAV service, accessible via /webdav/, accepts HTTP PUT requests using default credentials. This permits attackers to upload a malicious PHP payload and trigger its execution via a subsequent GET request, resulting in remote code execution on the server.

Affected (1 range)

Vendor          Product   Version range   Fixed in
apache_friends  xampp     <= 1.7.3        -

Detection & IOCs (extracted from sources)

URL: /webdav/
  • Detect HTTP PUT requests to /webdav/ paths, especially those uploading PHP files, as this is the primary attack vector for CVE-2012-10062.
  • Monitor for a GET request to /webdav/ following a PUT request to the same path, which indicates the attacker is triggering execution of an uploaded PHP payload.
  • Alert on use of default XAMPP WebDAV credentials in HTTP Basic Authentication headers combined with PUT requests, as exploitation relies on default credentials.
  • Detect Metasploit exploit module activity for both multi/http/webdav_upload_php (cross-platform) and windows/http/xampp_webdav_upload_php targeting XAMPP WebDAV endpoints.
  • The vulnerability is specific to XAMPP version 1.7.3's default WebDAV configuration. Installations with changed credentials or with WebDAV disabled are not affected.
  • Exploitation requires both WebDAV and PHP execution to be enabled on the same endpoint; the Metasploit module targets this combined condition.
  • The updated Metasploit module (multi/http/webdav_upload_php) now includes Linux support and a check() method, broadening the scope beyond Windows-only XAMPP targets.
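The three detection rules above (PHP PUT under /webdav/, default credentials in the Basic header, GET to a path that was just PUT) implemented over access-log lines, as an added example that is not from this page or from the Metasploit modules. It assumes a custom Apache LogFormat that records the Authorization header (the stock "combined" format does not), the well-known XAMPP default WebDAV account wampp/xampp (the page says "default credentials" without naming them), and constructed sample log lines rather than captured traffic:

```python
import base64
import re

# Assumed Apache LogFormat (not from the page); the stock "combined" format
# does not record the Authorization header, so a custom one is needed:
#   LogFormat "%h %t \"%r\" %>s \"%{Authorization}i\"" webdav
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<auth>[^"]*)"$'
)

WEBDAV_PREFIX = "/webdav/"

# XAMPP's well-known default WebDAV account; an assumption here, since the
# page names "default credentials" without spelling them out.
DEFAULT_CREDS = {("wampp", "xampp")}


def decode_basic(header):
    """Return (user, password) from an HTTP Basic Authorization value, else None."""
    if not header or not header.lower().startswith("basic "):
        return None
    try:
        raw = base64.b64decode(header[6:].strip(), validate=True).decode("utf-8", "replace")
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match LOG_RE."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["creds"] = decode_basic(rec["auth"])
    return rec


def detect(lines):
    """Apply the three rules to a log stream; return (rule, ip, path) alerts in log order."""
    alerts = []
    uploaded = {}   # path -> ip that PUT it with a 2xx (i.e. the credentials were accepted)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(WEBDAV_PREFIX):
            continue
        ip, path, method = rec["ip"], rec["path"], rec["method"]
        if method == "PUT":
            if rec["creds"] in DEFAULT_CREDS:
                alerts.append(("default-creds-put", ip, path))
            if path.lower().endswith(".php"):
                alerts.append(("php-upload", ip, path))
            if 200 <= rec["status"] < 300:
                uploaded[path] = ip
        elif method == "GET" and path in uploaded:
            # Keyed on path, not on source IP: the trigger may come from another host.
            alerts.append(("exec-after-upload", ip, path))
    return alerts


# Constructed sample log, not captured traffic: a default-credential PHP upload
# and trigger from 203.0.113.7, then a benign authenticated text upload.
SAMPLE_LOG = [
    '203.0.113.7 [30/Aug/2025:10:00:01 +0000] "PROPFIND /webdav/ HTTP/1.1" 207 "Basic d2FtcHA6eGFtcHA="',
    '203.0.113.7 [30/Aug/2025:10:00:02 +0000] "PUT /webdav/shell.php HTTP/1.1" 201 "Basic d2FtcHA6eGFtcHA="',
    '203.0.113.7 [30/Aug/2025:10:00:03 +0000] "GET /webdav/shell.php HTTP/1.1" 200 "-"',
    '198.51.100.4 [30/Aug/2025:10:05:00 +0000] "PUT /webdav/notes.txt HTTP/1.1" 201 "Basic YWxpY2U6czNjcjN0"',
    '198.51.100.4 [30/Aug/2025:10:05:01 +0000] "GET /index.php HTTP/1.1" 200 "-"',
]

if __name__ == "__main__":
    for rule, ip, path in detect(SAMPLE_LOG):
        print(f"{rule:20} {ip:15} {path}")
```

Two caveats. The PUT-then-GET correlation only records uploads that returned 2xx, because a 401 against the default pair means the credentials were changed and the host is not affected per the note above. And logging the Authorization header writes reusable credentials into the access log, so restrict who can read it; a WebDAV client can also upload a non-PHP file and rename it with MOVE or COPY, which this PUT-only rule does not follow, so alert on those methods under /webdav/ as well.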