CVE-2012-0297

EXPLOITED

Symantec Web Gateway < 5.0.3 - Remote Code Execution via Management GUI Script Access

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2012-0297 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 6 public exploits from researchers including Metasploit, muts, Unknown, juan vazquez, including a Metasploit module exploits/linux/http/symantec_web_gateway_exec.

AI-analyzed exploit summary This Metasploit module exploits a command injection vulnerability in Symantec Web Gateway 5.0.2.8 via the `ipchange.php` file, allowing unauthenticated remote command execution.

Description

The management GUI in Symantec Web Gateway 5.0.x before 5.0.3 does not properly restrict access to application scripts, which allows remote attackers to execute arbitrary code by (1) injecting crafted data or (2) including crafted data.

Exploits (6)

exploitdb WORKING POC VERIFIED
by Metasploit · rubywebappsphp
https://www.exploit-db.com/exploits/19065

This Metasploit module exploits a command injection vulnerability in Symantec Web Gateway 5.0.2.8 via the `ipchange.php` file, allowing unauthenticated remote command execution.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Symantec Web Gateway 5.0.2.8
No auth needed
Prerequisites: Network access to the target · Target running Symantec Web Gateway 5.0.2.8
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotelinux
https://www.exploit-db.com/exploits/18942

This Metasploit module exploits a vulnerability in Symantec Web Gateway by injecting PHP code into the access log and then loading it via a directory traversal flaw to achieve remote code execution under the context of 'apache'.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Symantec Web Gateway 5.0.2.8
No auth needed
Prerequisites: Network access to the target · Target must be running Symantec Web Gateway 5.0.2.8
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by muts · pythonwebappslinux
https://www.exploit-db.com/exploits/18932

This exploit leverages a Local File Inclusion (LFI) vulnerability in Symantec Web Gateway 5.0.2 to write a malicious script to /tmp/networkScript, which is then executed with sudo privileges via log poisoning. The payload establishes a reverse shell to a specified IP and port.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Symantec Web Gateway 5.0.2
No auth needed
Prerequisites: Network access to the target · Target must have /tmp/networkScript writable by Apache and sudoable
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC
webappslinux
https://www.exploit-db.com/exploits/19406

The exploit demonstrates multiple vulnerabilities in Symantec Web Gateway 5.0.2.8, including local file inclusion (LFI), arbitrary file download/delete, and remote command execution (RCE) via file upload and deprecated admin config manipulation. It provides clear examples of malicious HTTP requests and PHP code to achieve RCE.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Symantec Web Gateway 5.0.2.8
No auth needed
Prerequisites: Network access to the target · Web server running Symantec Web Gateway 5.0.2.8
devstral-2 · analyzed Feb 19, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by Unknown, juan vazquez · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/symantec_web_gateway_exec.rb

This Metasploit module exploits a command injection vulnerability in Symantec Web Gateway 5.0.2.8 via the `spywall/ipchange.php` endpoint, allowing unauthenticated remote code execution by injecting commands into the `subnet` parameter.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Symantec Web Gateway 5.0.2.8
No auth needed
Prerequisites: Network access to the target's HTTP service
devstral-2 · analyzed Feb 19, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by Unknown, muts, sinn3r · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/symantec_web_gateway_lfi.rb

This Metasploit module exploits a directory traversal vulnerability in Symantec Web Gateway 5.0.2.8 to achieve remote code execution by injecting PHP code into the access log and then loading it via a traversal flaw.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Symantec Web Gateway 5.0.2.8
No auth needed
Prerequisites: Access to the target's HTTP service · Target must be running Symantec Web Gateway 5.0.2.8
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/53444
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/75731

Scores

EPSS 0.8946
EPSS Percentile 99.6%

Details

VulnCheck KEV 2023-12-06
CWE
CWE-264
Status published
Products (3)
symantec/web_gateway 5.0
symantec/web_gateway 5.0.1
symantec/web_gateway 5.0.2
Published May 21, 2012
Tracked Since Feb 18, 2026