CVE-2012-10062
HIGHXAMPP 1.7.3 - RCE
Title source: llmDescription
A vulnerability in XAMPP, developed by Apache Friends, version 1.7.3's default WebDAV configuration allows remote authenticated attackers to upload and execute arbitrary PHP code. The WebDAV service, accessible via /webdav/, accepts HTTP PUT requests using default credentials. This permits attackers to upload a malicious PHP payload and trigger its execution via a subsequent GET request, resulting in remote code execution on the server.
Exploits (3)
exploitdb
WORKING POC
VERIFIED
by Metasploit · rubyremotewindows
https://www.exploit-db.com/exploits/18367
metasploit
WORKING POC
EXCELLENT
by theLightCosine, g0tmi1k · rubypocphp
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/webdav_upload_php.rb
metasploit
WORKING POC
EXCELLENT
by theLightCosine · rubypocphp
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/xampp_webdav_upload_php.rb
References (4)
Scores
CVSS v4
8.7
EPSS
0.5798
EPSS Percentile
98.2%
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Details
CWE
CWE-306
CWE-434
Status
published
Products (1)
Apache Friends/XAMPP
< 1.7.3
Published
Aug 30, 2025
Tracked Since
Feb 18, 2026