CVE-2012-2311

EXPLOITED

PHP < 5.3.13 and 5.4.x < 5.4.3 - Remote Code Execution via CGI Query String

Exploitation Summary

CVE-2012-2311 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 4 public exploits.

AI-analyzed exploit summary: This exploit leverages PHP CGI argument injection (CVE-2012-1823) by sending a crafted HTTP POST request with malicious query string parameters to enable remote code execution via PHP directives. The payload prepends arbitrary PHP code (phpinfo() in this case) to the executed script.

Description

sapi/cgi/cgi_main.c in PHP before 5.3.13 and 5.4.x before 5.4.3, when configured as a CGI script (aka php-cgi), does not properly handle query strings that contain a %3D sequence but no = (equals sign) character, which allows remote attackers to execute arbitrary code by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'd' case. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1823.
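For detection, the condition in the description translates into a log check: under the CGI convention a query string with no literal = is handed to the script as command-line words, and %3D does not count as a literal =. The following is an added example, not code from this page or from PHP; the function names, reason labels and log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log lines; addresses, paths and directive names are made up.
SAMPLE_LOG = [
    '203.0.113.5 - - [09/May/2012:10:01:00 +0000] "GET /index.php?page=2&sort=-date HTTP/1.1" 200 512',
    '203.0.113.9 - - [09/May/2012:10:01:07 +0000] "GET /index.php?-s HTTP/1.1" 200 4096',
    '203.0.113.9 - - [09/May/2012:10:01:09 +0000] "POST /index.php?-d+example_directive%3D1 HTTP/1.1" 200 128',
    '203.0.113.9 - - [09/May/2012:10:01:11 +0000] "POST /cgi-bin/php?%2Dd+example_directive%3d1 HTTP/1.1" 200 128',
    '198.51.100.2 - - [09/May/2012:10:02:00 +0000] "GET /search.php?php+cgi HTTP/1.1" 200 900',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
ENCODED_EQ = "option with encoded '=' (CVE-2012-2311 pattern)"
PLAIN_OPT = "option-like argument in query string"

def classify_query(query):
    """Return None for an ordinary query, else a reason label."""
    # A literal '=' marks form data; such queries are not passed as arguments.
    # The test must use the raw query: %3D is not a literal '='.
    if not query or "=" in query:
        return None
    # Decode only after the '=' test, so %2D and '+' cannot hide the leading option.
    words = unquote_plus(query).split()
    if not words or not words[0].startswith("-"):
        return None
    return ENCODED_EQ if "%3d" in query.lower() else PLAIN_OPT

def scan(lines):
    """Return (line_number, reason) for every request that looks like option injection."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        reason = classify_query(urlsplit(match.group("target")).query)
        if reason:
            findings.append((number, reason))
    return findings

if __name__ == "__main__":
    for number, reason in scan(SAMPLE_LOG):
        print(f"line {number}: {reason}")
```

A hit only shows that a request matched the pattern; whether the server was affected depends on the PHP version and on php-cgi actually handling the request.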

Exploits (4)

exploitdb WORKING POC
python · remote · php
https://www.exploit-db.com/exploits/18836

This exploit leverages PHP CGI argument injection (CVE-2012-1823) by sending a crafted HTTP POST request with malicious query string parameters to enable remote code execution via PHP directives. The payload prepends arbitrary PHP code (phpinfo() in this case) to the executed script.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: PHP CGI (versions before 5.3.12 and 5.4.2)
No auth needed
Prerequisites: PHP CGI mode enabled · Target server exposed to network requests
devstral-2 · analyzed Feb 19, 2026

exploitdb WORKING POC
ruby · remote · php
https://www.exploit-db.com/exploits/18834

This Metasploit module exploits CVE-2012-1823, a PHP CGI argument injection vulnerability, by leveraging the -d flag to manipulate php.ini directives and achieve remote code execution. It sends a crafted POST request with malicious PHP code in the body, which is executed due to the misconfigured directives.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: PHP up to 5.3.12 and 5.4.2 (when run as CGI)
No auth needed
Prerequisites: Target must be running PHP as a CGI binary · Access to a CGI-handled PHP script
devstral-2 · analyzed Feb 19, 2026

exploitdb WORKING POC
python · remote · php
https://www.exploit-db.com/exploits/29316

This Python script exploits CVE-2012-2311, a remote code execution vulnerability in PHP CGI configurations. It crafts a malicious HTTP POST request to trigger command execution via PHP's CGI mode, supporting both direct command execution and reverse shell payloads.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: PHP CGI (versions 5.x with vulnerable configurations)
No auth needed
Prerequisites: PHP CGI mode enabled · Exposed PHP CGI binary via web server
devstral-2 · analyzed Feb 19, 2026

exploitdb WORKING POC
c · remote · php
https://www.exploit-db.com/exploits/29290

This exploit targets a vulnerability in PHP CGI (CVE-2012-2311) by bypassing security checks via the -d flag to execute arbitrary PHP code. It sends a crafted POST request to the PHP CGI binary, allowing remote code execution through a reverse shell payload.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: PHP CGI (versions prior to 5.3.12 and 5.4.2)
No auth needed
Prerequisites: PHP CGI installed and accessible via /cgi-bin/php or /cgi-bin/php5 · Network access to the target server
devstral-2 · analyzed Feb 19, 2026

References (17)

Core References
Mailing List vendor-advisory x_refsource_hp
http://marc.info/?l=bugtraq&m=134012830914727&w=2
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1027022
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/49014
Vendor Advisory x_refsource_confirm
https://bugs.php.net/bug.php?id=61910
Vendor Advisory x_refsource_confirm
http://www.php.net/archive/2012.php#id2012-05-08-1
Mailing List vendor-advisory x_refsource_apple
http://lists.apple.com/archives/security-announce/2012/Sep/msg00004.html
Vendor Advisory x_refsource_confirm
http://support.apple.com/kb/HT5501
US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/520827
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2012/dsa-2465
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/49085
Vendor Advisory x_refsource_confirm
http://www.php.net/ChangeLog-5.php#5.4.3

Scores

EPSS 0.7453
EPSS Percentile 98.9%

Details

VulnCheck KEV: 2012-05-09
CWE: CWE-89
Status: published
Products (46)
php/php 1.0
php/php 2.0
php/php 2.0b10
php/php 3.0
php/php 3.0.1
php/php 3.0.2
php/php 3.0.3
php/php 3.0.4
php/php 3.0.5
php/php 3.0.6
... and 36 more
Published May 11, 2012
Tracked Since Feb 18, 2026