CVE-2012-2336

EXPLOITED

PHP < 5.3.13 and 5.4.x < 5.4.3 - Denial of Service via Malformed CGI Query String

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2012-2336 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 4 public exploits from researchers including kingcope, rayh4c, Metasploit.

AI-analyzed exploit summary This exploit targets a vulnerability in PHP CGI (CVE-2012-2311) by bypassing security checks via command-line arguments (-d) to execute arbitrary PHP code. It sends a crafted POST request to the PHP CGI binary, disabling security settings and executing a reverse shell payload.

Description

sapi/cgi/cgi_main.c in PHP before 5.3.13 and 5.4.x before 5.4.3, when configured as a CGI script (aka php-cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote attackers to cause a denial of service (resource consumption) by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'T' case. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1823.

Exploits (4)

exploitdb WORKING POC VERIFIED
by kingcope · cremotephp
https://www.exploit-db.com/exploits/29290

This exploit targets a vulnerability in PHP CGI (CVE-2012-2311) by bypassing security checks via command-line arguments (-d) to execute arbitrary PHP code. It sends a crafted POST request to the PHP CGI binary, disabling security settings and executing a reverse shell payload.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: PHP CGI (versions prior to 5.3.12 and 5.4.2)
No auth needed
Prerequisites: PHP CGI installed and accessible via /cgi-bin/php or /cgi-bin/php5 · Network access to the target server
devstral-2 · analyzed Feb 18, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by rayh4c · pythonremotephp
https://www.exploit-db.com/exploits/18836

This exploit leverages PHP CGI argument injection (CVE-2012-1823) by sending a crafted HTTP POST request with malicious query parameters to enable remote code execution via PHP directives. The payload prepends arbitrary PHP code (phpinfo() in this case) to demonstrate the vulnerability.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: PHP CGI (versions before 5.3.12 and 5.4.2)
No auth needed
Prerequisites: PHP CGI mode enabled · Network access to the target server
devstral-2 · analyzed Feb 18, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotephp
https://www.exploit-db.com/exploits/18834

This exploit leverages a PHP CGI argument injection vulnerability (CVE-2012-1823) to achieve remote code execution by manipulating PHP directives via the -d flag. It sends a crafted POST request with malicious PHP code in the body, exploiting improper handling of query strings.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: PHP up to 5.3.12 and 5.4.2 (when run as CGI)
No auth needed
Prerequisites: Target must be running PHP as a CGI binary · Access to a CGI-handled PHP script
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC
by noptrix · pythonremotephp
https://www.exploit-db.com/exploits/29316

This exploit targets a vulnerability in Apache with PHP 5.* via CGI misconfiguration, allowing remote code execution. It includes functionality for vulnerability scanning, command execution, and reverse shell establishment.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache with PHP 5.* (CGI misconfiguration)
No auth needed
Prerequisites: Apache with PHP 5.* configured as CGI · Network access to the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (8)

Core 8
Core References
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/49014
Vendor Advisory x_refsource_confirm
https://bugs.php.net/bug.php?id=61910
Vendor Advisory x_refsource_confirm
http://www.php.net/archive/2012.php#id2012-05-08-1
Vendor Advisory x_refsource_confirm
http://www.php.net/ChangeLog-5.php#5.4.3

Scores

EPSS 0.4733
EPSS Percentile 97.8%

Details

VulnCheck KEV 2018-01-15
CWE
CWE-20
Status published
Products (46)
php/php 1.0
php/php 2.0
php/php 2.0b10
php/php 3.0
php/php 3.0.1
php/php 3.0.2
php/php 3.0.3
php/php 3.0.4
php/php 3.0.5
php/php 3.0.6
... and 36 more
Published May 11, 2012
Tracked Since Feb 18, 2026