CVE-2012-2924

Hypermethod eLearning Server 4G - RCE

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2012-2924. PoCs published by Andrey Komarov.

AI-analyzed exploit summary The exploit demonstrates SQL injection via the 'nid' parameter in news.php4 and a remote file inclusion vulnerability in admin/setup.inc.php. Both vulnerabilities allow unauthorized access or execution of arbitrary code.

Description

PHP remote file inclusion vulnerability in admin/setup.inc.php in Hypermethod eLearning Server 4G allows remote attackers to execute arbitrary PHP code via a URL in the path parameter.

Exploits (1)

exploitdb WORKING POC

by Andrey Komarov · textwebappsphp

https://www.exploit-db.com/exploits/18858

View Code ZIP pw:eip

The exploit demonstrates SQL injection via the 'nid' parameter in news.php4 and a remote file inclusion vulnerability in admin/setup.inc.php. Both vulnerabilities allow unauthorized access or execution of arbitrary code.

Classification

Working Poc 90%

Attack Type

Sqli

Complexity

Trivial

Reliability

Reliable

Target: eLearning Server 4G

No auth needed

Prerequisites: Network access to the target server · Target running eLearning Server 4G

MITRE ATT&CK

T1189 - Drive-by Compromise T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Exploit exploit x_refsource_exploit-db

http://www.exploit-db.com/exploits/18858

Third Party Advisory, VDB Entry vdb-entry x_refsource_xf

https://exchange.xforce.ibmcloud.com/vulnerabilities/75514

Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb

http://www.osvdb.org/81831

Exploit vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/53472

Scores

EPSS 0.0256

EPSS Percentile 83.0%

Details

CWE

CWE-94

Status published

Products (1)

hypermethod/elearning_server 4g

Published May 21, 2012

Tracked Since Feb 18, 2026