CVE-2012-10062: 
XAMPP vulnerability analysis and mitigation

A vulnerability in XAMPP, developed by Apache Friends, version 1.7.3's default WebDAV configuration allows remote authenticated attackers to upload and execute arbitrary PHP code. The vulnerability was disclosed on August 30, 2025. The WebDAV service, accessible via /webdav/, accepts HTTP PUT requests using default credentials (NVD, VulnCheck).

The vulnerability stems from a combination of unrestricted file upload capability and missing authentication controls in the WebDAV service. The service accepts HTTP PUT requests with default credentials, allowing attackers to upload malicious PHP payloads. These payloads can then be executed via subsequent GET requests to achieve remote code execution on the server. The vulnerability has been assigned a CVSS v4.0 score of 8.7 (HIGH) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (VulnCheck).

The successful exploitation of this vulnerability allows attackers to execute arbitrary PHP code on the affected server, potentially leading to complete system compromise. The attacker can upload malicious PHP files and execute them through the WebDAV interface, effectively gaining remote code execution capabilities (NVD).

To mitigate this vulnerability, administrators should change the default WebDAV credentials, disable WebDAV if not required, or upgrade to a newer version of XAMPP. Additionally, implementing proper access controls and authentication mechanisms for the WebDAV service is recommended (Apache Friends).