A vulnerability in XAMPP, developed by Apache Friends, version 1.7.3's default WebDAV configuration allows remote authenticated attackers to upload and execute arbitrary PHP code. The WebDAV service, accessible via /webdav/, accepts HTTP PUT requests using default credentials. This permits attackers to upload a malicious PHP payload and trigger its execution via a subsequent GET request, resulting in remote code execution on the server.
Security readout for executives and security teams
Plain-English summary
This issue affects XAMPP 1.7.3 when its default WebDAV setup is exposed and protected only by default credentials. An attacker with those credentials could place PHP content where the server executes it, leading to remote code execution. The provided sources do not show CISA KEV listing or confirmed active exploitation.
Executive priority
Treat this as high priority if XAMPP 1.7.3 is exposed beyond trusted networks. The business risk is full server compromise from a legacy development stack configuration. If XAMPP is not deployed or WebDAV is internal and hardened, urgency drops.
Technical view
The source bundle describes a WebDAV configuration weakness in Apache Friends XAMPP 1.7.3. The /webdav/ endpoint accepts authenticated PUT requests using default credentials, allowing arbitrary PHP upload and execution by the web server. The record maps to CWE-306 and CWE-434 and carries CVSS 4.0 score 8.7.
Likely exposure
Most likely exposure is old XAMPP 1.7.3 development, lab, or forgotten internet-facing servers with /webdav/ enabled and default credentials unchanged. The affected-product data is incomplete and lists no CPEs, so asset validation is required.
Exploitation context
Public exploit references exist in Metasploit and Exploit-DB, indicating known reproducible attack logic. However, the bundle marks KEV as false and provides no cited evidence of active exploitation in the wild.
Researcher notes
The CVE record and bundle contain an affected-version inconsistency: the description names XAMPP 1.7.3, while the affected array lists version 0 with defaultStatus unaffected. Validate against observed configuration rather than relying only on CPE matching.
Mitigation direction
Identify any XAMPP 1.7.3 instances, especially internet-facing systems.
Disable or remove WebDAV exposure where it is not required.
Replace default WebDAV credentials with unique, strong credentials.
Restrict /webdav/ access to trusted networks only.
Check Apache Friends and VulnCheck guidance; no patched version is named here.
Validation and detection
Inventory hosts running XAMPP and confirm version 1.7.3 exposure.
Check whether /webdav/ is reachable from untrusted networks.
Review WebDAV authentication for default or shared credentials.
Inspect web-accessible WebDAV directories for unexpected PHP files.
Review web logs for suspicious WebDAV writes and PHP access.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-306: Credential and account abuse lookup
Authentication and credential weaknesses can make valid-account abuse and credential telemetry useful review starting points. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
CWE-434: File access and web shell behavior lookup
File traversal and upload weaknesses can lead teams to review file, web shell, execution, and collection telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
The CVE wording references authentication or credential exposure, so valid-account and credential-access review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
1CVSS vectors
3Timeline events
1ADP providers
5Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: pocAutomatable: noTechnical Impact: total
CVSS vector scores
1 official score
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-306 · source CWE mapping
Missing Authentication for Critical Function
Missing Authentication for Critical Function represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
Unrestricted Upload of File with Dangerous Type represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.