XAMPP for Windows "746" Exploit (Jun 2026)
XAMPP is a widely used, open-source web server solution stack developed by Apache Friends. It bundles Apache HTTP Server, MariaDB, PHP, and Perl into a single package, allowing developers to set up a local web server environment quickly.
Mitigation is multi-layered. First, and most importantly, keep the software up to date: current XAMPP releases ship tighter defaults than the versions these attacks were written for (the administrative pages are limited to local access and WebDAV is no longer enabled out of the box). Second, enforce least privilege. Apache should never run as SYSTEM or Administrator; run it as a dedicated account that can read the web root but cannot write to system directories, so that a web shell inherits nothing useful. Third, set disable_functions in php.ini to block the helpers a web shell needs to reach the operating system (shell_exec, exec, system, passthru, popen, proc_open). This breaks the most common post-exploitation chain, but it is a containment measure, not a fix: an attacker who can write files into the web root still has other options, so it complements the first two steps rather than replacing them.
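The following script is an added example, not code from the original page or from Apache Friends. It checks two of the mitigations above on a XAMPP for Windows host: which account httpd.exe actually runs as, and whether php.ini's disable_functions covers the shell helpers. It assumes the installer default path C:\xampp and the default service name Apache2.4; adjust both if your install differs.

```powershell
# Added example (not from the original page): verify Apache's privilege level and
# the disable_functions setting on a XAMPP for Windows host.
# Assumption: XAMPP is installed under C:\xampp (the installer default).
param([string]$XamppRoot = 'C:\xampp')

# 1. Who is httpd.exe running as? Started from the Control Panel it runs as the
#    logged-on user; installed as a service it runs as LocalSystem unless changed.
$procs = Get-CimInstance Win32_Process -Filter "Name = 'httpd.exe'"
if (-not $procs) { Write-Host 'httpd.exe is not running' }
foreach ($p in $procs) {
    $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    Write-Host ('httpd.exe PID {0} runs as {1}\{2}' -f $p.ProcessId, $owner.Domain, $owner.User)
    if ($owner.User -eq 'SYSTEM' -or $owner.User -match 'Administrator') {
        Write-Warning 'Apache runs with high privilege; a web shell inherits it. Use a dedicated low-privileged service account.'
    }
}
# Service registration (XAMPP registers Apache as "Apache2.4" when installed as a service).
$svc = Get-CimInstance Win32_Service -Filter "Name = 'Apache2.4'"
if ($svc) { Write-Host "Service Apache2.4 logon account: $($svc.StartName)" }

# 2. Does php.ini block the functions a web shell uses to reach the OS?
$phpIni = Join-Path $XamppRoot 'php\php.ini'
if (-not (Test-Path $phpIni)) { throw "php.ini not found at $phpIni" }
$wanted = 'exec', 'shell_exec', 'system', 'passthru', 'popen', 'proc_open'
$line = Get-Content $phpIni | Where-Object { $_ -match '^\s*disable_functions\s*=' } | Select-Object -First 1
$current = @()
if ($line) {
    # XAMPP ships "disable_functions =" with an empty value, so this is usually empty.
    $current = @(($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}
$missing = @($wanted | Where-Object { $current -notcontains $_ })
if ($missing) {
    Write-Warning ('disable_functions does not block: {0}' -f ($missing -join ', '))
    $suggested = @($current + $missing | Sort-Object -Unique) -join ','
    Write-Host "Suggested php.ini line: disable_functions = $suggested"
}
else {
    Write-Host "OK: disable_functions already covers $($wanted -join ', ')"
}
```

Run it from an elevated PowerShell so that Win32_Process owner lookups succeed for processes belonging to other users. After editing php.ini, restart Apache for the change to take effect; the PHP built into XAMPP reads php.ini only at startup.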
The Control Panel privilege escalation (CVE-2020-11107): xampp-control.ini, which lives in the XAMPP install directory, holds an Editor entry that tells the Control Panel which program to launch when an administrator clicks a module's Config button. By default it reads Editor=notepad.exe. In affected versions the file is writable by any local user, so a low-privileged attacker can change that entry to point at their own executable, for example Editor=C:\Users\Public\malicious.bat or C:\path\to\shell.exe. The next time an administrator opens a configuration file from the Control Panel, the attacker's program runs with the administrator's privileges.
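An added example (not the page's or Apache Friends' code) that audits the two things CVE-2020-11107 depends on: what the Editor entry currently points at, and whether low-privileged groups can still write xampp-control.ini. It assumes the default install path C:\xampp.

```powershell
# Added example (not from the original page): audit xampp-control.ini for the
# CVE-2020-11107 pattern. Assumption: XAMPP is installed under C:\xampp.
param([string]$XamppRoot = 'C:\xampp')

$ini = Join-Path $XamppRoot 'xampp-control.ini'
if (-not (Test-Path $ini)) { throw "No xampp-control.ini under $XamppRoot" }

# 1. What does the Control Panel launch when an admin clicks Config?
$editorLine = Get-Content $ini | Where-Object { $_ -match '^\s*Editor\s*=' } | Select-Object -First 1
$editor = if ($editorLine) { ($editorLine -split '=', 2)[1].Trim() } else { '' }
Write-Host "Editor entry: '$editor'"
# The stock value is notepad.exe, resolved through PATH. Anything else, in particular
# a path below a user-writable directory, deserves a look.
if ($editor -ne 'notepad.exe') {
    Write-Warning 'Editor entry is not the default notepad.exe; confirm it was set deliberately'
}

# 2. Can a non-administrator modify the file? That is the root cause of the bug.
$acl = Get-Acl $ini
$lowPriv = 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users'
$writeBits = [int][System.Security.AccessControl.FileSystemRights]::Write
$writers = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $lowPriv -contains $_.IdentityReference.Value -and
    (([int]$_.FileSystemRights -band $writeBits) -ne 0)   # Write or Modify; generic rights are not decoded here
}
if ($writers) {
    Write-Warning ("xampp-control.ini is writable by: {0}" -f ($writers.IdentityReference -join ', '))
    # Remediation: make inherited ACEs explicit, then drop the low-privileged groups,
    # leaving Administrators and SYSTEM with their existing rights.
    Write-Host "Fix:  icacls `"$ini`" /inheritance:d /remove:g Users `"Authenticated Users`" Everyone"
}
else {
    Write-Host "OK: only privileged principals can write $ini"
}
```

The ACL check looks only at explicit Write and Modify bits; an ACE granting a generic right (GENERIC_ALL or GENERIC_WRITE) would not be flagged, so treat a clean result as a first pass, not a proof. Updating to a fixed XAMPP release is still the proper remedy; the icacls line is for systems that cannot be upgraded immediately.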
Historically, attackers have targeted several areas of a default XAMPP installation: the Control Panel's configuration file, the WebDAV share, and the administrative pages that should only be reachable from the local machine.
Within 48 hours of a working exploit becoming public, ransomware groups such as TellYouThePass were using it to encrypt servers and demand roughly 0.1 BTC (about $6,700). The same access was used to deploy the Muhstik botnet and cryptocurrency miners.
In httpd-xampp.conf the administrative locations (/xampp, /phpmyadmin, /security, /server-status and friends) are guarded by Require local, which admits 127.0.0.1 and ::1 only. Leave that in place on a development box. If other machines genuinely need those pages, replace it with Require ip 192.168.1.0/24 (your own subnet), never with Require all granted. Note that Require ip ::1 is not tighter than Require local; it merely drops IPv4 loopback, so there is no security reason to prefer it.
The WebDAV file-upload path: a public proof of concept, heartburn-dev/XampPWN-WebDav-File-Upload-Exploit on GitHub, automates uploading a PHP file through the /webdav/ share that older XAMPP versions enabled by default. To check whether an installation is exposed, request the share from a different machine: a 404 means it is gone, a 401 means it exists and is only as safe as the account protecting it. The fix is to remove the WebDAV alias from the Apache configuration (or upgrade to a release that does not ship it) and, if the share must stay, replace the stock account with a strong, unique password.
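The following script is an added example, not code from the original page or from the XampPWN repository. It probes a XAMPP host from another machine to confirm that the administrative pages are restricted as described above and to see whether /webdav/ answers DAV methods. It is read-only (OPTIONS and GET only, no uploads). The target address is an assumption; the optional credential lets you test the account that older XAMPP versions shipped for WebDAV (user wampp, password xampp, as listed on XAMPP's own security page at the time).

```powershell
# Added example (not from the original page): remote, read-only check of a XAMPP host.
# Run from a LAN machine, not on the server itself, because "Require local" would
# otherwise hide the result. Assumption: the host is reachable at $Target.
param(
    [string]$Target = 'http://192.168.1.50',   # assumption: the XAMPP host as seen from the LAN
    [pscredential]$DavCredential                # optional: account to try against /webdav/
)

function Probe {
    param([string]$Method, [string]$Path, [pscredential]$Credential)
    $req = @{ Uri = "$Target$Path"; Method = $Method; UseBasicParsing = $true; TimeoutSec = 5 }
    if ($Credential) { $req.Credential = $Credential }
    try {
        $r = Invoke-WebRequest @req
        return [pscustomobject]@{ Path = $Path; Status = [int]$r.StatusCode; Allow = [string]$r.Headers['Allow'] }
    }
    catch {
        # Invoke-WebRequest throws on 4xx/5xx; the response object still carries the status.
        $resp = $_.Exception.Response
        if ($null -eq $resp) { throw }          # no HTTP answer at all: host down or port closed
        return [pscustomobject]@{ Path = $Path; Status = [int]$resp.StatusCode; Allow = '' }
    }
}

# 1. Pages that httpd-xampp.conf guards with "Require local".
#    200 from a remote address means the restriction was loosened (e.g. Require all granted).
foreach ($p in '/xampp/', '/phpmyadmin/', '/security/', '/server-status') {
    $res = Probe -Method GET -Path $p
    $verdict = switch ($res.Status) {
        403     { 'restricted (good)' }
        404     { 'absent' }
        default { "EXPOSED (HTTP $($res.Status))" }
    }
    Write-Host ('{0,-16} {1}' -f $p, $verdict)
}

# 2. WebDAV share. OPTIONS on a DAV-enabled directory returns an Allow header listing
#    PROPFIND/PUT; a 401 means the share exists and only the password stands in the way.
$dav = Probe -Method OPTIONS -Path '/webdav/' -Credential $DavCredential
switch ($dav.Status) {
    404 { Write-Host '/webdav/         absent (good)' }
    401 { Write-Host '/webdav/         exists and asks for a password; rerun with -DavCredential to test the stock wampp account' }
    200 {
        if ($dav.Allow -match 'PROPFIND|PUT') {
            Write-Warning "/webdav/ accepts DAV methods ($($dav.Allow)); with these credentials files can be uploaded"
        } else {
            Write-Host "/webdav/         answers (Allow: $($dav.Allow)) but advertises no DAV methods"
        }
    }
    default { Write-Host "/webdav/         HTTP $($dav.Status)" }
}
```

Usage: `.\xampp-probe.ps1 -Target http://192.168.1.50 -DavCredential (Get-Credential wampp)`. A 200 with PROPFIND and PUT in the Allow header when using the stock account is the condition the XampPWN exploit relies on; a 401 with that account means the password was changed, and a 404 means the share was removed.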
Public proof-of-concept (PoC) code for these weaknesses is short and requires no memory corruption, only a writable file or a reachable endpoint. The sequence this page describes for the "746" exploit is as follows:
The exploit nicknamed "746" is described as targeting a sendFeedback() function of the XAMPP Control Panel: with the panel supposedly exposed remotely on port 8080, an attacker injects a command through the $email parameter and writes a PowerShell script into the Startup folder. This description cannot be matched to any published XAMPP advisory, and the Control Panel (xampp-control.exe) is a local desktop program with no network listener, so treat the claim as unverified. The documented weaknesses in a default XAMPP install remain the ones covered above: the world-writable xampp-control.ini, the WebDAV share with its stock account, and administrative pages left reachable from other hosts.