A vulnerability in the Xerte Online Tools allows for RCE through the antivirus binary path in the tools server settings, which can be changed to a PHP interpreter, allowing an attacker to upload PHP data that will then be executed.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
Xerte Online Tools contains a critical remote code execution vulnerability (CVSS 9.8) that allows attackers to execute arbitrary PHP code by manipulating the antivirus binary path setting in the tools server configuration. An attacker with access to server settings can redirect this path to a PHP interpreter, then upload PHP files that execute with server privileges. This affects any organization deploying Xerte for online learning, training, or content management—particularly educational institutions and corporate training departments. The vulnerability is especially dangerous because it requires minimal exploitation complexity and provides immediate code execution capabilities that can lead to full system compromise.
While this CVE currently lacks mapped MITRE ATT&CK techniques and no Casky skills directly detect it, practitioners using Casky's AI-driven analysis would identify attack patterns through techniques like T1190 (Exploit Public-Facing Application), T1068 (Exploitation for Privilege Escalation), and T1059 (Command and Scripting Interpreter). Extended reasoning across Casky's 754 security skills would reveal suspicious behavioral chains: configuration changes to executable paths, unexpected file uploads to web-accessible directories, and PHP interpreter invocations from non-standard locations. A practitioner reviewing findings would see anomalous server settings modifications paired with web shell upload attempts—indicators that correlate to this exploitation pattern even before formal CVE mapping occurs.
Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →
Casky has 0 skills that investigate the attack patterns behind CVE-2026-12116. Run one and get CVSS-scored findings in 3 minutes.
Run the skill that detects this →© 2026 Casky.AI, Inc. · AI Security Investigation