CVE-2015-10141
Published 2025-07-23
CVE-2015-10141: An unauthenticated OS command injection vulnerability exists within Xdebug versions 2.5.5 and earlier, a PHP debugging extension developed by Derick Rethans…
Priority: P1 (81) · critical · 9.3 (CVSS 4.0)
Exploit: EPSS 5.03% (91.2th percentile)
An unauthenticated OS command injection vulnerability exists within Xdebug versions 2.5.5 and earlier, a PHP debugging extension developed by Derick Rethans. When remote debugging is enabled, Xdebug listens on port 9000 and accepts debugger protocol commands without authentication. An attacker can send a crafted eval command over this interface to execute arbitrary PHP code, which may invoke system-level functions such as system() or passthru(). This results in full compromise of the host under the privileges of the web server user.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | xdebug | — | — |
| xdebug | xdebug | <= 2.5.5 | — |
Detection & IOCs (extracted from sources)
- Monitor for inbound TCP connections to port 9000 from external/untrusted sources, which may indicate exploitation of the unauthenticated Xdebug remote debugger interface.
- Detect HTTP requests containing the query parameter XDEBUG_SESSION_START, which is used to initiate an Xdebug remote debugging session and is the first step of exploitation.
- Detect HTTP responses setting the XDEBUG_SESSION cookie, confirming the target has Xdebug remote debugging enabled and is susceptible to exploitation.
- Alert on the presence of the X-Forwarded-For header being set to an attacker-controlled callback URL in conjunction with XDEBUG_SESSION_START requests, as this is used to redirect the debugger connection to the attacker.
- Look for debugger protocol eval commands sent over port 9000 that invoke PHP system-level functions, indicating active code execution attempts.
- Use the Metasploit module unix/http/xdebug_unauth_exec to validate exposure; its presence in logs or IDS signatures can indicate active exploitation attempts.
- Exploitation requires Xdebug remote debugging to be explicitly enabled; this is not a default configuration in production environments.
- All Red Hat offerings ship fixed or unaffected versions of Xdebug and do not enable remote debugging by default, reducing real-world risk in those environments.
- Debian distributions (bookworm, bullseye, forky, sid, trixie) remain open/unpatched for this CVE as of the tracker data; deployments on these distros should be treated as potentially vulnerable if Xdebug <= 2.5.5 is installed.
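A defender-side check for the HTTP indicators listed above, added here as an example (not code from the page's sources): it scans request records for the XDEBUG_SESSION_START parameter, the XDEBUG_SESSION response cookie, and a non-IP X-Forwarded-For value accompanying a session start. The log format, addresses and the hostname callback.example are constructed for the example.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Constructed sample log (not from the page). One request per line:
# client_ip method request_target x_forwarded_for response_set_cookie ("-" = absent)
SAMPLE_LOG = """\
10.0.0.5 GET /index.php?id=1 - -
203.0.113.7 GET /index.php?XDEBUG_SESSION_START=phpstorm - -
203.0.113.7 GET /index.php?XDEBUG_SESSION_START=phpstorm - XDEBUG_SESSION=phpstorm
198.51.100.22 GET /login.php?XDEBUG_SESSION_START=1 callback.example:9000 XDEBUG_SESSION=1
"""


def is_ip(value):
    """True if value is a plain IPv4/IPv6 address, the normal X-Forwarded-For content."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def analyze_line(line):
    """Return a list of (severity, reason) findings for one request record."""
    client, method, target, xff, set_cookie = line.split()
    findings = []
    params = parse_qs(urlsplit(target).query)
    started = "XDEBUG_SESSION_START" in params
    if started:
        findings.append(("medium", "XDEBUG_SESSION_START request from %s" % client))
    if set_cookie.startswith("XDEBUG_SESSION="):
        # The server answered with the session cookie: remote debugging is enabled.
        findings.append(("high", "XDEBUG_SESSION cookie set: remote debugging enabled"))
    if started and xff != "-" and not is_ip(xff):
        # A hostname/URL in X-Forwarded-For next to a session start is the redirect pattern.
        findings.append(("high", "non-IP X-Forwarded-For (%s) with session start" % xff))
    return findings


def scan(log_text):
    """Scan a whole log; return {line_number: findings} for lines with any finding."""
    results = {}
    for n, line in enumerate(log_text.splitlines(), start=1):
        if line.strip():
            findings = analyze_line(line)
            if findings:
                results[n] = findings
    return results


if __name__ == "__main__":
    for n, findings in scan(SAMPLE_LOG).items():
        for sev, why in findings:
            print("line %d [%s] %s" % (n, sev, why))
```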
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | — | 9.3 | CRITICAL | — |
| vendor_debian | — | 9.3 | LOW | — |
| vendor_redhat | — | 9.3 | CRITICAL | — |
GHSA
GHSA-267w-63f8-m896 · ghsa_unreviewed · 2025-07-23 · CVE-2015-10141 [CRITICAL] · CWE-78
OSV
CVE-2015-10141 · osv · 2025-07-23 · CVSS 9.3 [CRITICAL]
Red Hat
xdebug: Xdebug Remote Debugger Command Execution · vendor_redhat · 2025-07-23 · CVSS 9.3 [CRITICAL] · CWE-306
A code injection flaw was found in Xdebug. When a user enables remote debugging, Xdebug does not require authentication and will accept input from any user who can access the debug port. Enabling remote debuggi
Debian
CVE-2015-10141: xdebug · vendor_debian · 2015 · CVSS 9.3 [CRITICAL]
Scope: local
Package status: bookworm: open · bullseye: open · forky: open · sid: open · trixie: open
No detection rules found.
Nuclei
Xdebug <= 2.5.5 - Command Injection · nuclei · CVSS 9.3 [CRITICAL]
Xdebug <= 2.5.5 contains an unauthenticated command injection caused by accepting debugger protocol commands without authentication when remote debugging is enabled, letting remote attackers execute arbitrary PHP code and system commands; exploitation requires remote debugging to be enabled.
Template (info section as indexed):
```yaml
id: CVE-2015-10141

info:
  name: Xdebug <= 2.5.5 - Command Injection
  author: pwnhxl
  severity: critical
  description: |
    Xdebug <= 2.5.5 contains an unauthenticated command injection caused by accepting debugger protocol commands without authentication when remote debugging is enabled, letting remote attackers execute arbitrary PHP code and system commands, exploit requires remote debugging enabled.
  impact: |
    Attackers can execute arbitrary PHP code and system commands
```
Metasploit
xdebug Unauthenticated OS Command Execution · metasploit
The module exploits a vulnerability in the eval command present in Xdebug versions 2.5.5 and below. This allows the attacker to execute arbitrary PHP code in the context of the web user.
No writeups or analysis indexed.
References:
- http://web.archive.org/web/20231226215418/https://paper.seebug.org/397/
- https://kirtixs.com/blog/2015/11/13/xpwn-exploiting-xdebug-enabled-servers/
- https://www.exploit-db.com/exploits/44568
- https://www.fortiguard.com/encyclopedia/ips/46000
- https://www.vulncheck.com/advisories/xdebug-remote-debugger-unauth-os-command-execution
- https://xdebug.org/
Published: 2025-07-23