THREATINT
CVE-2015-10141

Xdebug Remote Debugger Unauthenticated OS Command Execution

Description

An unauthenticated OS command injection vulnerability exists in Xdebug versions 2.5.5 and earlier, the PHP debugging extension developed by Derick Rethans. When remote debugging is enabled (xdebug.remote_enable=1), Xdebug speaks the DBGp debugger protocol over TCP (default port 9000) and accepts protocol commands from its peer without any authentication. Note the connection direction: in Xdebug 2.x the PHP process opens the connection, to the host configured in xdebug.remote_host or, when xdebug.remote_connect_back=1, to the address of the HTTP client that supplied the session trigger (the XDEBUG_SESSION_START parameter or cookie). An attacker who can reach the web application can therefore make the server connect to a debugger listener under their control. Once connected, the attacker sends a crafted eval command, which executes arbitrary PHP code and may invoke system-level functions such as system() or passthru(). This results in full compromise of the host under the privileges of the web server user.
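As an added example (not part of this advisory and not Xdebug project code), the following Python helps a practitioner check exposure on both sides of the problem: it audits the Xdebug 2.x php.ini settings that open the DBGp interface, and it decodes the length-prefixed DBGp packet Xdebug sends when it connects, so a listener on port 9000 can tell whether a PHP host is connecting back. The setting names and defaults are the documented Xdebug 2.x ones; the php.ini fragment and the init packet are constructed sample input.

```python
"""Added example: audit Xdebug 2.x remote-debugging settings and decode DBGp
framing. Not part of the advisory or of Xdebug. Sample inputs are constructed."""
import xml.etree.ElementTree as ET

# Documented Xdebug 2.x defaults for the settings that decide DBGp exposure.
XDEBUG2_DEFAULTS = {
    "xdebug.remote_enable": "0",
    "xdebug.remote_host": "localhost",
    "xdebug.remote_port": "9000",
    "xdebug.remote_connect_back": "0",
    "xdebug.remote_autostart": "0",
}
_TRUE = {"1", "on", "true", "yes"}
_LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def parse_ini(text):
    """Minimal php.ini reader: 'key = value' lines, ';' comments, sections ignored.
    Returns the Xdebug defaults overlaid with whatever the file sets."""
    settings = dict(XDEBUG2_DEFAULTS)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.lower()] = value.strip("\"'")
    return settings


def audit_xdebug(settings):
    """Return findings for settings that let an outside party become the debugger."""
    findings = []
    if settings["xdebug.remote_enable"].lower() not in _TRUE:
        return findings  # no DBGp session can ever start
    findings.append("remote_enable=1: remote debugging is on")
    if settings["xdebug.remote_connect_back"].lower() in _TRUE:
        findings.append("remote_connect_back=1: Xdebug connects to whichever HTTP "
                        "client supplied the trigger, so any client can be the debugger")
    elif settings["xdebug.remote_host"] not in _LOOPBACK:
        findings.append("remote_host=%s: debugger endpoint is off-host"
                        % settings["xdebug.remote_host"])
    if settings["xdebug.remote_autostart"].lower() in _TRUE:
        findings.append("remote_autostart=1: session starts on every request")
    return findings


def parse_dbgp_packet(data):
    """Decode one DBGp packet, framed as '<length>\\0<xml>\\0', into
    (root tag, attributes) with XML namespaces stripped.
    Raises ValueError when the framing does not match the declared length."""
    length_bytes, sep, rest = data.partition(b"\0")
    if not sep or not length_bytes.isdigit():
        raise ValueError("missing or non-numeric length prefix")
    length = int(length_bytes)
    if len(rest) < length + 1 or rest[length:length + 1] != b"\0":
        raise ValueError("payload length does not match prefix")
    root = ET.fromstring(rest[:length])
    strip = lambda name: name.split("}", 1)[-1]
    return strip(root.tag), {strip(k): v for k, v in root.attrib.items()}


# Constructed sample php.ini fragment (the weak configuration).
SAMPLE_INI = """\
[xdebug]
zend_extension = xdebug.so
xdebug.remote_enable = 1
xdebug.remote_connect_back = 1   ; connect to the requester's address
xdebug.remote_port = 9000
"""

# Constructed DBGp init packet of the shape Xdebug 2.x sends on connect.
SAMPLE_INIT = (b'<init xmlns="urn:debugger_protocol_v1" '
               b'xmlns:xdebug="https://xdebug.org/dbgp/xdebug" '
               b'fileuri="file:///var/www/html/index.php" language="PHP" '
               b'protocol_version="1.0" appid="4242" idekey="PHPSTORM"/>')
SAMPLE_PACKET = str(len(SAMPLE_INIT)).encode() + b"\0" + SAMPLE_INIT + b"\0"


if __name__ == "__main__":
    for finding in audit_xdebug(parse_ini(SAMPLE_INI)):
        print("FINDING:", finding)
    tag, attrs = parse_dbgp_packet(SAMPLE_PACKET)
    print("DBGp", tag, "from", attrs.get("fileuri"), "idekey", attrs.get("idekey"))
```

The hardened counterpart of the sample is xdebug.remote_enable=0 on any reachable server, or, where debugging is genuinely needed, remote_connect_back=0 with remote_host left at localhost so that only a debugger on the same host is ever contacted. Feed real php.ini output (or `php -i` lines rewritten as key=value) to parse_ini, and feed bytes read from a socket on port 9000 to parse_dbgp_packet.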

Reserved 2025-07-22 | Published 2025-07-23 | Updated 2025-07-23 | Assigner VulnCheck

CRITICAL: 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-306 Missing Authentication for Critical Function

Product status

Default status: unaffected

Affected versions: *

Credits

Ricter Zheng (finder)

References

xdebug.org/ (product)

kirtixs.com/...11/13/xpwn-exploiting-xdebug-enabled-servers/ (technical description)

web.archive.org/...31226215418/https://paper.seebug.org/397/ (technical description)

www.exploit-db.com/exploits/44568 (exploit)

www.fortiguard.com/encyclopedia/ips/46000 (third-party advisory)

www.vulncheck.com/...te-debugger-unauth-os-command-execution (third-party advisory)

cve.org (CVE-2015-10141)

nvd.nist.gov (CVE-2015-10141)

https://cve.threatint.eu/CVE/CVE-2015-10141