QwikSec

Security Database

CVE

CWE

Training

CVE-2015-10141

Published: Jul 23, 2025

Modified: May 15, 2026

PUBLISHED

Description

An unauthenticated OS command injection vulnerability exists within Xdebug versions 2.5.5 and earlier, a PHP debugging extension developed by Derick Rethans. When remote debugging is enabled, Xdebug listens on port 9000 and accepts debugger protocol commands without authentication. An attacker can send a crafted eval command over this interface to execute arbitrary PHP code, which may invoke system-level functions such as system() or passthru(). This results in full compromise of the host under the privileges of the web server user.

Vendor	Product	Versions
Xdebug	Xdebug	affected `0 - <= 2.5.5`

Weaknesses (CWE)

References

https://xdebug.org/

product

https://kirtixs.com/blog/2015/11/13/xpwn-exploiting-xdebug-enabled-servers/

technical-description

http://web.archive.org/web/20231226215418/https://paper.seebug.org/397/

technical-description

https://www.exploit-db.com/exploits/44568

exploit

https://www.fortiguard.com/encyclopedia/ips/46000

third-party-advisory

https://www.vulncheck.com/advisories/xdebug-remote-debugger-unauth-os-command-execution

third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.