CVE-2015-6835

CRITICAL

Joomla HTTP Header Unauthenticated Remote Code Execution

Title source: metasploit
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2015-6835. PoCs published by Taoguang Chen, ockeghem, Marc-Alexandre Montpas, Christian Mehlmauer, including Metasploit module exploits/multi/http/joomla_http_header_rce.

AI-analyzed exploit summary This exploit demonstrates a use-after-free vulnerability in PHP's session deserializer (CVE-2015-6835) by crafting a serialized string that manipulates ZVAL references, leading to arbitrary memory control and potential remote code execution.

Description

The session deserializer in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 mishandles multiple php_var_unserialize calls, which allow remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via crafted session content.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Taoguang Chen · textdosphp
https://www.exploit-db.com/exploits/38123

This exploit demonstrates a use-after-free vulnerability in PHP's session deserializer (CVE-2015-6835) by crafting a serialized string that manipulates ZVAL references, leading to arbitrary memory control and potential remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: PHP 5.6 < 5.6.13, PHP 5.5 < 5.5.29, PHP 5.4 < 5.4.45
No auth needed
Prerequisites: PHP with vulnerable session deserializer · Ability to send crafted session data
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 3 stars
by ockeghem · poc
https://github.com/ockeghem/CVE-2015-6835-checker

This repository contains a functional PHP script demonstrating CVE-2015-6835, a PHP session deserialization vulnerability. The PoC exploits insecure session handling to trigger a destructive payload via crafted session data.

Classification
Working Poc 90%
Attack Type
Deserialization
Complexity
Trivial
Reliability
Reliable
Target: PHP (versions affected by CVE-2015-6835)
No auth needed
Prerequisites: PHP with vulnerable session handling enabled
devstral-2 · analyzed Feb 18, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by Marc-Alexandre Montpas, Christian Mehlmauer · rubypocphp
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/joomla_http_header_rce.rb

This Metasploit module exploits an unauthenticated remote code execution vulnerability in Joomla (CVE-2015-8562) by leveraging PHP deserialization flaws in session handling. It crafts a malicious payload in HTTP headers, which is executed when the session is read from the database.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Joomla 1.5.0 to 3.4.5 with vulnerable PHP versions
No auth needed
Prerequisites: Target must be running Joomla 1.5.0 to 3.4.5 · PHP version must be vulnerable to deserialization flaws (pre-5.4.45, pre-5.5.29, or pre-5.6.13)
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (6)

Core 6
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/76734
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1033548
Various Sources x_refsource_confirm
http://php.net/ChangeLog-5.php
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2015/dsa-3358
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201606-10
Various Sources x_refsource_confirm
https://bugs.php.net/bug.php?id=70219

Scores

CVSS v3 9.8
EPSS 0.2260
EPSS Percentile 96.0%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

Status published
Products (30)
php/php 5.6.0 alpha1 (9 CPE variants)
php/php 5.6.1
php/php 5.6.2
php/php 5.6.3
php/php 5.6.4
php/php 5.6.5
php/php 5.6.6
php/php 5.6.7
php/php 5.6.8
php/php 5.6.9
... and 20 more
Published May 16, 2016
Tracked Since Feb 18, 2026