PHP Xdebug Module Unauthenticated RCE (exploit)

Critical | Nessus Plugin ID 112210

Synopsis
The remote web server has a PHP debugging extension loaded that is affected by a remote command execution vulnerability.

Description
The PHP Xdebug module installed on the remote host is version 2.5.5 or earlier and is configured in a vulnerable manner, so it is affected by a remote command execution vulnerability. A remote, unauthenticated attacker can leverage this issue to execute arbitrary commands on the remote host.

Solution
Upgrade to Xdebug version 2.60 or later. Additionally, the following line may be removed from the Xdebug configuration:
xdebug.remote_connect_back = true
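The following Python script is an added example written for this page (it is not Nessus plugin code and not part of Xdebug) that audits a php.ini-style fragment for the configuration the Solution tells you to remove, and checks a reported Xdebug version against the affected range stated above. Both configuration samples are constructed for illustration; the Xdebug 3 directive name xdebug.discover_client_host is included on the assumption that some hosts run the renamed Xdebug 3 settings.

```python
"""Audit an Xdebug ini fragment for the unauthenticated connect-back exposure
described by Nessus plugin 112210.

Added example for this page, not Nessus or Xdebug code. The ini samples are
constructed; the Xdebug 3 name is an assumption about renamed directives.
"""
import re

# Values PHP's ini parser accepts as boolean true (case-insensitive).
_TRUE_VALUES = {"1", "on", "true", "yes"}

# Directive that makes Xdebug connect back to whatever address the HTTP
# client supplies. Xdebug 2.x name first; Xdebug 3 renamed it (assumption).
_CONNECT_BACK = ("xdebug.remote_connect_back", "xdebug.discover_client_host")

# Highest affected version named by the plugin description.
AFFECTED_MAX = (2, 5, 5)

# Constructed sample: the weak configuration this plugin flags.
WEAK_INI = """\
; constructed sample: Xdebug 2.x with connect-back enabled
zend_extension = xdebug.so
xdebug.remote_enable = 1
xdebug.remote_connect_back= true   ; honours the client's own address
xdebug.remote_port = 9000
"""

# Constructed sample: the same host with the offending line removed, as the
# Solution advises. Without it Xdebug only dials its configured remote_host.
HARDENED_INI = """\
; constructed sample: connect-back line removed
zend_extension = xdebug.so
xdebug.remote_enable = 1
xdebug.remote_host = 127.0.0.1
xdebug.remote_port = 9000
"""


def parse_ini(text):
    """Return {directive_lower: value} from ini text.

    Section headers, blank lines and ';' / '#' comment lines are skipped;
    trailing ';' comments and surrounding quotes are stripped from values.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#[" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.split(";", 1)[0].strip().strip('"').strip("'")
        settings[key.strip().lower()] = value
    return settings


def is_true(value):
    """PHP-style boolean interpretation of an ini value."""
    return value.strip().lower() in _TRUE_VALUES


def audit_xdebug(text):
    """Return [(directive, value), ...] for every enabled connect-back
    directive found in the ini text. An empty list means no exposure."""
    settings = parse_ini(text)
    return [(key, settings[key]) for key in _CONNECT_BACK
            if key in settings and is_true(settings[key])]


def version_is_affected(version):
    """True when a dotted Xdebug version string is <= 2.5.5 (the plugin's
    affected range). Missing components are treated as 0."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    parts = parts + (0,) * (3 - len(parts))
    return parts <= AFFECTED_MAX


if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(f"{label}: {audit_xdebug(ini) or 'no connect-back exposure'}")
    for v in ("2.5.5", "2.6.0"):
        print(f"version {v} affected: {version_is_affected(v)}")
```

On a live host, the effective values come from `php -i`, which lists the loaded ini files and every xdebug.* directive with its current value; feeding that output to parse_ini works because the lines have the same `name => value` shape once `=>` is replaced with `=`.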

Plugin Details

Severity: Critical

ID: 112210

File Name: xdebug_unauth_rce.nbin

Version: 1.50

Type: remote

Family: CGI abuses

Published: 8/31/2018

Updated: 3/19/2024

Supported Sensors: Nessus

Risk Information

CVSS Score Rationale: Unauthenticated system-level access.

CVSS v2.0
Risk Factor: Critical

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: manual

CVSS v3.0
Risk Factor: Critical

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: x-cpe:/a:xdebug:xdebug

Excluded KB Items: Settings/disable_cgi_scanning

Exploited by Nessus: true

Patch Publication Date: 11/13/2015

Vulnerability Publication Date: 11/13/2015