PHP Xdebug Module Unauthenticated RCE (exploit)

Critical Nessus Plugin ID 112210


The remote web server has a PHP debugging extension loaded that is affected by a remote command execution vulnerability.


The PHP Xdebug module installed on the remote host is version 2.5.5 or earlier and is configured in a vulnerable manner (remote debugging with connect-back enabled).
It is therefore affected by a remote command execution vulnerability. A remote, unauthenticated attacker can leverage this issue to execute arbitrary commands on the remote host.


Upgrade to Xdebug version 2.60 or later. Additionally, the following line should be removed from the Xdebug configuration so that the debugger no longer connects back to arbitrary clients:
xdebug.remote_connect_back = true

Plugin Details

Severity: Critical

ID: 112210

File Name: xdebug_unauth_rce.nbin

Version: 1.8

Type: remote

Family: CGI abuses

Published: 2018/08/31

Updated: 2019/03/18

Dependencies: 10662

Risk Information

Risk Factor: Critical

CVSS Score Source: manual

CVSS Score Rationale: Unauthenticated system-level access.

CVSS v2.0

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS v3.0

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: x-cpe:/a:xdebug:xdebug

Exploited by Nessus: true

Patch Publication Date: 2015/11/13

Vulnerability Publication Date: 2015/11/13