CVE-2015-10141: 
Linux Debian vulnerability analysis and mitigation

An unauthenticated OS command injection vulnerability exists within Xdebug versions 2.5.5 and earlier, a PHP debugging extension developed by Derick Rethans. When remote debugging is enabled, Xdebug listens on port 9000 and accepts debugger protocol commands without authentication. The vulnerability was disclosed in September 2017 (Seebug Paper, Kirtixs Blog).

The vulnerability occurs when xdebug.remoteconnectback is enabled, which allows any remote host to connect to the debug interface. An attacker can send a crafted eval command over this interface to execute arbitrary PHP code, which may invoke system-level functions such as system() or passthru(). The vulnerability has been assigned a CVSS v4.0 score of 9.3 CRITICAL with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (VulnCheck).

This vulnerability results in full compromise of the host under the privileges of the web server user. Attackers can execute arbitrary code, potentially leading to system compromise, data theft, and installation of backdoors (Fortiguard, Exploit DB).

To mitigate this vulnerability, administrators should either completely remove Xdebug from publicly reachable servers or update the xdebug configuration with the following settings: xdebug.remoteenable=false and xdebug.remoteconnect_back=false. For production environments, it is recommended not to enable remote debugging (Kirtixs Blog).