This vulnerability typically manifests in production environments when development tools are incorrectly exposed to the internet. Common causes include:
CVE-2017-9841 Detail - NVD
Understanding CVE-2017-9841: The Critical Vendor/PHPUnit eval-stdin.php Vulnerability (2026 Update)
rm vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
The , targeted by a joint FBI and CISA advisory, has integrated the exploitation of CVE-2017-9841 into its arsenal. This Python-based malware focuses on credential exfiltration, particularly from .env files that store sensitive credentials for cloud services such as AWS, Office 365, and Twilio. The malware also builds botnets from exploited systems for reconnaissance and further attacks. It exploits both CVE-2017-9841 (PHPUnit) and other critical vulnerabilities such as CVE-2021-41773 (Apache HTTP Server).
An attacker simply sends a POST request to:
The script lacked identity checks, login gates, or access rules. Anyone who could reach the file could run code through it.
<?php
$input = file_get_contents('php://stdin');
// Execute any PHP code passed in the request body
if (strpos($input, '<?php') === 0) eval(substr($input, 5));
The critical oversight: No authentication, no IP whitelisting, no php_sapi_name() check to ensure it runs via CLI. When exposed to a web server, it transforms into an unrestricted RCE gadget.
If this script is accidentally exposed to the web (e.g., placed in a publicly accessible vendor/ directory), an attacker can send arbitrary PHP code via POST data or request body. The script will execute that code with the privileges of the web server.
<?php
eval('?>' . file_get_contents('php://stdin'));
Exploiting a server vulnerable to requires no specialized hacking toolsets. Attackers systematically sweep public IP ranges using basic automated HTTP clients. An execution request typically looks like this:
Threat actors use automated scanners to locate exposed server roots. They issue targeted HTTP requests directly to common installation subdirectories to confirm whether the PHPUnit testing package is publicly accessible.
Sample Attack Payload
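The scanning behaviour described above leaves a recognisable trail in web server access logs: requests for eval-stdin.php under various install prefixes, and, on an exposed host, a 200 response to a POST. The following is an added example (not code from the original page or from PHPUnit) that parses combined-format access log lines, flags every request for the script, separates the ones the server actually answered 200, and counts probes per source IP; the log lines, the regex and the function names are constructed for this illustration.

```python
import re
from collections import Counter

# Path of the PHPUnit script named on this page; scanners probe it under
# several install prefixes (vendor/, lib/, ...), so only the suffix is matched.
EVAL_STDIN_SUFFIX = "phpunit/src/Util/PHP/eval-stdin.php"

# Apache/nginx combined-format access log line (assumed format for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    """Parse one access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry

def is_eval_stdin_probe(entry):
    """True when the request path targets eval-stdin.php under any prefix.
    The query string is stripped before comparing the path suffix."""
    path = entry["path"].split("?", 1)[0]
    return path.lower().endswith(EVAL_STDIN_SUFFIX.lower())

def scan_log(lines):
    """Return (probes, exposed): all requests for eval-stdin.php, and the
    subset the server answered 200, which means the file was reachable."""
    probes = [e for e in map(parse_line, lines) if e and is_eval_stdin_probe(e)]
    exposed = [e for e in probes if e["status"] == 200]
    return probes, exposed

def scanners_by_ip(probes):
    """Count probes per source IP so sweeps stand out in a summary."""
    return Counter(e["ip"] for e in probes)

# Constructed sample log lines (not real traffic). The POST answered 200 is
# the entry that indicates the script is both present and executable.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2024:08:00:01 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196',
    '203.0.113.5 - - [10/Mar/2024:08:00:02 +0000] "GET /lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196',
    '198.51.100.9 - - [10/Mar/2024:08:01:10 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 42',
    '192.0.2.7 - - [10/Mar/2024:08:02:00 +0000] "GET /index.php HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    probes, exposed = scan_log(SAMPLE_LOG)
    print(f"{len(probes)} probe(s) for eval-stdin.php, {len(exposed)} answered 200")
    for ip, count in scanners_by_ip(probes).items():
        print(f"  {ip}: {count} request(s)")
```

A 404 on these paths is scanner noise worth counting; a 200, especially on a POST, means the file is reachable and the removal step shown earlier on this page has not been applied.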
This function executes any string passed to it as PHP code.
The eval-stdin.php script in PHPUnit contains the following code: