Threats / PHPUnit / CVE-2017-9841
CVE-2017-9841
· EUVD no mirror located
· GCVE no mirror located
Verified 2026-06-16
PHPUnit vulnerability
PHPUnit versions allow remote code execution through the eval-stdin.php utility when the vendor directory is publicly accessible, enabling attackers to execute arbitrary PHP code via crafted POST requests.
Verdict
Today item — known-exploited.
An exposed PHPUnit vendor directory permits unauthenticated remote attackers to execute arbitrary PHP code on the server. This is a critical vulnerability affecting any deployment with publicly accessible vendor files, particularly in development or misconfigured production environments.
01
Is it exploitable?
— the evidence, ranked above the scoreExploit available
Fully weaponized — public exploit code is cataloged for this vulnerability.We link the existence of the exploit; we do not host or redistribute payloads.
Reported exploitation
1252 independent public reports of in-the-wild exploitation are cataloged.Distinct reporting sources (vendor, incident response, government); open them for the underlying claims.
Exploited in the wild
Listed in the CISA Known Exploited Vulnerabilities catalog (added 2022-02-15).
Probability (EPSS)
EPSS 0.99999 — modeled likelihood of exploitation activity.EPSS is a daily-changing model output — open the source for today's value.
Severity / affected
Affected: PHPUnit, PHPUnit. Confirm exact fixed builds in the vendor advisory.
Weakness (CWE)
Mapped to CWE-94 Code Injection — weakness family: Injection.CWE assignment from the public NVD record; the weakness class drives how the flaw is exploited.
02
Who’s exploiting it?
— attribution turns risk into urgencyAttribution not established
No threat-actor attribution is established from the public feed for this record. Absence of a named actor is not absence of compromise — see Coverage & confidence.
03
Why it matters
— the attack path, told twice: adversary, then board1
Front door — unauthenticated access narrative 1
Attacker
I discover the target has a publicly accessible vendor directory through directory enumeration or common path scanning.
Business
Reconnaissance reveals the organization has failed to restrict access to development dependencies, indicating weak deployment security practices.
2
Keys to the kingdom — privilege/identity takeover narrative 2
Attacker
I craft an HTTP POST request to eval-stdin.php containing PHP code prefixed with '?php ' to bypass input validation.
Business
The application processes untrusted input without proper sandboxing, allowing code injection at the interpreter level.
3
Lateral reach — past segmentation narrative 3
Attacker
I execute arbitrary PHP commands with the privileges of the web server process, gaining full application and system access.
Business
Complete compromise of the application server, data stores, and potential lateral movement to internal infrastructure.
04
What to do
— defensible action- Remediate per the vendor advisory — confirm the fixed build for your version and verify exposure.1
Say it to the boardA vulnerability with this evidence profile is a defensible budget line, not a backlog ticket — fund the change against the proof above.
05
Coverage & confidence
— what we know, and what we don’tEstablished (cited)
Coverage gaps — stated, not hidden
Disclosure & credit2
Catalogued by mitreCNA
Credited with finding itNo finder named in the public CVE record — the work behind this find is unattributed.