The vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php exploit is not a "zero-day" or a complex vulnerability; it is a flaw caused by deploying development tools to production.
CVE-2017-9841 is a vulnerability tucked away in the PHPUnit testing framework. This story isn't just about a bug; it's about how a tiny utility script designed for testing became one of the most exploited backdoors on the internet.

The Unintended Backdoor
NIST NVD (CVSS v2): Base Score 7.5 HIGH. Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
with rules to block eval-stdin.php and php://input abuse. Example ModSecurity rule:
Maya traced the infection path. The attacker uploaded a web shell, then moved laterally through an old NFS mount. They didn't touch production—yet. But they had credentials. Database dumps. API keys for the sandbox environment.
This code takes whatever data is sent in the body of an HTTP POST request and executes it directly as PHP.

Key Technical Details
CVE: CVE-2017-9841 (primary), related to component usage.
Affected component: <phpunit>/src/Util/PHP/eval-stdin.php
Severity: Critical (CVSS 9.8)
Affected versions: PHPUnit before 4.8.28 and 5.x before 5.6.3.
Attackers scan the internet (or specific targets) looking for the specific path of this file. Once found, they send a POST request containing the payload.