Cyber Resilience

CVE-2017-9841

Tags: Critical · CISA KEV · Active Exploitation · EUVD Exploited · RCE

Published: 27 June 2017
Modified: 21 April 2026
KEV Added: 15 February 2022
Patch: available (fixed in PHPUnit 4.8.28 and 5.6.3)
CVSS v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.9421 (99.9th percentile)
Risk Priority: 96 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2017-9841 is a critical-severity code injection (CWE-94) vulnerability in PHPUnit (vendor: phpunit project). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood (EPSS 0.9421), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST SP 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2017-9841 is a remote code execution vulnerability in the Util/PHP/eval-stdin.php helper script of PHPUnit before 4.8.28 and 5.x before 5.6.3. The script is meant to be invoked from the command line by PHPUnit itself, never served by a web server. In affected versions it reads the raw HTTP request body and hands it straight to PHP's eval(), which is CWE-94 code injection. The evaluated string is entered in HTML (passthrough) mode, so a body that begins with "<?php " switches the interpreter back into PHP mode and the remainder of the body executes. The bug is only reachable when the PHPUnit package is deployed under a web-accessible path, typically the exposed /vendor directory of a Composer-managed application that was installed with its development dependencies.

A remote attacker needs no authentication and no user interaction: a single crafted POST to the eval-stdin.php URI yields arbitrary PHP execution with the privileges of the web server or PHP-FPM process. The CVSS 3.1 base score of 9.8 reflects the network attack vector, low complexity, and full impact on confidentiality, integrity, and availability.

The referenced GitHub commit and pull request, together with the archived PHPUnit advisory, indicate that the issue is resolved by upgrading to 4.8.28 or 5.6.3, where the script no longer evaluates the HTTP request body. Upgrading fixes the script but does not stop /vendor from being served; keeping the vendor tree outside the document root, or denying web access to it, is a separate control and is the one that also protects against other test-only helpers landing in production.
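Because exploitation is a single POST to a fixed, well-known URI, the attack is easy to spot in web server access logs after the fact. The following detection logic is an added example (not code from this page's vendor, from PHPUnit, or from any referenced advisory): it normalises each request path (query string dropped, repeated percent-decoding, case-folding) and flags any request whose path ends in Util/PHP/eval-stdin.php, at whatever depth the vendor tree sits. The log lines are constructed for the example, using RFC 5737 documentation addresses, and the verdict labels (likely_success, attempt, probe) are this example's own naming.

```python
"""Detect CVE-2017-9841 exploitation attempts in web server access logs.

Added example, not code from PHPUnit or from the page's vendor. It matches any
request whose path resolves to .../Util/PHP/eval-stdin.php, the URI named in
the advisory, after percent-decoding and case-folding so that trivial encoding
tricks do not evade the match.
"""
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample lines in Apache/Nginx "combined" format. The addresses are
# RFC 5737 documentation ranges; none of these lines come from a real server.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [12/Mar/2024:09:14:02 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 41 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2024:09:14:03 +0000] "POST /app/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.23 - - [12/Mar/2024:09:15:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:09:16:44 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval%2Dstdin.php HTTP/1.1" 200 41 "-" "curl/8.4.0"
203.0.113.7 - - [12/Mar/2024:09:17:01 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 0 "-" "curl/8.4.0"
192.0.2.55 - - [12/Mar/2024:09:18:30 +0000] "POST /wp-content/plugins/example/vendor/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 403 0 "-" "Go-http-client/1.1"
"""

# Combined log format: host ident user [time] "method path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

TARGET_SUFFIX = "/util/php/eval-stdin.php"


def normalize_path(raw_path: str) -> str:
    """Drop the query string, percent-decode until stable (double encoding is a
    common evasion), collapse duplicate slashes and fold case."""
    path = raw_path.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return re.sub(r"/+", "/", path).lower()


def is_eval_stdin_request(raw_path: str) -> bool:
    """True when the request targets PHPUnit's eval-stdin.php at any depth
    (root /vendor, an application subdirectory, a plugin's own vendor tree)."""
    return normalize_path(raw_path).endswith(TARGET_SUFFIX)


def classify(method: str, status: int) -> str:
    """POST is the exploitation vector (the body is the PHP code). A 2xx reply
    to a POST means the script ran, so treat the host as compromised until
    proven otherwise. Any other method only confirms the file is present."""
    if method == "POST":
        return "likely_success" if 200 <= status < 300 else "attempt"
    return "probe"


def scan_access_log(text: str) -> List[Dict[str, object]]:
    """Return one finding per request aimed at eval-stdin.php."""
    findings: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_eval_stdin_request(m.group("path")):
            continue
        status = int(m.group("status"))
        findings.append({
            "ip": m.group("ip"),
            "time": m.group("ts"),
            "method": m.group("method"),
            "path": m.group("path"),
            "status": status,
            "verdict": classify(m.group("method"), status),
        })
    return findings


def summarize_by_source(findings: List[Dict[str, object]]) -> Dict[str, Dict[str, int]]:
    """Per-source counts by verdict, the shape an analyst triages from."""
    summary: Dict[str, Dict[str, int]] = {}
    for f in findings:
        per_ip = summary.setdefault(str(f["ip"]), {})
        verdict = str(f["verdict"])
        per_ip[verdict] = per_ip.get(verdict, 0) + 1
    return summary


if __name__ == "__main__":
    hits = scan_access_log(SAMPLE_ACCESS_LOG)
    for f in hits:
        print(f"{f['verdict']:15} {f['ip']:14} {f['method']:4} {f['status']} {f['path']}")
    print(summarize_by_source(hits))
```

A 2xx on a POST is the line that matters: a 404 or 403 shows the scanner was looking, but a 200 (often with a small response body) shows the script answered and the payload ran. The GET with a zero-byte 200 is the classic existence probe; an empty body evaluates to nothing, so the server returns 200 with no output only when the file is there.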

Vulnerability details

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI.

CWE(s): CWE-94 (Improper Control of Generation of Code, "Code Injection")

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

phpunit project / phpunit: 4.8.27 and earlier; 5.0.0 through 5.6.2 (fixed in 4.8.28 and 5.6.3)
oracle / communications diameter signaling router: 8.0.0 through 8.5.0

Mitigating Controls (NIST SP 800-53 r5)

prevent · SI-2 (Flaw Remediation): requires timely installation of the vendor-supplied fix (PHPUnit 4.8.28 / 5.6.3), which closes the eval-stdin.php code path.

prevent · CM-7 (Least Functionality): mandates disabling or removing unnecessary software components. eval-stdin.php is a test-only helper that has no place in a production web root; where PHPUnit is a require-dev dependency, deploying with composer install --no-dev keeps it off the server entirely, and any copy already present under the document root should be removed rather than merely patched.

prevent · access enforcement on web-server paths: deny requests to /vendor, or keep the vendor tree outside the document root, so that even an unpatched copy of eval-stdin.php cannot be reached via the /vendor/phpunit/.../eval-stdin.php URI.
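The two named controls reduce to two questions a defender can answer from the filesystem: is the installed phpunit/phpunit at or past the fixed release (SI-2), and does any copy of Util/PHP/eval-stdin.php sit under a web-served directory at all (CM-7)? The audit below is an added example, not tooling from PHPUnit or from this page's vendor. It reads Composer's vendor/composer/installed.json (both the Composer 1 list layout and the Composer 2 object layout), applies the affected ranges from the advisory, and walks the document root for the script itself. The document root it audits is a constructed fixture built in a temporary directory; the report keys needs_patch and needs_removal are this example's own naming.

```python
"""Audit a PHP document root for CVE-2017-9841 exposure.

Added example; not tooling from PHPUnit or from the page's vendor. SI-2 check:
is phpunit/phpunit at or past the fixed release (4.8.28, or 5.6.3 for 5.x)?
CM-7 check: is any Util/PHP/eval-stdin.php reachable below the web root?
The document root audited here is a constructed fixture in a temp directory.
"""
import json
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

FIXED_4X = (4, 8, 28)   # first fixed release in the 4.x line
FIXED_5X = (5, 6, 3)    # first fixed release in the 5.x line


def parse_version(version: str) -> Tuple[int, ...]:
    """'v4.8.27' or '4.8.27.0' (Composer's version_normalized) -> numeric tuple.
    A pre-release suffix such as '-RC1' is dropped, i.e. treated as the final release."""
    core = version.lstrip("vV").split("-", 1)[0]
    return tuple(int(p) for p in core.split(".") if p.isdigit())


def is_vulnerable_version(version: str) -> bool:
    """Affected ranges from the advisory: < 4.8.28, and 5.0.0 <= v < 5.6.3.
    4.8.28+ within 4.x and everything >= 5.6.3 (including 6.x) is fixed."""
    v = parse_version(version)
    return v < FIXED_4X or (5, 0, 0) <= v < FIXED_5X


def installed_phpunit_versions(vendor_dir: Path) -> List[str]:
    """Read vendor/composer/installed.json. Composer 1 writes a bare list of
    packages; Composer 2 writes an object whose 'packages' key holds that list."""
    path = vendor_dir / "composer" / "installed.json"
    if not path.is_file():
        return []
    data = json.loads(path.read_text())
    packages = data.get("packages", []) if isinstance(data, dict) else data
    return [pkg.get("version_normalized") or pkg.get("version", "")
            for pkg in packages if pkg.get("name") == "phpunit/phpunit"]


def find_eval_stdin(docroot: Path) -> List[str]:
    """Every Util/PHP/eval-stdin.php below the document root, reported as the
    URI a client would request, however deep the vendor tree is nested."""
    hits = []
    for p in docroot.rglob("eval-stdin.php"):
        if p.parent.name == "PHP" and p.parent.parent.name == "Util":
            hits.append("/" + p.relative_to(docroot).as_posix())
    return sorted(hits)


def vendor_dir_for(script: Path) -> Optional[Path]:
    """Nearest ancestor of the script that carries composer/installed.json."""
    for ancestor in script.parents:
        if (ancestor / "composer" / "installed.json").is_file():
            return ancestor
    return None


def audit_docroot(docroot: Path) -> Dict[str, object]:
    """needs_patch: a vulnerable PHPUnit is installed (SI-2).
    needs_removal: any eval-stdin.php is web-reachable at all (CM-7); even a
    patched copy is a test-only helper that should not be served."""
    findings = []
    for uri in find_eval_stdin(docroot):
        vendor = vendor_dir_for(docroot / uri.lstrip("/"))
        versions = installed_phpunit_versions(vendor) if vendor else []
        findings.append({
            "uri": uri,
            "versions": versions,
            "version_known": bool(versions),
            "vulnerable": any(is_vulnerable_version(v) for v in versions),
        })
    return {
        "findings": findings,
        "needs_patch": any(f["vulnerable"] for f in findings),
        "needs_removal": bool(findings),
    }


def build_sample_docroot(base: Path) -> Path:
    """Constructed fixture, not a real site: the app's own exposed vendor tree on
    PHPUnit 4.8.27 (Composer 1 layout) plus a bundled plugin that ships an
    already-fixed 5.6.3 (Composer 2 layout)."""
    def install(vendor: Path, version: str, composer2: bool) -> None:
        script_dir = vendor / "phpunit" / "phpunit" / "src" / "Util" / "PHP"
        script_dir.mkdir(parents=True)
        (script_dir / "eval-stdin.php").write_text("<?php\n")  # placeholder body
        (vendor / "composer").mkdir()
        pkg = {"name": "phpunit/phpunit", "version": version,
               "version_normalized": version + ".0"}
        payload = {"packages": [pkg], "dev": True} if composer2 else [pkg]
        (vendor / "composer" / "installed.json").write_text(json.dumps(payload))

    docroot = base / "htdocs"
    install(docroot / "vendor", "4.8.27", composer2=False)
    install(docroot / "plugins" / "example" / "vendor", "5.6.3", composer2=True)
    return docroot


def run_sample_audit() -> Dict[str, object]:
    """Build the fixture in a temp directory, audit it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_docroot(build_sample_docroot(Path(tmp)))


if __name__ == "__main__":
    print(json.dumps(run_sample_audit(), indent=2))
```

Point the audit at a real document root with audit_docroot(Path("/var/www/html")). needs_removal is deliberately true whenever the script is found, whatever the version: the fixed releases make the script harmless to serve, but a test runner's helper under the web root is exactly the unnecessary component CM-7 says to remove, and the version check only tells you whether SI-2 is also outstanding.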
