vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php exploit (Jun 2026)

"Who keeps PHPUnit in production?" she muttered.

Although it was discovered in 2017, this exploit is still frequently used in modern attacks, often linked to malware that actively targets vulnerable cloud applications.

192.168.1.100 - - [12/May/2025:10:23:45 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 1234

When developers deploy applications with tools like Composer, a vendor directory is created. If that vendor folder is accidentally exposed under the public web root (public_html or www), anyone can send an HTTP POST request to this file. A typical exploit payload looks like this:

planted by attackers.

Not entirely true. If your web root is set to the project root (and not specifically /public), and URL rewriting is misconfigured, direct access to .php files inside vendor/ may still be possible.

A single command is useful, but persistence is key. An attacker would deliver a second-stage payload that writes a permanent webshell:

Several factors contribute to its persistence:

Look for encoded or plaintext calls to PHP functions such as system, exec, passthru, shell_exec, file_put_contents, base64_decode, or eval.
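As an added example (not code from the original page), the following Python script applies the two checks above to defender-side data: it scores access-log lines that reach eval-stdin.php, matching on the fixed package-relative suffix so any deployment prefix is covered, and it looks for the listed functions in a request body both as plaintext and after a whole-body base64 decode. The combined log format, the severity labels and the sample lines are assumptions made for this example.

```python
import base64
import re

# Apache/nginx common log format; the constructed sample lines below use it.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')
# The helper sits at a fixed location inside the phpunit package, so match the
# suffix and ignore whichever directory prefix it was deployed under.
EVAL_STDIN_SUFFIX = "/phpunit/src/util/php/eval-stdin.php"
# Functions the text above lists as indicators in a request body.
DANGEROUS_FUNCS = ("system", "exec", "passthru", "shell_exec",
                   "file_put_contents", "base64_decode", "eval")

def classify_line(line):
    """Return (host, severity) if the line targets eval-stdin.php, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0].lower()
    if not path.endswith(EVAL_STDIN_SUFFIX):
        return None
    status = int(m.group("status"))
    if m.group("method") == "POST" and 200 <= status < 300:
        return m.group("host"), "critical"  # file exists and accepted input
    if status < 400:
        return m.group("host"), "high"      # reachable, execution unconfirmed
    return m.group("host"), "low"           # probed, but blocked or absent

def dangerous_functions(body):
    """Listed functions called in the body, checked raw and after base64."""
    candidates = [body]
    try:  # a whole-body base64 blob is the encoding the text warns about
        decoded = base64.b64decode(body, validate=True)
        candidates.append(decoded.decode("utf-8", "ignore"))
    except ValueError:  # binascii.Error is a ValueError subclass
        pass
    found = set()
    for text in candidates:
        for fn in DANGEROUS_FUNCS:
            if re.search(r"\b%s\s*\(" % fn, text):
                found.add(fn)
    return sorted(found)

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '192.168.1.100 - - [12/May/2025:10:23:45 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 1234',
    '10.0.0.7 - - [12/May/2025:10:24:01 +0000] "GET /index.php HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/May/2025:10:25:13 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php?x=1 HTTP/1.1" 403 199',
]
```

A "critical" hit is the case to triage first: the file exists, it accepted a POST, and the server answered 2xx, so the request body (if logged) should be run through dangerous_functions.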

An attacker with RCE capabilities can:

Not by default. Many .htaccess or nginx configurations do not explicitly block access to the vendor/ folder, assuming it contains only PHP classes. This is a fatal assumption.

Common vulnerable path variants include: