CVE-2020-11108: Pi-Hole heisenbergCompensator Blocklist OS Command Execution

Exploitation Summary

EIP tracks 6 public exploits for CVE-2020-11108. PoCs published by Photubias, Metasploit, Nick Frichette, including Metasploit module exploits/unix/http/pihole_blocklist_exec.

AI-analyzed exploit summary This exploit targets CVE-2020-11108, a vulnerability in Pi-hole <=4.4.0 + Web <=4.3.3, allowing authenticated remote code execution via command injection in the blocklist settings. It creates a backdoor PHP file and triggers execution via a crafted request.

Description

The Gravity updater in Pi-hole through 4.4 allows an authenticated adversary to upload arbitrary files. This can be abused for Remote Code Execution by writing to a PHP file in the web directory. (Also, it can be used in conjunction with the sudo rule for the www-data user to escalate privileges to root.) The code error is in gravity_DownloadBlocklistFromUrl in gravity.sh.

Exploits (6)

exploitdb WORKING POC VERIFIED

by Photubias · pythonwebappslinux

https://www.exploit-db.com/exploits/48519

View Code ZIP pw:eip

This exploit targets CVE-2020-11108, a vulnerability in Pi-hole <=4.4.0 + Web <=4.3.3, allowing authenticated remote code execution via command injection in the blocklist settings. It creates a backdoor PHP file and triggers execution via a crafted request.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Pi-hole <=4.4.0 + Web <=4.3.3

Auth required

Prerequisites: Authenticated access to Pi-hole admin interface · Network connectivity to the target · Listener set up on attacker's machine

MITRE ATT&CK

T1189 - Drive-by Compromise T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotephp

https://www.exploit-db.com/exploits/48491

View Code ZIP pw:eip

This Metasploit module exploits CVE-2020-11108 in Pi-Hole <= 4.4 by adding a malicious blocklist, forcing a gravity update to write a PHP backdoor, and escalating privileges via teleporter.php. It achieves remote code execution with root privileges.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Pi-Hole <= 4.4

Auth required

Prerequisites: Network access to Pi-Hole admin interface · Valid credentials if authentication is enabled · Web server port 80 accessible

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC

by Nick Frichette · pythonwebappslinux

https://www.exploit-db.com/exploits/48443

View Code ZIP pw:eip

This exploit targets Pi-hole <= 4.4 by leveraging an authenticated RCE vulnerability. It uses a multi-stage payload to upload and execute a reverse shell via PHP code injection in the blocklist settings.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Pi-hole <= 4.4

Auth required

Prerequisites: Authenticated session cookie · Target URL · Attacker-controlled IP and port for reverse shell · Root privileges to bind to port 80

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC

by Nick Frichette · pythonwebappslinux

https://www.exploit-db.com/exploits/48442

View Code ZIP pw:eip

This exploit targets Pi-hole <= 4.4 by leveraging an authenticated RCE vulnerability (CVE-2020-11108) via a malicious blocklist URL to upload and execute a PHP payload, resulting in a reverse shell.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Pi-hole <= 4.4

Auth required

Prerequisites: Authenticated session cookie · Target URL · Attacker-controlled IP and port · Root privileges for port 80 binding

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 27 stars

by Frichetten · poc

https://github.com/Frichetten/CVE-2020-11108-PoC

View Code ZIP pw:eip

This repository contains two Python scripts demonstrating remote code execution (RCE) in Pi-hole <= 4.4 via CVE-2020-11108. The first script achieves a reverse shell as www-data, while the second escalates privileges to root by overwriting teleporter.php.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Pi-hole <= 4.4

Auth required

Prerequisites: Authenticated session cookie · Target URL · Attacker-controlled IP and port for reverse shell · Root privileges on attacker machine for port 80 binding

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

by h00die, Nick Frichette · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/http/pihole_blocklist_exec.rb

View Code ZIP pw:eip

This Metasploit module exploits CVE-2020-11108 in Pi-Hole <= 4.4 by adding a malicious blocklist, forcing a gravity update to write PHP payloads to the webroot, and achieving root privilege escalation via teleporter.php.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Pi-Hole <= 4.4

Auth required

Prerequisites: Network access to Pi-Hole admin interface · Valid credentials if authentication is enabled

MITRE ATT&CK