CVE-2020-13942

Exploitation Summary

CVE-2020-13942 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 9 public exploits from researchers including eugenebmx, shifa123, lp008. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository provides proof-of-concept exploits for CVE-2020-13942, targeting Apache Unomi via MVEL and OGNL injection to achieve remote code execution. The PoC includes HTTP requests and curl commands to trigger the vulnerability.

Description

It is possible to inject malicious OGNL or MVEL scripts into the /context.json public endpoint. This was partially fixed in 1.5.1 but a new attack vector was found. In Apache Unomi version 1.5.2 scripts are now completely filtered from the input. It is highly recommended to upgrade to the latest available version of the 1.5.x release to fix this problem.

Exploits (9)

nomisec WORKING POC 28 stars

by eugenebmx · poc

https://github.com/eugenebmx/CVE-2020-13942

View Code ZIP pw:eip

This repository provides proof-of-concept exploits for CVE-2020-13942, targeting Apache Unomi via MVEL and OGNL injection to achieve remote code execution. The PoC includes HTTP requests and curl commands to trigger the vulnerability.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Apache Unomi (versions prior to the fix)

No auth needed

Prerequisites: Access to the Unomi server's context.json endpoint

MITRE ATT&CK

T1210 - Exploitation of Remote Services T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec STUB 9 stars

by shifa123 · remote

https://github.com/shifa123/CVE-2020-13942-POC-

View Code ZIP pw:eip

The repository contains only a README with high-level steps for testing CVE-2020-13942 but lacks actual exploit code or automation scripts. It appears to be a placeholder or incomplete PoC.

Classification

Stub 30%

Attack Type

Other

Complexity

Theoretical

Reliability

Theoretical

Target: Apache Unomi (versions before 1.5.2)

No auth needed

Prerequisites: list of target subdomains in targets.txt

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 6 stars

by lp008 · poc

https://github.com/lp008/CVE-2020-13942

View Code ZIP pw:eip

This repository contains a proof-of-concept exploit for CVE-2020-13942, a pre-authentication remote code execution vulnerability in Apache Unomi. The exploit leverages a malicious JSON payload sent to the `/context.json` endpoint to execute arbitrary commands via JavaScript runtime injection.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Apache Unomi (versions before 1.5.1)

No auth needed

Prerequisites: Network access to the target Apache Unomi instance · Target must be running a vulnerable version of Apache Unomi

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 4 stars

by yaunsky · remote

https://github.com/yaunsky/Unomi-CVE-2020-13942

View Code ZIP pw:eip

This repository contains a Python-based exploit for CVE-2020-13942, targeting Apache Unomi's arbitrary code execution vulnerability via crafted MVEL/ONGL expressions. The PoC supports both direct command execution and reverse shell functionality.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Apache Unomi < 1.5.2

No auth needed

Prerequisites: Network access to the target Unomi instance · Python 3 environment

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 3 stars

by blackmarketer · remote

https://github.com/blackmarketer/CVE-2020-13942

View Code ZIP pw:eip

This script exploits CVE-2020-13942, an Apache Unomi RCE vulnerability, by sending a malicious JSON payload via a POST request to execute arbitrary commands (e.g., 'id'). It checks for vulnerability by verifying the presence of the 'boom' string in the response.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Apache Unomi (versions before 1.5.2)

No auth needed

Prerequisites: List of target hosts in a text file · Network access to the target

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC

by corsisechero · remote

https://github.com/corsisechero/CVE-2020-13942byVulHub

View Code ZIP pw:eip

This repository provides a working proof-of-concept exploit for CVE-2020-13942, an Expression Language Injection vulnerability in Apache Unomi 1.5.1. The exploit leverages MVEL expression injection to achieve remote code execution (RCE) via a crafted POST request.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Apache Unomi 1.5.1

No auth needed

Prerequisites: Docker environment for testing · Network access to the target Apache Unomi instance

MITRE ATT&CK

T1210 - Exploitation of Remote Services T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC

by Prodrious · poc

https://github.com/Prodrious/CVE-2020-13942

View Code ZIP pw:eip

This script exploits CVE-2020-13942, an Apache Unomi RCE vulnerability, by sending a malicious JSON payload via a POST request to execute arbitrary commands (e.g., 'id'). It checks for vulnerability by grepping for a specific response pattern.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Apache Unomi (versions before 1.5.2)

No auth needed

Prerequisites: Target host list in a text file · Network access to the target

MITRE ATT&CK

T1189 - Drive-by Compromise T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC

by dev-team-12x · poc

https://github.com/dev-team-12x/apche_unomi_rce

View Code ZIP pw:eip

This repository contains a working proof-of-concept exploit for CVE-2020-13942, targeting Apache Unomi. It includes two RCE vectors (MVEL and OGNL injection) and a Perl script to automate exploitation.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Apache Unomi (versions prior to fix)

No auth needed

Prerequisites: Network access to the target Apache Unomi server

MITRE ATT&CK

T1210 - Exploitation of Remote Services T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

vulncheck_xdb WORKING POC

remote

https://github.com/1135/unomi_exploit

View Code ZIP pw:eip

This repository provides functional exploit code for CVE-2020-13942, demonstrating OGNL and MVEL injection in Apache Unomi. The PoCs include HTTP requests that execute arbitrary commands via Runtime.exec(), with variations for Unicode encoding to bypass filters.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Apache Unomi <= 1.5.1

No auth needed

Prerequisites: Network access to the target server · Apache Unomi instance running on port 8181

MITRE ATT&CK