CVE-2020-35847

CRITICAL NUCLEI

Cockpit CMS NoSQLi to RCE

Title source: metasploit

Exploitation Summary

EIP tracks 3 public exploits for CVE-2020-35847. PoCs published by w33vils, h00die, Nikita Petrov, including Metasploit module exploits/multi/http/cockpit_cms_rce. A Nuclei detection template is also available.

Description

Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php resetpassword function.

Exploits (3)

nomisec WORKING POC
by w33vils · poc
https://github.com/w33vils/CVE-2020-35847_CVE-2020-35848

This repository contains a functional Python exploit for CVE-2020-35847 and CVE-2020-35848, targeting Cockpit CMS versions before 0.11.2. The exploit demonstrates NoSQL injection to enumerate users, extract password reset tokens, and reset passwords, leveraging the `/auth/resetpassword` and `/auth/newpassword` endpoints.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Cockpit CMS < 0.11.2
No auth needed
Prerequisites: Network access to the target Cockpit CMS instance · NoSQL injection vulnerability in the `/auth/resetpassword` and `/auth/newpassword` endpoints
devstral-2 · analyzed Feb 18, 2026

exploitdb WORKING POC
python · webapps · multiple
https://www.exploit-db.com/exploits/50185

This exploit demonstrates a NoSQL injection vulnerability in Cockpit CMS 0.11.1, allowing username enumeration and password reset token extraction via crafted JSON payloads. It leverages the `$func` operator to dump user data and reset tokens, then resets the target user's password.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Cockpit CMS 0.11.1
No auth needed
Prerequisites: Target URL · Network access to the application
devstral-2 · analyzed Feb 19, 2026

metasploit WORKING POC NORMAL
by h00die, Nikita Petrov · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/cockpit_cms_rce.rb

This Metasploit module exploits CVE-2020-35847 and CVE-2020-35846 in Cockpit CMS, chaining NoSQL injection to extract user data and reset tokens, followed by command injection for RCE. It automates user enumeration, password reset, and payload execution without disk writes.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Cockpit CMS 0.10.0 - 0.11.1
No auth needed
Prerequisites: Network access to target · Cockpit CMS vulnerable version
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Agentejo Cockpit <0.11.2 - NoSQL Injection
CRITICAL · VERIFIED · by dwisiswant0
Shodan: http.favicon.hash:688609340 || http.html:"cockpit"
FOFA: icon_hash=688609340 || body="cockpit"

Scores

CVSS v3 9.8
EPSS 0.9397
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-89
Status: published
Products (1): agentejo/cockpit < 0.11.2
Published: Dec 30, 2020
Tracked Since: Feb 18, 2026