CVE-2020-5847

CRITICAL KEV NUCLEI

Unraid < 6.8.0 - Unauthenticated Remote Code Execution


Exploitation Summary

CVE-2020-5847 is actively exploited and has been listed in the CISA Known Exploited Vulnerabilities (KEV) catalog since November 3, 2021. EIP tracks 3 public exploits from researchers including tnpitsecurity and Nicolas CHATELAIN <[email protected]>, among them the Metasploit module `exploits/linux/http/unraid_auth_bypass_exec`. A Nuclei detection template is also available.

AI-analyzed exploit summary: This is a detailed technical analysis of CVE-2020-5847, covering an authentication bypass via a whitelist flaw in `auth_request.php` and arbitrary code execution through variable overwriting using PHP's `extract` function. The writeup includes root cause analysis, exploit chain explanation, and affected versions.

Description

Unraid through 6.8.0 allows Remote Code Execution.

Exploits (3)

github WRITEUP 4 stars
by tnpitsecurity · poc
https://github.com/tnpitsecurity/CVEs/tree/master/CVE-2020-5847-5849

This is a detailed technical analysis of CVE-2020-5847, covering an authentication bypass via a whitelist flaw in `auth_request.php` and arbitrary code execution through variable overwriting using PHP's `extract` function. The writeup includes root cause analysis, exploit chain explanation, and affected versions.

Classification: Writeup 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Unraid <= 6.8.0
No auth needed
Prerequisites: Network access to the Unraid web interface
devstral-2 · analyzed Feb 27, 2026
exploitdb WORKING POC
ruby · remote · linux
https://www.exploit-db.com/exploits/48353

This Metasploit module exploits CVE-2020-5847 and CVE-2020-5849 in Unraid 6.8.0, combining an authentication bypass with a PHP code execution vulnerability via insecure use of the `extract` function. It delivers a PHP payload encoded in base64 to achieve remote code execution as root.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Unraid 6.8.0
No auth needed
Prerequisites: Network access to the Unraid web interface · Unraid version 6.8.0
devstral-2 · analyzed Feb 19, 2026
metasploit WORKING POC EXCELLENT
by Nicolas CHATELAIN <[email protected]> · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/unraid_auth_bypass_exec.rb

This Metasploit module exploits CVE-2020-5847 and CVE-2020-5849 in Unraid 6.8.0, combining an authentication bypass with a PHP code execution vulnerability via insecure use of the `extract` function. It sends a crafted GET request to execute arbitrary PHP code as root.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Unraid 6.8.0
No auth needed
Prerequisites: Network access to the Unraid web interface
devstral-2 · analyzed Feb 19, 2026

Nuclei Templates (1)

UnRaid <=6.80 - Remote Code Execution
CRITICAL · by madrobot

References (5)

Core 5

Scores

CVSS v3 9.8
EPSS 0.9382
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2021-11-03
VulnCheck KEV 2021-11-03
InTheWild.io 2021-07-23
ENISA EUVD EUVD-2020-27001
Status published
Products (1)
unraid/unraid < 6.8.0 (2 CPE variants)
Published Mar 16, 2020
KEV Added Nov 03, 2021
Tracked Since Feb 18, 2026