CVE-2020-5849

HIGH KEV

unraid 6.8.0 - Authentication Bypass

Title source: llm

Exploitation Summary

CVE-2020-5849 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021. EIP tracks 2 public exploits from researchers including Metasploit, Nicolas CHATELAIN <[email protected]>, including a Metasploit module exploits/linux/http/unraid_auth_bypass_exec.

AI-analyzed exploit summary This Metasploit module exploits CVE-2020-5849, an authentication bypass in Unraid 6.8.0, followed by arbitrary PHP code execution via insecure use of the `extract` function. It leverages a GET request with crafted parameters to achieve remote code execution as root.

Description

Unraid 6.8.0 allows authentication bypass.

Exploits (2)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotelinux

https://www.exploit-db.com/exploits/48353

View Code ZIP pw:eip

This Metasploit module exploits CVE-2020-5849, an authentication bypass in Unraid 6.8.0, followed by arbitrary PHP code execution via insecure use of the `extract` function. It leverages a GET request with crafted parameters to achieve remote code execution as root.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Unraid 6.8.0

No auth needed

Prerequisites: Network access to the Unraid web interface · Unraid version 6.8.0

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

by Nicolas CHATELAIN <[email protected]> · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/unraid_auth_bypass_exec.rb

View Code ZIP pw:eip

This Metasploit module exploits CVE-2020-5849, an authentication bypass in Unraid 6.8.0, combined with an insecure PHP `extract` function usage to achieve remote code execution as root. It sends a crafted GET request to inject PHP code via URI-encoded payloads.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Unraid 6.8.0

No auth needed

Prerequisites: Network access to the Unraid web interface · Unraid version 6.8.0

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Apr 23, 2026 Full analysis →

References (5)

Core 5

Core References

Third Party Advisory x_refsource_misc

https://sysdream.com/news/lab/

Release Notes, Vendor Advisory x_refsource_misc

https://forums.unraid.net/forum/7-announcements/

Broken Link, Exploit, Third Party Advisory x_refsource_misc

https://sysdream.com/news/lab/2020-02-06-cve-2020-5847-cve-2020-5849-unraid-6-8-0-unauthenticated-remote-code-execution-as-root/

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/157275/Unraid-6.8.0-Authentication-Bypass-Arbitrary-Code-Execution.html

US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-5849

Scores

CVSS v3 7.5

EPSS 0.9376

EPSS Percentile 99.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation active

Automatable yes

Technical Impact partial

Details

CISA KEV 2021-11-03

VulnCheck KEV 2021-11-03

InTheWild.io 2021-07-23

ENISA EUVD EUVD-2020-27003

CWE

CWE-697

Status published

Products (1)

unraid/unraid 6.8.0 (2 CPE variants)

Published Mar 16, 2020

KEV Added Nov 03, 2021

Tracked Since Feb 18, 2026