CVE-2020-8816

HIGH KEV

Pi-hole < 4.3.2 - Authenticated Remote Code Execution via DHCP Static Lease

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2020-8816 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added December 10, 2021. EIP tracks 6 public exploits from researchers including Luis Vacacas, cybervaca, AndreyRainchik, including a Metasploit module exploits/unix/http/pihole_dhcp_mac_exec.

AI-analyzed exploit summary This exploit leverages an authenticated command injection vulnerability in Pi-hole's DHCP settings page. It logs in, retrieves a CSRF token, and injects a reverse shell payload via the 'AddMAC' parameter.

Description

Pi-hole Web v4.3.2 (aka AdminLTE) allows Remote Code Execution by privileged dashboard users via a crafted DHCP static lease.

Exploits (6)

exploitdb WORKING POC
by Luis Vacacas · pythonwebappspython
https://www.exploit-db.com/exploits/48727

This exploit leverages an authenticated command injection vulnerability in Pi-hole's DHCP settings page. It logs in, retrieves a CSRF token, and injects a reverse shell payload via the 'AddMAC' parameter.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Pi-hole >= 4.3.2
Auth required
Prerequisites: Valid credentials for Pi-hole admin panel · Network access to target
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC 11 stars
by cybervaca · remote-auth
https://github.com/cybervaca/CVE-2020-8816

This repository contains a functional Python exploit for CVE-2020-8816, a remote code execution vulnerability in Pi-hole versions >= 4.3.2. The exploit authenticates with the target, retrieves a session token, and injects a reverse shell payload via a command injection in the DHCP settings.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Pi-hole >= 4.3.2
Auth required
Prerequisites: Valid credentials for Pi-hole admin panel · Network access to the Pi-hole admin interface
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC 10 stars
by AndreyRainchik · remote-auth
https://github.com/AndreyRainchik/CVE-2020-8816

This repository contains a functional Python exploit for CVE-2020-8816, a remote code execution vulnerability in Pi-hole's admin web interface. The exploit leverages command injection via the DHCP settings page, requiring authentication and a specific PATH configuration for successful RCE.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Pi-hole (Web Interface Version < 4.3.3)
Auth required
Prerequisites: Valid admin credentials · Pi-hole web interface version < 4.3.3 · Specific PATH configuration for www-data user
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC 6 stars
by team0se7en · remote-auth
https://github.com/team0se7en/CVE-2020-8816

This repository contains a functional Go-based exploit for CVE-2020-8816, a Remote Code Execution (RCE) vulnerability in Pi-hole versions <= 4.3.2. The exploit authenticates to the admin panel, extracts a CSRF token, and injects a reverse shell payload via command injection in the DHCP settings.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Pi-hole <= 4.3.2
Auth required
Prerequisites: Valid admin credentials · Network access to the Pi-hole admin panel
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec SUSPICIOUS 1 stars
by martinsohn · poc
https://github.com/martinsohn/CVE-2020-8816

The repository claims to provide a PoC for CVE-2020-8816 but only includes a README with defensive notes and references an external PDF for the actual exploit. No functional exploit code is present.

Classification
Suspicious 90%
Attack Type
Rce
Complexity
Theoretical
Reliability
Theoretical
Target: Pi-hole 4.3.2
No auth needed
Prerequisites: Exposed Pi-hole management interface · Specific $PWD environment variable for www-data
devstral-2 · analyzed Feb 18, 2026 Full analysis →
metasploit WORKING POC GOOD
by h00die, François Renaud-Philippon <[email protected]> · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/http/pihole_dhcp_mac_exec.rb

This Metasploit module exploits a command execution vulnerability in Pi-Hole <= 4.3.2 by adding a DHCP static lease with a crafted MAC address containing an RCE payload. The exploit leverages the $PATH environment variable to bypass input capitalization constraints.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Pi-Hole <= 4.3.2
Auth required
Prerequisites: Valid credentials for Pi-Hole admin interface · /opt/pihole must be first in $PATH
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (8)

Core 8
Core References
Patch, Third Party Advisory x_refsource_misc
https://github.com/pi-hole/AdminLTE/commits/master
Broken Link, Exploit, Third Party Advisory x_refsource_misc
https://natedotred.wordpress.com/2020/03/28/cve-2020-8816-pi-hole-remote-code-execution/
Broken Link, Press/Media Coverage x_refsource_misc
https://twitter.com/Nate_Kappa/status/1243900213665902592?s=20
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/pi-hole/AdminLTE/releases/tag/v4.3.3
Patch, Third Party Advisory x_refsource_misc
https://github.com/pi-hole/AdminLTE/pull/1165

Scores

CVSS v3 7.2
EPSS 0.7785
EPSS Percentile 99.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2021-12-10
VulnCheck KEV 2020-12-14
InTheWild.io 2021-12-10
ENISA EUVD EUVD-2020-29664
CWE
CWE-78
Status published
Products (1)
pi-hole/pi-hole < 4.3.2
Published May 29, 2020
KEV Added Dec 10, 2021
Tracked Since Feb 18, 2026