cbcvebase.
CVE-2020-5847
published 2020-03-16

CVE-2020-5847: Unraid through 6.8.0 allows Remote Code Execution.

PriorityP196critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
KEVITWEXPLOIT
CISA Known Exploited Vulnerabilitydue 2022-05-03
Exploited in the wild
EPSS
95.84%
99.9th percentile
Unraid through 6.8.0 allows Remote Code Execution.

Affected

1 ranges
VendorProductVersion rangeFixed in
unraidunraid<= 6.8.0

Detection & IOCsextracted from sources · hover to see the quote

url/webGui/images/green-on.png/
url/webGui/images/green-on.png/?path=x&site[x][text]=%3C?php%20echo%20md5(%22CVE-2020-5847%22);%20?%3E
commandGET /webGui/images/green-on.png/?path=x&site[x][text]=<php_payload> HTTP/1.1
  • Detect exploitation attempts by monitoring HTTP GET requests to the path '/webGui/images/green-on.png/' with query parameters 'path' and 'site[x][text]' containing PHP code (e.g., '<?php').
  • A successful probe response will contain the MD5 string 'b13928fbcfff659363d7c7d1ec008d56' (md5 of 'CVE-2020-5847') with HTTP 200 status, indicating the PHP extract() injection executed.
  • The exploit chains CVE-2020-5849 (auth bypass) with CVE-2020-5847 (insecure PHP extract() RCE). Monitor for unauthenticated access to the Unraid admin interface followed by requests to the vulnerable image path.
  • Version fingerprinting: the exploit checks for Unraid version 6.8.0 in the HTTP response body via the regex pattern matching 'Version:' in the response to GET /webGui/images/green-on.png/.
  • ·The vulnerability is only confirmed on Unraid 6.8.0 and below. The Metasploit module explicitly checks for version 6.8.0 before proceeding.
  • ·Full unauthenticated RCE requires chaining with CVE-2020-5849 (auth bypass). CVE-2020-5847 alone covers the insecure PHP extract() code execution primitive.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck9.8CRITICAL
cisa9.8CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.