CVE-2020-5847
Published: 2020-03-16
CVE-2020-5847: Unraid through 6.8.0 allows Remote Code Execution.
Priority: P196 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, due 2022-05-03
Exploited in the wild
EPSS: 95.84% (99.9th percentile)
Unraid through 6.8.0 allows Remote Code Execution.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| unraid | unraid | <= 6.8.0 | — |
Detection & IOCs (extracted from sources)
URL: /webGui/images/green-on.png/?path=x&site[x][text]=%3C?php%20echo%20md5(%22CVE-2020-5847%22);%20?%3E
- Detect exploitation attempts by monitoring HTTP GET requests to the path '/webGui/images/green-on.png/' with query parameters 'path' and 'site[x][text]' containing PHP code (e.g., '<?php').
- A successful probe response will contain the MD5 string 'b13928fbcfff659363d7c7d1ec008d56' (md5 of 'CVE-2020-5847') with HTTP 200 status, indicating the PHP extract() injection executed.
- The exploit chains CVE-2020-5849 (auth bypass) with CVE-2020-5847 (insecure PHP extract() RCE). Monitor for unauthenticated access to the Unraid admin interface followed by requests to the vulnerable image path.
- Version fingerprinting: the exploit checks for Unraid version 6.8.0 in the HTTP response body via the regex pattern matching 'Version:' in the response to GET /webGui/images/green-on.png/.
- The vulnerability is only confirmed on Unraid 6.8.0 and below. The Metasploit module explicitly checks for version 6.8.0 before proceeding.
- Full unauthenticated RCE requires chaining with CVE-2020-5849 (auth bypass). CVE-2020-5847 alone covers the insecure PHP extract() code execution primitive.
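The detection guidance above as a log triage script. This is an added example, not a rule from any of the sources on this page. It assumes combined-format web access logs; the function names and sample lines are constructed, while the path and marker string are the ones quoted above.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

VULN_PATH = "/webgui/images/green-on.png/"         # path from the page, lower-cased
PROBE_MARKER = "b13928fbcfff659363d7c7d1ec008d56"  # response marker quoted on the page
PHP_TAG = re.compile(r"<\?(?:php|=)", re.IGNORECASE)
# Assumption: the web server writes combined log format.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')

def classify(line):
    """Return (ip, verdict); verdict is None, 'path-access' or 'php-injection'."""
    m = LOG_RE.match(line)
    if not m:
        return None, None
    parts = urlsplit(m["target"])
    if not unquote(parts.path).lower().startswith(VULN_PATH):
        return m["ip"], None
    # parse_qsl percent-decodes, so %3C?php is matched as <?php
    params = parse_qsl(parts.query, keep_blank_values=True)
    keys = [k for k, _ in params]
    injected = ("path" in keys
                and any(k.startswith("site[") for k in keys)
                and any(PHP_TAG.search(v) for _, v in params))
    return m["ip"], "php-injection" if injected else "path-access"

def triage(lines):
    """Worst verdict per source IP across a batch of log lines."""
    rank = {"path-access": 1, "php-injection": 2}
    worst = {}
    for line in lines:
        ip, verdict = classify(line)
        if verdict and rank[verdict] > rank.get(worst.get(ip), 0):
            worst[ip] = verdict
    return worst

def probe_succeeded(status, body):
    """The page's success criterion: HTTP 200 and the marker in the response body."""
    return status == 200 and PROBE_MARKER in body

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /webGui/images/green-on.png/ HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /webGui/images/green-on.png/?path=x&site[x][text]=%3C?php%20echo%20md5(%22CVE-2020-5847%22);%20?%3E HTTP/1.1" 200 540 "-" "curl/8.0"',
    '198.51.100.4 - - [01/Jan/2024:10:01:00 +0000] "GET /webGui/images/green-on.png HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Access logs carry no response body, so `probe_succeeded` only applies where a proxy or packet capture records bodies. A `path-access` hit followed by `php-injection` from the same source matches the fingerprint-then-exploit sequence described in the list.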
CVSS provenance
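| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | | 9.8 | CRITICAL | |
| cisa | | 9.8 | CRITICAL | |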
CISA
Unraid Authentication Bypass Vulnerability
cisa·2021-11-03·CVSS 9.8
CVE-2020-5849 [CRITICAL] CWE-287 Unraid Authentication Bypass Vulnerability
Vulnerability: Unraid Authentication Bypass Vulnerability
Affected: Unraid Unraid
Unraid contains an authentication bypass vulnerability that allows attackers to gain access to the administrative interface. This CVE is chainable with CVE-2020-5847 for remote code execution.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2020-5849
Remediation Due Date: 2022-05-03
CISA
Unraid Remote Code Execution Vulnerability
cisa·2021-11-03·CVSS 9.8
CVE-2020-5847 [CRITICAL] Unraid Remote Code Execution Vulnerability
Vulnerability: Unraid Remote Code Execution Vulnerability
Affected: Unraid Unraid
Unraid contains a vulnerability due to the insecure use of the extract PHP function that can be abused to execute remote code as root. This CVE is chainable with CVE-2020-5849 for initial access.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2020-5847
Remediation Due Date: 2022-05-03
GHSA
GHSA-4m4g-xmmp-5cj6: Unraid through 6
ghsa_unreviewed·2022-05-24
CVE-2020-5847 [HIGH] CWE-287 GHSA-4m4g-xmmp-5cj6: Unraid through 6
Unraid through 6.8.0 allows Remote Code Execution.
VulnCheck
Unraid Authentication Bypass Vulnerability
vulncheck·2020·CVSS 9.8
CVE-2020-5849 [CRITICAL] CWE-287 Unraid Authentication Bypass Vulnerability
Unraid Authentication Bypass Vulnerability
Unraid contains an authentication bypass vulnerability that allows attackers to gain access to the administrative interface. This CVE is chainable with CVE-2020-5847 for remote code execution.
Affected: Unraid Unraid
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2020-5849&date=2025-10-17; https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2020-5849&date=2025-10-18; https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2020-5849&date=2025-10-19; https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2020-5849&date=2025-10-20; https://api.vu
VulnCheck
Unraid Remote Code Execution Vulnerability
vulncheck·2020·CVSS 9.8
CVE-2020-5847 [CRITICAL] Unraid Remote Code Execution Vulnerability
Unraid Remote Code Execution Vulnerability
Unraid contains a vulnerability due to the insecure use of the extract PHP function that can be abused to execute remote code as root. This CVE is chainable with CVE-2020-5849 for initial access.
Affected: Unraid Unraid
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-01&host_type=src&vulnerability=cve-2020-5847; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-22&host_type=src&vulnerability=cve-2020-5847; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-23&host_type=src&
No detection rules found.
Exploit-DB
Unraid 6.8.0 - Auth Bypass PHP Code Execution (Metasploit)
exploitdb·2020-04-20
CVE-2020-5849 Unraid 6.8.0 - Auth Bypass PHP Code Execution (Metasploit)
Unraid 6.8.0 - Auth Bypass PHP Code Execution (Metasploit)
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'Unraid 6.8.0 Auth Bypass PHP Code Execution',
'Description' => %q{
This module exploits two vulnerabilities affecting Unraid 6.8.0.
An authentication bypass is used to gain access to the administrative
interface, and an insecure use of the extract PHP function can be abused
for arbitrary code execution as root.
},
'Author' =>
[
'Nicolas CHATELAIN '
],
'References' =>
[
[ 'CVE', '2020-5847' ],
[ 'CVE', '2020-5849' ],
[ 'URL', 'https://sysdream.com/news/lab/2020-02-06-cve-2020-5847-cve-2020-5849-unraid-6-8-0-unauthenticated-remote-code-execution-as-root/' ],
[ 'URL',
Metasploit
Unraid 6.8.0 Auth Bypass PHP Code Execution
metasploit
Unraid 6.8.0 Auth Bypass PHP Code Execution
Unraid 6.8.0 Auth Bypass PHP Code Execution
This module exploits two vulnerabilities affecting Unraid 6.8.0. An authentication bypass is used to gain access to the administrative interface, and an insecure use of the extract PHP function can be abused for arbitrary code execution as root.
Nuclei
UnRaid <=6.80 - Remote Code Execution
nuclei·CVSS 9.8
CVE-2020-5847 [CRITICAL] UnRaid <=6.80 - Remote Code Execution
UnRaid <=6.80 - Remote Code Execution
UnRaid <=6.80 allows remote unauthenticated attackers to execute arbitrary code.
Template:
```yaml
id: CVE-2020-5847
info:
  name: UnRaid <=6.80 - Remote Code Execution
  author: madrobot
  severity: critical
  description: UnRaid <=6.80 allows remote unauthenticated attackers to execute arbitrary code.
  impact: |
    Unauthenticated attackers can execute arbitrary code on UnRaid servers, leading to complete system compromise and access to all stored data.
  remediation: |
    Upgrade UnRaid to a version higher than 6.80 to mitigate the vulnerability.
  reference:
    - https://sysdream.com/news/lab/2020-02-06-cve-2020-5847-cve-2020-5849-unraid-6-8-0-unauthenticated-remote-code-execution-as-root/
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5847
    - https://sysdream.com
```
- http://packetstormsecurity.com/files/157275/Unraid-6.8.0-Authentication-Bypass-Arbitrary-Code-Execution.html
- https://forums.unraid.net/forum/7-announcements/
- https://sysdream.com/news/lab/
- https://sysdream.com/news/lab/2020-02-06-cve-2020-5847-cve-2020-5849-unraid-6-8-0-unauthenticated-remote-code-execution-as-root/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-5847
- 2020-03-16: Published
- 2021-11-03: Added to CISA KEV
- Exploited in the wild