What is Unraid?
Unraid is a proprietary Linux-based operating system for network-attached storage (NAS), home servers, and media servers, developed by Lime Technology. It is widely used by home users, small businesses, and enthusiasts for storing large media libraries, running virtual machines, and hosting Docker containers. Unraid servers typically store terabytes of personal and business data — backups, media libraries, documents, and more. The web-based management UI (accessible on port 80/443) is often the only interface used to manage the device, and in many deployments it is accessible from within the home or business network without VPN.
Overview
CVE-2020-5847 is a remote code execution vulnerability (no CWE assigned) in Unraid's PHP-based web management interface, arising from the insecure use of PHP's extract() function on user-supplied HTTP input. It is chained with CVE-2020-5849 (authentication bypass via UPnP-based token prediction) to form a complete unauthenticated RCE exploit: CVE-2020-5849 provides access to the management UI without credentials, and CVE-2020-5847 executes OS commands as root once inside. Both were fixed in Unraid 6.8.1.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Unraid | < 6.8.1 | 6.8.1+ |
Technical Details
CVE-2020-5847 — PHP extract() code execution:
PHP's extract() function imports key-value pairs from an array directly into the current symbol table as variables. When called on unsanitized user-supplied input (e.g., extract($_POST) or extract($_GET)), it allows an attacker to overwrite any existing PHP variable in scope — including internal application state variables, file paths, and configuration settings.
In Unraid's web UI code, extract() is used on HTTP request parameters. An attacker can:
- Overwrite a file path variable used in a subsequent
include()orrequire()call → local/remote file inclusion - Overwrite configuration variables that control what commands are executed → command injection
- Inject values that cause the application to execute attacker-controlled PHP code → RCE as root
CVE-2020-5849 — Authentication bypass:
Unraid's authentication uses a session token that is predictable or can be obtained via UPnP. An attacker on the local network (or a user tricked into visiting a malicious web page via CSRF) can obtain a valid session without knowing the admin password — bypassing authentication entirely. Combined with CVE-2020-5847, this creates a full pre-auth RCE chain for any attacker with local network access.
Discovery
Tom Veras of Trustwave SpiderLabs discovered both vulnerabilities in February 2020 and reported them to Lime Technology (Unraid's developer) via coordinated disclosure. Unraid released version 6.8.1 with fixes on March 16, 2020.
Exploitation Context
CISA added CVE-2020-5847 to the KEV catalog on November 3, 2021. Unraid servers are attractive targets because they store large volumes of personal and business data and often lack enterprise-grade security monitoring. An attacker who achieves root RCE on an Unraid server can:
- Exfiltrate the entire storage array (backups, documents, media)
- Deploy ransomware to encrypt all stored data
- Use the Unraid server's Docker/VM capabilities to pivot into other internal network resources
- Establish persistent backdoor access
The home-lab and SMB target profile means many installations run outdated Unraid versions, and the CSRF/UPnP attack vector for CVE-2020-5849 means exploitation can be triggered from a malicious website — not just the local network.
Remediation
- Upgrade to Unraid 6.8.1 or later: Apply the update through the Unraid Tools → Update OS menu in the web UI.
- Do not expose the Unraid management UI to the internet: Unraid's web interface should only be accessible from the local network. Use a VPN (WireGuard is built into Unraid) for remote access rather than port-forwarding the management port.
- Disable UPnP on the router: CVE-2020-5849's CSRF/UPnP vector can be mitigated by disabling UPnP on the network router if not required.
- Enable HTTPS: Use Unraid's built-in HTTPS support to prevent credential interception and make cookie stealing harder.
- Review for compromise: If running a vulnerable version, check for unexpected cron jobs, new SSH keys, unusual running processes (cryptominers, reverse shells), and unexpected Docker containers or VMs.
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2020-5847 |
| Vendor / Product | Unraid — Unraid |
| NVD Published | 2020-03-16 |
| NVD Last Modified | 2026-03-17 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CISA KEV Added | 2021-11-03 |
| CISA KEV Deadline | 2022-05-03 |
| Known Ransomware Use | No |
CVSS 3.1 Breakdown
Required Action
Timeline
| Date | Event |
|---|---|
| 2020-02-06 | Tom Veras (Trustwave SpiderLabs) reports CVE-2020-5847 and CVE-2020-5849 to Unraid |
| 2020-03-16 | Unraid releases 6.8.1 fix; CVE-2020-5847 and CVE-2020-5849 published |
| 2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-05-03 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Unraid 6.8.1 Security Fix Release Notes | Vendor Advisory |
| NVD — CVE-2020-5847 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Trustwave SpiderLabs — Unraid 6.8.0 Unauthenticated RCE | Security Research |