CVE-2020-5847 — Unraid Remote Code Execution Vulnerability

CVE-2020-5847

Unraid — PHP extract() Abuse Enabling Root RCE, Chained with CVE-2020-5849 Auth Bypass

What is Unraid?

Unraid is a proprietary Linux-based operating system for network-attached storage (NAS), home servers, and media servers, developed by Lime Technology. It is widely used by home users, small businesses, and enthusiasts for storing large media libraries, running virtual machines, and hosting Docker containers. Unraid servers typically store terabytes of personal and business data — backups, media libraries, documents, and more. The web-based management UI (accessible on port 80/443) is often the only interface used to manage the device, and in many deployments it is accessible from within the home or business network without VPN.

Overview

CVE-2020-5847 is a remote code execution vulnerability (no CWE assigned) in Unraid's PHP-based web management interface, arising from the insecure use of PHP's extract() function on user-supplied HTTP input. It is chained with CVE-2020-5849 (authentication bypass via UPnP-based token prediction) to form a complete unauthenticated RCE exploit: CVE-2020-5849 provides access to the management UI without credentials, and CVE-2020-5847 executes OS commands as root once inside. Both were fixed in Unraid 6.8.1.

Affected Versions

Product Vulnerable Fixed
Unraid < 6.8.1 6.8.1+

Technical Details

CVE-2020-5847 — PHP extract() code execution:

PHP's extract() function imports key-value pairs from an array directly into the current symbol table as variables. When called on unsanitized user-supplied input (e.g., extract($_POST) or extract($_GET)), it allows an attacker to overwrite any existing PHP variable in scope — including internal application state variables, file paths, and configuration settings.

In Unraid's web UI code, extract() is used on HTTP request parameters. An attacker can:

  1. Overwrite a file path variable used in a subsequent include() or require() call → local/remote file inclusion
  2. Overwrite configuration variables that control what commands are executed → command injection
  3. Inject values that cause the application to execute attacker-controlled PHP code → RCE as root

CVE-2020-5849 — Authentication bypass:

Unraid's authentication uses a session token that is predictable or can be obtained via UPnP. An attacker on the local network (or a user tricked into visiting a malicious web page via CSRF) can obtain a valid session without knowing the admin password — bypassing authentication entirely. Combined with CVE-2020-5847, this creates a full pre-auth RCE chain for any attacker with local network access.

Discovery

Tom Veras of Trustwave SpiderLabs discovered both vulnerabilities in February 2020 and reported them to Lime Technology (Unraid's developer) via coordinated disclosure. Unraid released version 6.8.1 with fixes on March 16, 2020.

Exploitation Context

CISA added CVE-2020-5847 to the KEV catalog on November 3, 2021. Unraid servers are attractive targets because they store large volumes of personal and business data and often lack enterprise-grade security monitoring. An attacker who achieves root RCE on an Unraid server can:

  • Exfiltrate the entire storage array (backups, documents, media)
  • Deploy ransomware to encrypt all stored data
  • Use the Unraid server's Docker/VM capabilities to pivot into other internal network resources
  • Establish persistent backdoor access

The home-lab and SMB target profile means many installations run outdated Unraid versions, and the CSRF/UPnP attack vector for CVE-2020-5849 means exploitation can be triggered from a malicious website — not just the local network.

Remediation

  1. Upgrade to Unraid 6.8.1 or later: Apply the update through the Unraid Tools → Update OS menu in the web UI.
  2. Do not expose the Unraid management UI to the internet: Unraid's web interface should only be accessible from the local network. Use a VPN (WireGuard is built into Unraid) for remote access rather than port-forwarding the management port.
  3. Disable UPnP on the router: CVE-2020-5849's CSRF/UPnP vector can be mitigated by disabling UPnP on the network router if not required.
  4. Enable HTTPS: Use Unraid's built-in HTTPS support to prevent credential interception and make cookie stealing harder.
  5. Review for compromise: If running a vulnerable version, check for unexpected cron jobs, new SSH keys, unusual running processes (cryptominers, reverse shells), and unexpected Docker containers or VMs.

Key Details

PropertyValue
CVE ID CVE-2020-5847
Vendor / Product Unraid — Unraid
NVD Published2020-03-16
NVD Last Modified2026-03-17
CVSS 3.1 Score9.8
CVSS 3.1 VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SeverityCRITICAL
CISA KEV Added2021-11-03
CISA KEV Deadline2022-05-03
Known Ransomware Use No

CVSS 3.1 Breakdown

Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Required Action

CISA BOD 22-01 Deadline: 2022-05-03. Apply updates per vendor instructions.

Timeline

DateEvent
2020-02-06Tom Veras (Trustwave SpiderLabs) reports CVE-2020-5847 and CVE-2020-5849 to Unraid
2020-03-16Unraid releases 6.8.1 fix; CVE-2020-5847 and CVE-2020-5849 published
2021-11-03Added to CISA Known Exploited Vulnerabilities catalog
2022-05-03CISA BOD 22-01 remediation deadline