CVE-2020-8816

Pi-hole Web v4.3.2 (aka AdminLTE) allows Remote Code Execution by privileged dashboard users via a crafted DHCP static lease.

Basic Information

CVE State: PUBLISHED
Reserved Date: February 10, 2020
Published Date: May 29, 2020
Last Updated: July 30, 2025
Vendor: n/a
Product: n/a
Tags: cisa, metasploit_scanner

CVSS Scores

CVSS v3.0

9.1 - CRITICAL

Vector: CVSS:3.0/AC:L/AV:N/A:H/C:H/I:H/PR:H/S:C/UI:N

SSVC Information

Exploitation: active
Technical Impact: total

Exploit Status

Exploited in the Wild: Yes (2021-12-10 00:00:00 UTC)
Proof of Concept Available: Yes (added 2020-06-15 18:24:19 UTC)

Known Exploited Vulnerability Information

Source: CISA • Added Date: 2021-12-10 00:00:00 UTC

Scanner Integrations

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

pihole_dhcp_mac_exec

Type: metasploit • Created: Unknown

Metasploit module for CVE-2020-8816

team0se7en/CVE-2020-8816

Type: github • Created: 2020-08-06 14:04:54 UTC • Stars: 6

Pi-hole ( <= 4.3.2) authenticated remote code execution.

cybervaca/CVE-2020-8816

Type: github • Created: 2020-08-04 10:23:28 UTC • Stars: 12

Pi-hole Remote Code Execution authenticated Version >= 4.3.2

martinsohn/CVE-2020-8816

Type: github • Created: 2020-06-15 18:24:19 UTC • Stars: 1

A PoC for CVE-2020-8816 that does not use $PATH but $PWD and globbing

AndreyRainchik/CVE-2020-8816

Type: github • Created: 2020-05-10 01:12:28 UTC • Stars: 10

A Python script to exploit CVE-2020-8816, a remote code execution vulnerability on the Pi-hole

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Proof of Concept Exploit Available

  • Added to KEVIntel

  • Detected by Metasploit