Cyber Resilience

CVE-2020-8816

HighCISA KEVActive ExploitationEUVD ExploitedPublic PoCRCE

Published: 29 May 2020

Published
29 May 2020
Modified
10 November 2025
KEV Added
10 December 2021
Patch
CVSS Score v3.1 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.9077 99.6th percentile
Risk Priority 89 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2020-8816 is a high-severity OS Command Injection (CWE-78) vulnerability in Pi-Hole Pi-Hole. Its CVSS base score is 7.2 (High).

Operationally, ranked in the top 0.4% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Deeper analysis

Pi-hole Web version 4.3.2, also known as AdminLTE, contains an OS command injection vulnerability tracked as CVE-2020-8816 and CWE-78. The flaw resides in the handling of DHCP static lease entries on the administrative dashboard and permits remote code execution when an attacker supplies a specially crafted MAC address or hostname value.

An authenticated user with dashboard privileges can exploit the issue over the network by submitting a malicious static lease through the web interface. Successful exploitation grants the attacker the ability to execute arbitrary operating-system commands, resulting in complete control over the confidentiality, integrity, and availability of the affected Pi-hole instance.

The project addressed the vulnerability in release 4.3.3; the corresponding fix is documented in pull request 1165 and the associated commit history on the AdminLTE repository. Public exploit code demonstrating both the DHCP lease injection and full remote code execution has been published on Packet Storm.

EU & UK References

Vulnerability details

Pi-hole Web v4.3.2 (aka AdminLTE) allows Remote Code Execution by privileged dashboard users via a crafted DHCP static lease.

CWE(s)
KEV Date Added
10 December 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

pi-hole
pi-hole
≤ 4.3.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of untrusted inputs (MAC/hostname) before they are used in OS commands for DHCP lease processing.

prevent

Restricts dashboard users to the minimum privileges needed, reducing the population that can reach the vulnerable lease-submission function.

prevent

Enforces access restrictions on configuration changes, limiting which authenticated accounts may submit DHCP static lease entries.

References