Indiscriminate, opportunistic targeting.
Severity Level: Critical – Common Vulnerability Scoring System (CVSS) base score of 9.8. Exploitation results in unauthenticated remote command injection, allowing an actor to execute arbitrary commands on the Cacti host and therefore to read or alter its contents and configuration.
The vulnerability has been assigned the following Common Vulnerabilities and Exposures (CVE) identifier: CVE-2022-46169
A command injection vulnerability exists in the remote_agent.php file. The file does not require a user to be authenticated; access is gated only by a client-IP authorisation check which, as described under Containment, Mitigations & Remediations below, can be bypassed.
Successful exploitation allows an attacker to run arbitrary commands with the privileges of the web server process. Following successful exploitation, threat actors have been observed deploying botnet malware, including Mirai.
The Cacti developers state that version 1.2.22 (and earlier releases) is affected. Where an affected version is deployed, the patch should be applied.
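The following is an added illustration of the vulnerability class, not Cacti's own remote_agent.php code: a hypothetical poller endpoint that builds a shell command line from a request parameter, shown beside a hardened version. The endpoint name, command line and parameter names are assumptions made for the example; the functions only build the command string and never execute it.

```php
<?php
// Added illustrative example, NOT Cacti's remote_agent.php.
// A hypothetical poller endpoint that builds a shell command from request input.

// --- Vulnerable pattern -------------------------------------------------
// The poller id is taken straight from the query string and interpolated into
// the command line. A value such as "1; id" ends the intended command and
// starts a second one, which the shell runs as the web server user.
function build_poll_command_vulnerable(array $request): string {
    $poller_id = $request['poller_id'] ?? '1';
    return "/usr/bin/php /var/www/cacti/poller.php --poller-id=" . $poller_id;
}

// --- Hardened pattern ---------------------------------------------------
// Validate the value against the type the application actually expects
// (a positive integer) and fail closed on anything else. escapeshellarg()
// is applied as well, so even a future relaxation of the validation cannot
// hand shell metacharacters to the command line.
function build_poll_command_hardened(array $request): string {
    $poller_id = (string)($request['poller_id'] ?? '1');
    if (!ctype_digit($poller_id) || (int)$poller_id < 1) {
        throw new InvalidArgumentException('poller_id must be a positive integer');
    }
    return "/usr/bin/php /var/www/cacti/poller.php --poller-id=" . escapeshellarg($poller_id);
}

// Constructed request, shaped the way an attacker would send it (hypothetical).
$attacker_request = ['action' => 'polldata', 'poller_id' => '1; id'];

echo build_poll_command_vulnerable($attacker_request), PHP_EOL;

try {
    echo build_poll_command_hardened($attacker_request), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Run with `php example.php`: the vulnerable builder returns a command line in which `id` follows a `;` and would run as a separate command, while the hardened builder rejects the input before any command line is built. The same principle applies to any other request-derived value that reaches proc_open(), exec(), shell_exec() or backticks.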
Containment, Mitigations & Remediations
The current recommendations are to patch Cacti instances to the following versions:
The Cacti developers have published guidance on preventing the disclosed command injection and authorisation bypass on the Cacti GitHub repository.
The authorisation bypass is mitigated by preventing an attacker from making get_client_addr() return an arbitrary IP address. This is achieved by not honouring the client-controlled “HTTP_…” entries of the $_SERVER array (these are simply request headers, and the sender chooses their values) when deciding where a request came from, and using the socket peer address instead. Where Cacti sits behind a reverse proxy, forwarded headers should only be trusted when the connecting peer is that proxy.
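As an added example (illustrative code, not Cacti's own get_client_addr() or poller table), the weak header-trusting address lookup is shown beside a hardened version, and both are fed a constructed request in which an external client spoofs a forwarded header. The poller host list, the IP addresses and the trusted-proxy list are assumptions made for the example.

```php
<?php
// Added illustrative example, not Cacti's own get_client_addr(): shows why
// trusting client-supplied headers breaks an IP-based authorisation check.

// --- Weak version -------------------------------------------------------
// Prefers proxy-style headers over the socket address. Every HTTP_* entry in
// $_SERVER is just a request header, so the client picks the value returned.
function get_client_addr_weak(array $server): string {
    foreach (['HTTP_X_FORWARDED_FOR', 'HTTP_CLIENT_IP', 'HTTP_X_REAL_IP'] as $h) {
        if (!empty($server[$h])) {
            // first address in a comma-separated list
            return trim(explode(',', $server[$h])[0]);
        }
    }
    return $server['REMOTE_ADDR'] ?? '';
}

// --- Hardened version ---------------------------------------------------
// REMOTE_ADDR (the TCP peer as seen by PHP) is the only value the client cannot
// set. A forwarded header is honoured only when that peer is a trusted proxy,
// and then only the rightmost entry, which is the one the proxy itself appended;
// entries to its left were supplied by whoever connected to the proxy.
function get_client_addr_hardened(array $server, array $trusted_proxies = []): string {
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (in_array($remote, $trusted_proxies, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        $parts     = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        $candidate = end($parts);
        if (filter_var($candidate, FILTER_VALIDATE_IP)) {
            return $candidate;
        }
    }
    return $remote;
}

// Hypothetical authorisation check: allowed if the client address matches a
// registered poller host (constructed list, not Cacti's poller table).
function remote_client_authorized(string $client_addr, array $poller_hosts): bool {
    return in_array($client_addr, $poller_hosts, true);
}

$poller_hosts = ['127.0.0.1', '10.0.0.5'];

// Constructed request: an external client spoofing the forwarded header.
$server = [
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_X_FORWARDED_FOR' => '127.0.0.1',
];

var_dump(remote_client_authorized(get_client_addr_weak($server), $poller_hosts));
var_dump(remote_client_authorized(get_client_addr_hardened($server), $poller_hosts));

// With a genuine reverse proxy at 10.0.0.1, the hardened version still resolves
// the real client from the entry the proxy appended, not the spoofed prefix.
$behind_proxy = [
    'REMOTE_ADDR'          => '10.0.0.1',
    'HTTP_X_FORWARDED_FOR' => '127.0.0.1, 203.0.113.7',
];
var_dump(get_client_addr_hardened($behind_proxy, ['10.0.0.1']));
```

Run with `php example.php`: the weak lookup returns the spoofed 127.0.0.1 and the authorisation check passes for an external client, whereas the hardened lookup returns the socket peer 203.0.113.7 and the check fails. Behind a trusted proxy the hardened version still yields 203.0.113.7 rather than the attacker-prefixed 127.0.0.1. Note that the hardened lookup only closes the authorisation bypass; the command injection must be fixed independently, since a host that legitimately appears in the poller table could still reach the vulnerable code.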
Indicators of Compromise
At the time of writing, no IOCs are publicly available.
Cacti is an open-source, web-based network monitoring tool widely used by IT professionals. Because a monitoring server has network reachability to, and typically holds stored credentials (such as SNMP community strings) for, the devices it monitors, opportunistic compromise of a Cacti instance could provide a foothold for lateral movement within an organisation.
At the time of writing, no threat groups have been identified as actively exploiting this vulnerability.