CVE-2005-10004
📋 TL;DR
This vulnerability allows authenticated users to execute arbitrary shell commands on Cacti servers through improper input handling in the graph_view.php script. Attackers can compromise system integrity by running commands with web server privileges. Organizations running Cacti versions before 0.8.6-d are affected.
💻 Affected Systems
- Cacti
📦 What is this software?
Cacti by Cacti
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise leading to data theft, lateral movement, ransomware deployment, or persistent backdoor installation.
Likely Case
Unauthorized command execution leading to data exfiltration, service disruption, or installation of cryptocurrency miners.
If Mitigated
Limited impact due to network segmentation, minimal web server privileges, and proper input validation.
🎯 Exploit Status
Metasploit module available; exploitation requires valid user credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.8.6-d and later
Vendor Advisory: https://www.cacti.net/info/downloads
Restart Required: No
Instructions:
1. Back up the current Cacti installation and database.
2. Download Cacti 0.8.6-d or later from the official site.
3. Replace the vulnerable files with the patched versions.
4. Verify that graph_view.php no longer passes unsanitized input to shell commands.
🔧 Temporary Workarounds
Input Validation Filter
Add input validation that restricts the graph_start parameter to digits before it is processed.
Modify graph_view.php to validate the graph_start parameter with an allow-list regex (the D modifier stops PCRE's $ from accepting a trailing newline): if (!isset($_GET['graph_start']) || !preg_match('/^[0-9]+$/D', $_GET['graph_start'])) { die('Invalid input'); }
Access Restriction
Restrict access to graph_view.php to trusted IP addresses only
Add to .htaccess: Order Deny,Allow
Deny from all
Allow from 192.168.1.0/24
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Cacti server from critical systems
- Run Cacti with minimal privileges using dedicated low-privilege user account
🔍 How to Verify
Check if Vulnerable:
Check Cacti version: grep 'version' include/global.php | grep -o '[0-9]\.[0-9]\.[0-9]-[a-z]'
Check Version:
grep "\$version" include/global.php | cut -d"'" -f2
Verify Fix Applied:
Confirm the installed version is 0.8.6-d or later, and confirm that graph_view.php rejects non-numeric graph_start values rather than passing them on to a shell.
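The version checks above print a string such as 0.8.6c, which still has to be compared against the fixed release. The following added example (not part of this advisory or of Cacti) does that comparison in Python: it pulls the $version assignment out of include/global.php contents, parses Cacti's major.minor.patch plus optional letter suffix, and reports whether the install predates 0.8.6-d. The $version = '...' layout is assumed from the grep/cut one-liner above, and the sample global.php fragment is constructed for the example.

```python
import re

# Cacti-style version strings: "0.8.6", "0.8.6c", "0.8.6-d", "0.8.7".
# Assumption for this example: a letter suffix with or without a hyphen
# means the same release, so "0.8.6d" and "0.8.6-d" compare equal.
VERSION_RE = re.compile(r'^(\d+)\.(\d+)\.(\d+)-?([a-z])?$')

# First release the advisory lists as fixed.
FIXED_VERSION = "0.8.6-d"


def parse_version(text):
    """Return a comparable tuple (major, minor, patch, suffix_rank).

    A missing letter suffix ranks below 'a', so 0.8.6 < 0.8.6-a < 0.8.6-d.
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Cacti version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    rank = ord(suffix) - ord('a') + 1 if suffix else 0
    return (int(major), int(minor), int(patch), rank)


def extract_version(global_php):
    """Pull the value of $version = '...'; out of include/global.php text.

    This is the same value the advisory's grep | cut one-liner prints; the
    assignment format is assumed from that one-liner.
    """
    m = re.search(r"\$version\s*=\s*['\"]([^'\"]+)['\"]", global_php)
    if not m:
        raise ValueError("no $version assignment found in global.php")
    return m.group(1)


def is_vulnerable(version_text):
    """True when the installed version is older than the fixed release."""
    return parse_version(version_text) < parse_version(FIXED_VERSION)


# Constructed sample of an include/global.php fragment (not Cacti's own file).
SAMPLE_GLOBAL_PHP = """<?php
$config = array();
$version = '0.8.6c';
"""

if __name__ == "__main__":
    v = extract_version(SAMPLE_GLOBAL_PHP)
    state = "VULNERABLE (older than 0.8.6-d)" if is_vulnerable(v) else "patched"
    print(f"installed Cacti {v}: {state}")
```

Run it against the real file with `extract_version(open('include/global.php').read())`; the parser raises on anything it cannot interpret rather than silently reporting "patched", which is the failure mode you want in a verification script.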
📡 Detection & Monitoring
Log Indicators:
- Unusual shell commands in web server logs
- Multiple failed authentication attempts followed by graph_view.php access
- Suspicious graph_start parameter values containing shell metacharacters
Network Indicators:
- Outbound connections from web server to unexpected destinations
- Unusual process spawning from web server user
SIEM Query:
source="web_logs" AND uri="/graph_view.php" AND (query="*graph_start=*&*" OR query="*;*" OR query="*|*" OR query="*`*" OR query="*$(*")
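The SIEM query above matches shell metacharacters anywhere in the query string, and the input-validation workaround further up restricts graph_start to digits. The added example below (written for this page, not code from Cacti or from the advisory's sources) applies both ideas to web server access logs in Python: it parses Combined Log Format lines, keeps only requests to graph_view.php, flags any graph_start value that fails the digits-only allow-list, and flags any other parameter carrying the metacharacters the SIEM query looks for. The log lines are constructed for the example; the helper names (flag_line, scan_log) are this example's own.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Allow-list from the workaround: graph_start must be digits only.
# re.fullmatch has no trailing-newline quirk, unlike a bare $ anchor.
GRAPH_START_RE = re.compile(r'[0-9]+')

# Shell metacharacters the SIEM query looks for, plus newline, which a shell
# also treats as a command separator.
SHELL_META = set(';|`$&\n')

# Apache Combined Log Format: ip ident user [time] "METHOD target proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def graph_start_is_valid(value):
    """The allow-list check the workaround applies server-side."""
    return GRAPH_START_RE.fullmatch(value) is not None


def parse_access_line(line):
    """Return (client_ip, method, target, status) or None if unparseable."""
    m = LOG_RE.match(line)
    return m.groups() if m else None


def flag_line(line):
    """Return a list of findings for one access-log line (empty if clean)."""
    parsed = parse_access_line(line)
    if not parsed:
        return []
    ip, method, target, status = parsed
    parts = urlsplit(target)
    if not parts.path.endswith('/graph_view.php'):
        return []
    findings = []
    # parse_qsl percent-decodes values, so %3B is inspected as ';'.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key == 'graph_start' and not graph_start_is_valid(value):
            findings.append(f"{ip}: non-numeric graph_start={value!r} (status {status})")
        elif any(c in SHELL_META for c in value) or '$(' in value:
            findings.append(f"{ip}: shell metacharacter in {key}={value!r} (status {status})")
    return findings


def scan_log(lines):
    """Run flag_line over an iterable of log lines and collect all findings."""
    findings = []
    for line in lines:
        findings.extend(flag_line(line))
    return findings


# Constructed sample access-log lines (not from any real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Mar/2005:10:12:01 +0000] "GET /cacti/graph_view.php?action=preview&graph_start=1109980000 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [05/Mar/2005:10:12:07 +0000] "GET /cacti/graph_view.php?action=preview&graph_start=1109980000%3B%20x HTTP/1.1" 200 5120',
    '10.0.0.9 - - [05/Mar/2005:10:12:09 +0000] "GET /cacti/graph_view.php?action=preview&graph_start=12&rra_id=%60x%60 HTTP/1.1" 200 5120',
    '10.0.0.7 - - [05/Mar/2005:10:13:00 +0000] "GET /cacti/index.php HTTP/1.1" 200 1200',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Two points carry over to a production rule. First, decode before matching: a SIEM wildcard on a literal `;` misses the percent-encoded `%3B` that actually appears in access logs, so either decode the query field at ingestion or add the encoded forms to the pattern. Second, a 200 status on a flagged request is the one to escalate, since a rejected request from the .htaccess restriction would log as 403.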
🔗 References
- https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/cacti_graphimage_exec.rb
- https://web.archive.org/web/20050305034552/http://www.cacti.net/cactid_download.php
- https://www.cacti.net/info/downloads
- https://www.exploit-db.com/exploits/16881
- https://www.exploit-db.com/exploits/9911
- https://www.vulncheck.com/advisories/cacti-graph-view-rce