CVE-2023-39359

8.8 HIGH

📋 TL;DR

An authenticated SQL injection vulnerability in Cacti allows a logged-in user to escalate privileges and ultimately execute arbitrary code remotely. The flaw is improper handling of the site_id parameter in graphs.php and affects Cacti versions before 1.2.25. Organizations running vulnerable Cacti instances are at risk.

💻 Affected Systems

Products:
  • Cacti
Versions: All versions before 1.2.25
Operating Systems: All platforms running Cacti
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to Cacti web interface; default installations are vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain full system control through remote code execution, potentially compromising the entire monitoring infrastructure and adjacent systems.

🟠

Likely Case

Authenticated attackers escalate privileges to administrative access, manipulate monitoring data, and execute arbitrary SQL commands.

🟢

If Mitigated

With proper network segmentation and least privilege authentication, impact is limited to the Cacti application and database.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access, but the SQL injection to RCE chain is straightforward for skilled attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.2.25

Vendor Advisory: https://github.com/Cacti/cacti/security/advisories/GHSA-q4wh-3f9w-836h

Restart Required: Yes

Instructions:

1. Back up the Cacti database and configuration files.
2. Download Cacti 1.2.25 from the official repository.
3. Replace the existing installation with the new version.
4. Run the database upgrade script if prompted.
5. Restart the web server and Cacti poller services.

🔧 Temporary Workarounds

No known workarounds


The vendor advisory states there are no known workarounds for this vulnerability.

🧯 If You Can't Patch

  • Restrict network access to Cacti web interface using firewall rules to only trusted IP addresses
  • Implement strict authentication controls and monitor for suspicious authenticated user activity

🔍 How to Verify

Check if Vulnerable:

Check the Cacti version via the web interface, or examine include/global.php for the version number.

Check Version:

grep 'cacti_version' /path/to/cacti/include/global.php   # matches the $config['cacti_version'] line regardless of quote style

Verify Fix Applied:

Confirm the version is 1.2.25 or later and that graphs.php has been updated.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed authentication attempts followed by successful login
  • Suspicious parameter values in web server access logs for graphs.php

Network Indicators:

  • Unusual outbound connections from Cacti server
  • SQL injection patterns in HTTP requests to graphs.php

SIEM Query:

source="web_server_logs" AND uri="*graphs.php*" AND (param="*site_id*" OR query="*SELECT*" OR query="*UNION*")
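As an added example (not from this advisory or the Cacti project), the following Python applies the same idea as the SIEM query above to web server access logs, but with less noise: it only flags requests to graphs.php whose site_id value is not the integer the parameter expects, and labels why. The log lines are constructed samples in Apache combined format, and the regex patterns and field names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Sep/2023:10:00:01 +0000] "GET /cacti/graphs.php?action=list&site_id=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Sep/2023:10:00:02 +0000] "GET /cacti/graphs.php?action=list&site_id=3%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 5300 "-" "curl/8.1"
10.0.0.9 - - [01/Sep/2023:10:00:03 +0000] "GET /cacti/graphs.php?action=list&site_id=1%27%20OR%201%3D1--%20 HTTP/1.1" 200 5300 "-" "curl/8.1"
10.0.0.5 - - [01/Sep/2023:10:00:04 +0000] "GET /cacti/index.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

# Combined-format fields we need: client IP, request URI, status code.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# Generic SQL-injection tokens; used only to label a hit, not to decide it.
SQL_TOKENS = re.compile(
    r"\b(union|select|sleep|benchmark)\b|or\s+\d+\s*=\s*\d+|['\";#]|--", re.IGNORECASE
)


def classify_site_id(value: str):
    """site_id is an integer key (-1 means 'any' in Cacti's filter UI).
    Returns None for a well-formed value, otherwise a short reason label."""
    if re.fullmatch(r"-?\d+", value.strip()):
        return None
    if SQL_TOKENS.search(value):
        return "sql-pattern"
    return "non-numeric"


def scan_access_log(text: str):
    """Return one dict per request to graphs.php carrying a malformed site_id."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        parts = urlsplit(m.group("uri"))
        if not parts.path.endswith("/graphs.php"):
            continue
        # parse_qs percent-decodes once; a double-encoded value will surface as non-numeric.
        params = parse_qs(parts.query, keep_blank_values=True)
        for raw in params.get("site_id", []):
            reason = classify_site_id(raw)
            if reason:
                hits.append({"ip": m.group("ip"), "status": m.group("status"),
                             "site_id": raw, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

Feed it a real access log (for example `scan_access_log(open("/var/log/apache2/access.log").read())`) and correlate flagged client IPs with Cacti's own login records, since the access log does not carry Cacti's session user.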

🔗 References
