CVE-2023-39361
📋 TL;DR
CVE-2023-39361 is a critical SQL injection vulnerability in Cacti's graph_view.php that allows unauthenticated attackers to execute arbitrary SQL commands. Since guest users can access this endpoint without authentication by default, attackers could potentially gain administrative privileges or execute remote code. All Cacti installations below version 1.2.25 are affected.
💻 Affected Systems
- Cacti
📦 What is this software?
Cacti by Cacti
Fedora by Fedoraproject
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through remote code execution leading to data theft, system takeover, and lateral movement within the network.
Likely Case
Database compromise, privilege escalation to administrative access, and potential data exfiltration from Cacti systems.
If Mitigated
Limited impact if guest access is disabled or proper network segmentation isolates Cacti instances.
🎯 Exploit Status
SQL injection in graph_view.php is straightforward to exploit, and proof-of-concept code is publicly available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.25
Vendor Advisory: https://github.com/Cacti/cacti/security/advisories/GHSA-6r43-q2fw-5wrg
Restart Required: No
Instructions:
1. Backup your Cacti database and configuration.
2. Download Cacti 1.2.25 from the official repository.
3. Follow the upgrade instructions at https://docs.cacti.net/Upgrading.
4. Verify the upgrade completed successfully.
🔧 Temporary Workarounds
Disable Guest Access
Disable guest user access in the Cacti configuration to prevent unauthenticated exploitation.
Edit /etc/cacti/config.php or your Cacti configuration file and set $config['guest_user'] = false;
Restrict Access via Web Server
Block access to graph_view.php for unauthenticated users at the web server level.
For Apache: Add 'Deny from all' to .htaccess for graph_view.php
For Nginx: Add location block denying access to graph_view.php
🧯 If You Can't Patch
- Immediately disable guest user access in Cacti configuration
- Implement strict network segmentation to isolate Cacti instances from critical systems
🔍 How to Verify
Check if Vulnerable:
Check Cacti version via web interface or by examining the Cacti installation directory for version files
Check Version:
grep '\$version' /path/to/cacti/include/global.php | head -1
Verify Fix Applied:
Verify Cacti version is 1.2.25 or higher and test that guest users cannot access graph_view.php
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in Cacti logs
- Multiple failed authentication attempts followed by graph_view.php access
- Unexpected database errors in application logs
Network Indicators:
- Unusual outbound connections from Cacti server
- SQL injection patterns in HTTP requests to graph_view.php
SIEM Query:
source="cacti.log" AND ("graph_view.php" AND (SELECT OR UNION OR DROP OR INSERT))
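The SIEM query above can also be applied offline to web server access logs. The following is an added example, not code from the Cacti project or the advisory: it parses Apache combined-format lines (the sample lines are constructed, including the parameter names), URL-decodes the query string of each request to graph_view.php, and flags the same SQL keywords the query lists.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Sep/2023:12:00:01 +0000] "GET /cacti/graph_view.php?action=tree HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Sep/2023:12:00:05 +0000] "GET /cacti/graph_view.php?action=list&filter=1%20UNION%20SELECT%201 HTTP/1.1" 200 777 "-" "curl/8.1"
198.51.100.9 - - [10/Sep/2023:12:00:09 +0000] "GET /cacti/graphs.php?action=list HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# The keywords from the page's SIEM query, matched as whole words after decoding.
SQL_KEYWORD_RE = re.compile(r'\b(SELECT|UNION|DROP|INSERT)\b', re.IGNORECASE)


def fully_decode(value, rounds=3):
    """URL-decode repeatedly (bounded) so double-encoded input is not missed."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_access_log(text):
    """Return one finding per request to graph_view.php whose decoded
    query string contains one of the SQL keywords."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("graph_view.php"):
            continue
        query = fully_decode(parts.query)
        hit = SQL_KEYWORD_RE.search(query)
        if hit:
            findings.append({"ip": m.group("ip"), "time": m.group("ts"),
                             "status": int(m.group("status")),
                             "keyword": hit.group(1).upper(), "query": query})
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

Keyword matching of this kind will produce false positives on legitimate filter values, so treat a hit as a lead to correlate with the Cacti log and database error entries listed above rather than as confirmation of exploitation.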
🔗 References
- https://github.com/Cacti/cacti/security/advisories/GHSA-6r43-q2fw-5wrg
- https://lists.debian.org/debian-lts-announce/2024/03/msg00018.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CFH3J2WVBKY4ZJNMARVOWJQK6PSLPHFH/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WOQFYGLZBAWT4AWNMO7DU73QXWPXTCKH/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZGB2UXJEUYWWA6IWVFQ3ZTP22FIHMGN/
- https://www.debian.org/security/2023/dsa-5550