CVE-2023-39362
📋 TL;DR
This vulnerability allows authenticated privileged users in Cacti 1.2.24 to perform command injection through SNMP device configuration, leading to remote code execution on the underlying server. The issue occurs in lib/snmp.php where user input is passed to exec() without proper validation. Only organizations running vulnerable Cacti versions with privileged authenticated users are affected.
💻 Affected Systems
- Cacti
📦 What is this software?
Cacti by Cacti
Fedora by Fedoraproject
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise with attacker gaining root/system-level access, data exfiltration, lateral movement, and persistent backdoor installation.
Likely Case
Privileged authenticated user exploits the vulnerability to execute arbitrary commands, potentially compromising the Cacti server and accessing sensitive monitoring data.
If Mitigated
With proper access controls and network segmentation, impact is limited to the Cacti application server only.
🎯 Exploit Status
Exploitation requires authenticated privileged user access; public exploit code exists on Packet Storm
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.25
Vendor Advisory: https://github.com/Cacti/cacti/security/advisories/GHSA-g6ff-58cj-x3cp
Restart Required: No
Instructions:
1. Back up the Cacti configuration and database.
2. Download Cacti 1.2.25 from the official repository.
3. Replace the existing installation files with the new version.
4. Run the database upgrade if prompted.
🔧 Temporary Workarounds
No known workarounds
Vendor states there are no known workarounds for this vulnerability
🧯 If You Can't Patch
- Restrict access to Cacti administration interface to only trusted users and networks
- Implement strict privilege separation and limit privileged user accounts to absolute minimum
🔍 How to Verify
Check if Vulnerable:
Check the Cacti version in the web interface, or examine include/global.php for the version number
Check Version:
grep '\$config\["cacti_version"\]' include/global.php
Verify Fix Applied:
Confirm the version is 1.2.25 or later and test SNMP device configuration functionality
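The version check above, as an added script that is not part of the advisory: it reads the cacti_version setting out of include/global.php (accepting either quote style), compares it numerically against the fixed version 1.2.25, and reports vulnerable, patched or unknown. The path passed in and the file contents used in testing are constructed here.

```sh
#!/bin/sh
# Added example, not vendor code: classify a Cacti install as vulnerable or
# patched for CVE-2023-39362 from the version string in include/global.php.

FIXED_VERSION="1.2.25"   # first release containing the fix (per advisory)

# Extract the version from a global.php path; matches lines such as
#   $config["cacti_version"] = "1.2.24";   or   $config['cacti_version'] = '1.2.24';
cacti_version_from_file() {
    sed -n "s/.*[\$]config\[[\"']cacti_version[\"']\][[:space:]]*=[[:space:]]*[\"']\([^\"']*\)[\"'].*/\1/p" "$1" | head -n 1
}

# Return 0 (true) when dotted version $1 is lower than $2, comparing each
# field numerically so that 1.2.9 < 1.2.25 (a plain string compare gets this wrong).
version_lt() {
    a="$1" b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        x="${x%%[!0-9]*}"; y="${y%%[!0-9]*}"   # drop any non-numeric suffix
        x="${x:-0}"; y="${y:-0}"                # missing field counts as 0
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 1
}

# Print "vulnerable", "patched" or "unknown" for a version string.
classify_version() {
    if [ -z "$1" ]; then
        echo unknown
    elif version_lt "$1" "$FIXED_VERSION"; then
        echo vulnerable
    else
        echo patched
    fi
}

# Wrapper over a file path, e.g. check_cacti_install /var/www/cacti/include/global.php
check_cacti_install() {
    classify_version "$(cacti_version_from_file "$1")"
}
```

An "unknown" result means the setting was not found in the file, so fall back to the version shown in the web interface rather than assuming the host is patched.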
📡 Detection & Monitoring
Log Indicators:
- Unusual exec() calls from Cacti processes
- Suspicious commands in Cacti logs related to SNMP configuration
- Multiple failed authentication attempts followed by successful privileged login
Network Indicators:
- Unexpected outbound connections from Cacti server
- Unusual SNMP traffic patterns
SIEM Query:
source="cacti.log" AND ("exec" OR "system" OR "shell_exec") AND NOT expected_command
🔗 References
- http://packetstormsecurity.com/files/175029/Cacti-1.2.24-Command-Injection.html
- https://github.com/Cacti/cacti/security/advisories/GHSA-g6ff-58cj-x3cp
- https://lists.debian.org/debian-lts-announce/2024/03/msg00018.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CFH3J2WVBKY4ZJNMARVOWJQK6PSLPHFH/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WOQFYGLZBAWT4AWNMO7DU73QXWPXTCKH/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZGB2UXJEUYWWA6IWVFQ3ZTP22FIHMGN/
- https://www.debian.org/security/2023/dsa-5550
- https://www.vicarius.io/vsociety/posts/command-injection-in-cacti-cve-2023-39362