CVE-2023-49084
📋 TL;DR
CVE-2023-49084 is an authenticated remote code execution flaw in Cacti's link.php component. An SQL injection in that script, combined with insufficient processing of an include file path, lets a logged-in Cacti user make link.php include a file of the attacker's choosing and so execute arbitrary PHP on the server with the privileges of the web server process (typically www-data or apache). Cacti releases before 1.2.26 are affected; 1.2.26 contains the fix.
💻 Affected Systems
- Cacti, releases before 1.2.26
📦 What is this software?
Cacti is an open-source network monitoring and graphing framework maintained by the Cacti Group: a PHP web front end backed by a MySQL/MariaDB database, with RRDtool for time-series storage and a poller that collects SNMP and script data from monitored devices. Because it holds SNMP community strings and other device credentials, a compromised Cacti server is a useful pivot point into the monitored network.
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise allowing attackers to execute arbitrary commands, steal data, install backdoors, pivot to other systems, and maintain persistent access.
Likely Case
Attackers gain shell access to the server, potentially compromising the Cacti database, modifying monitoring data, and using the server as a foothold for lateral movement.
If Mitigated
Limited impact due to network segmentation, minimal privileges, and monitoring that detects exploitation attempts before full compromise.
🎯 Exploit Status
Exploitation requires a valid Cacti login, but nothing beyond that: the SQL injection lets the attacker control the query result that link.php uses as an include path, so a successful injection becomes code execution rather than just data disclosure. Proof-of-concept material for the Cacti SQL injection advisories fixed in 1.2.26 is public (see References), so assume the bar is low for anyone who already holds, or can phish or brute-force, Cacti credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.26 and later
Vendor Advisory: https://github.com/Cacti/cacti/security/advisories/GHSA-pfh9-gwm6-86vp
Restart Required: No (the fix replaces PHP files in place; if PHP opcache runs with opcache.validate_timestamps=0, restart PHP-FPM or the web server so the old link.php is not served from cache)
Instructions:
1. Back up your Cacti database and configuration.
2. Download Cacti 1.2.26 or later from the official repository, or install the patched package from your distribution.
3. Follow the upgrade instructions at https://docs.cacti.net/Upgrading.
4. Verify that the installation works correctly and that the reported version is 1.2.26 or later.
🔧 Temporary Workarounds
Restrict access to link.php
Temporarily block access to the vulnerable link.php file in the web server configuration (or with firewall rules in front of it). This also disables Cacti's External Links pages, which link.php renders, until the upgrade.
# Apache 2.4 (mod_authz_core): add to the Cacti <Directory> block, or to .htaccess if AllowOverride permits it
<Files "link.php">
    Require all denied
</Files>
# Apache 2.2 equivalent of the block above
# <Files "link.php">
#     Order deny,allow
#     Deny from all
# </Files>
# Nginx: add to the server block BEFORE the generic "location ~ \.php$" handler;
# nginx uses the first matching regex location, so a later block would never be reached
location ~ /link\.php$ {
    deny all;    # deny all already answers 403; return 403 is kept for clarity
    return 403;
}
Remove vulnerable file
Temporarily rename or remove the link.php file to prevent exploitation while keeping the rest of Cacti working. Cacti's External Links pages stop rendering while the file is moved; do not move it back, since the upgrade to 1.2.26 ships a fixed link.php (a package upgrade will replace the file in place).
mv /path/to/cacti/link.php /path/to/cacti/link.php.disabled
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Cacti servers from critical systems.
- Enforce strong authentication controls and monitor for suspicious account activity.
🔍 How to Verify
Check if Vulnerable:
Cacti 1.x stores its version string in include/cacti_version (older 0.8.x releases set $config['cacti_version'] in include/global.php); the same value is shown on the Console About page and in the cacti column of the version table in the Cacti database. Any upstream version below 1.2.26 is vulnerable. For distribution packages (Debian, Fedora) the fix may be backported under an older upstream version number, so compare the package version against the distribution advisory in References rather than relying on the upstream number alone.
Check Version:
cat /path/to/cacti/include/cacti_version
# or, from the Cacti database (database name cacti is the default)
mysql -e 'SELECT cacti FROM version;' cacti
Verify Fix Applied:
Verify the installed version is 1.2.26 or later and test that link.php functionality works without errors.
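A small checker for the version string, as an added example for this page (not Cacti project code): it parses the string found in include/cacti_version or the version table, tolerates the letter suffixes used by the 0.8.x series, and reports whether the upstream version is older than 1.2.26. The file path passed to check_file is an assumption, and, as noted above, a distribution backport is not detected by an upstream version comparison.

```python
"""Decide whether a Cacti upstream version string is affected by CVE-2023-49084.

Added example for this page, not Cacti project code. The version text comes
from include/cacti_version (path assumed) or from `SELECT cacti FROM version`.
"""
import re
import sys

FIXED = (1, 2, 26)  # first release containing the link.php fix

VERSION_RE = re.compile(r"\s*(\d+)\.(\d+)\.(\d+)([a-z]?)\s*")


def parse_version(text):
    """Turn '1.2.25', '1.2.25a' or '0.8.8h' into (major, minor, patch, suffix).

    Numeric parts compare numerically; the optional trailing letter (0.8.x
    style) is kept so the string is accepted, but does not affect the check.
    """
    m = VERSION_RE.fullmatch(text)
    if not m:
        raise ValueError(f"unrecognised Cacti version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch), suffix)


def is_vulnerable(version_text):
    """True when the upstream version is older than 1.2.26."""
    return parse_version(version_text)[:3] < FIXED


def check_file(path):
    """Read include/cacti_version (hypothetical path) and return the verdict."""
    with open(path, encoding="utf-8") as fh:
        return is_vulnerable(fh.read())


if __name__ == "__main__":
    # Usage: python check_cacti_version.py /path/to/cacti/include/cacti_version
    target = sys.argv[1] if len(sys.argv) > 1 else "/path/to/cacti/include/cacti_version"
    verdict = "VULNERABLE (upgrade to 1.2.26+)" if check_file(target) else "not affected by upstream version"
    print(f"{target}: {verdict}")
```

Distribution packages that backport the fix keep their own version numbers; for those, the package changelog or the advisory in References is the authority, not this comparison.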
📡 Detection & Monitoring
Log Indicators:
- Requests to link.php in the web server access log whose query string contains quotes, SQL keywords (UNION, SELECT), comment sequences (--, /*) or encoded path components (../, %2e%2e/), especially from automation user agents such as python-requests or curl
- MySQL syntax errors in Cacti's log/cacti.log that coincide with requests to link.php
- New or modified .php files under the Cacti web root or other web-writable directories, and PHP worker processes (php-fpm, apache) spawning shells
- Multiple failed authentication attempts followed by a successful login, or a low-privilege account that suddenly starts requesting link.php
Network Indicators:
- Unusual outbound connections from the Cacti server (it normally only polls monitored devices and talks to its database)
- Traffic patterns suggesting command and control communication
SIEM Query:
source="access.log" AND uri="*link.php*" AND (uri="*'*" OR uri="*%27*" OR uri="*UNION*" OR uri="*../*" OR uri="*%2e%2e*")
source="cacti.log" AND ("link.php" OR "SQL error" OR "You have an error in your SQL syntax")
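The access-log indicators above can be checked mechanically. The following is an added example for this page, not Cacti project code or a published detection rule: it parses Apache/nginx combined-format log lines, percent-decodes the query string of every request to link.php, and reports generic SQL-injection and include-path indicators per request and per source address. The log lines are constructed for the example, the id parameter name in them is illustrative, and the patterns are generic; they are not the CVE-2023-49084 proof-of-concept.

```python
"""Flag suspicious requests to Cacti's link.php in web server access logs.

Added example for this page, not Cacti project code. Input is the "combined"
log format that Apache and nginx emit by default. The indicator patterns are
generic SQL-injection / include-path shapes, not the public exploit.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample log lines (not real traffic); the id parameter is illustrative.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jan/2024:10:00:01 +0000] "GET /cacti/link.php?id=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jan/2024:10:00:05 +0000] "GET /cacti/link.php?id=3%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.10 - - [10/Jan/2024:10:00:09 +0000] "GET /cacti/link.php?id=3%27%20UNION%20SELECT%20%27../../tmp/x.php%27-- HTTP/1.1" 200 331 "-" "python-requests/2.31"
198.51.100.7 - - [10/Jan/2024:10:01:00 +0000] "GET /cacti/graph_view.php?action=tree HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2024:10:01:30 +0000] "GET /cacti/link.php HTTP/1.1" 403 199 "-" "curl/8.4.0"
"""

# Combined log format: ip ident user [time] "METHOD target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Generic indicators, applied to the percent-decoded query string.
INDICATORS = {
    "sql_keyword": re.compile(r"\b(union|select|sleep|benchmark|load_file|into\s+outfile)\b", re.I),
    "sql_quote_or_comment": re.compile(r"'|--|/\*|#"),
    "path_traversal": re.compile(r"\.\./|\.\.\\"),
    "php_in_query": re.compile(r"\.php\b", re.I),
}


def parse_line(line):
    """Return a dict of fields for a combined-format line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    path, _, query = entry["target"].partition("?")
    entry["path"] = path
    # Decode twice so a double-encoded payload (e.g. %2527 for a quote) is still visible.
    entry["query"] = unquote_plus(unquote_plus(query))
    return entry


def indicators_for(entry):
    """Names of the indicator patterns that match the decoded query string, in table order."""
    return [name for name, pat in INDICATORS.items() if pat.search(entry["query"])]


def scan(log_text):
    """One finding per link.php request whose query string trips at least one indicator."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or not entry["path"].endswith("/link.php"):
            continue
        hits = indicators_for(entry)
        if hits:
            findings.append({"ip": entry["ip"], "ts": entry["ts"], "status": entry["status"],
                             "ua": entry["ua"], "query": entry["query"], "indicators": hits})
    return findings


def summarize(findings):
    """Count suspicious link.php requests per source address."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} ua={f['ua']!r} "
              f"indicators={','.join(f['indicators'])} query={f['query']!r}")
    print("per-source counts:", summarize(scan(SAMPLE_LOG)))
```

Run it against the real access log with `scan(open("/var/log/apache2/access.log").read())`; a source with several hits, or any hit answered with HTTP 200 rather than 403, deserves a look at cacti.log and at recently modified .php files for the same time window. Because the decoded query is kept in the finding, the analyst sees the actual payload rather than only the pattern name.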
🔗 References
- http://packetstormsecurity.com/files/176995/Cacti-pollers.php-SQL-Injection-Remote-Code-Execution.html
- https://github.com/Cacti/cacti/security/advisories/GHSA-pfh9-gwm6-86vp
- https://lists.debian.org/debian-lts-announce/2024/03/msg00018.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/