Cacti is an open-source platform that provides a robust and extensible operational monitoring and fault management framework for users.
Researchers from Censys discovered that the majority of internet-exposed Cacti servers are vulnerable to the critical flaw CVE-2022-46169 which is under active exploitation in the wild.
The flaw is a command injection vulnerability that can be exploited by an unauthenticated user to execute arbitrary code on a server running Cacti, if a specific data source was selected for any monitored device. The flaw resides in the `remote_agent.php` file that can be accessed by any unauthenticated user. The vulnerability affects versions 1.2.22 and below.
“A command injection vulnerability allows an unauthenticated user to execute arbitrary code on a server running Cacti, if a specific data source was selected for any monitored device.” reads the advisory.
The researcher noticed that most of the Cacti servers are running outdated versions, with only 26 servers are running a patched version of Cacti (1.2.23 and 1.3.0).
Most hosts running Cacti are in Brazil (20.54%), followed by Indonesia (12.37%) and the United States (3.95%).
| Country | hosts | |
| Brazil | 1,320 | 20.54% |
| Indonesia | 795 | 12.37% |
| United States | 254 | 3.95% |
| China | 193 | 3.0% |
| Bangladesh | 104 | 1.62% |
| Russia | 99 | 1.54% |
| Ukraine | 93 | 1.45% |
| Philippines | 70 | 1.09% |
| Thailand | 65 | 1.01% |
| United Kingdom | 56 | 0.87% |
The vulnerability was discovered by Sonarsource researchers, who provided details about the issue and published a video PoC demonstrating the exploitation of a server running a vulnerable version of Cacti:
Shadowserver researchers reported that threat actors are actively exploiting the issue since January 3rd, 2023, in some attacks attackers triggered the issue to deploy malware on the vulnerable hosts.
GreyNoise experts also observed attacks in the wild exploiting the flaw.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, CVE-2022-46169)
[adrotate banner=”5″]
[adrotate banner=”13″]
A critical vulnerability in the WordPress Automatic plugin is being exploited to inject backdoors and…
As cryptocurrencies have grown in popularity, there has also been growing concern about cybercrime involvement…
Healthcare service provider Kaiser Permanente disclosed a security breach that may impact 13.4 million individuals…
Over 1,400 CrushFTP internet-facing servers are vulnerable to attacks exploiting recently disclosed CVE-2024-4040 vulnerability. Over…
A ransomware attack on a Swedish logistics company Skanlog severely impacted the country's liquor supply. …
CISA adds Cisco ASA and FTD and CrushFTP VFS vulnerabilities to its Known Exploited Vulnerabilities…
This website uses cookies.
