Critical SQL Injection Vulnerability Detected in Cacti Monitoring Tool

January 8, 2024

A critical vulnerability, designated as CVE-2023-51448, has been identified in the Cacti network performance monitoring tool. Cacti is a widely used open-source framework that collects network performance data from devices such as routers, switches, and servers. The collected data is then used to generate graphical and visual metrics, providing a comprehensive view of an organization's IT infrastructure. The identified vulnerability can be exploited by attackers to gain access to the entire database of Cacti, thereby posing a significant risk to organizations.

The vulnerability stems from the application's failure to properly sanitize input data, making it susceptible to a blind SQL injection attack. In a blind injection the attacker receives no direct query output; instead, the attacker must infer results from differences in the application's responses. GitHub has rated the severity at 8.8 out of a maximum of 10 on the CVSS 3.1 scale. Only low privileges are required to exploit it.
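The paragraph above describes the two ingredients of a blind SQL injection: input that reaches the query as syntax rather than data, and a yes/no response the attacker can read. The added example below is not code from the article or from the Cacti project; it uses an in-memory SQLite database with a constructed `notification_lists` table (not Cacti's schema) to contrast the vulnerable string-concatenation pattern with the parameterized form. With concatenation, the boolean result of an "exists?" check depends on whatever SQL the input carries, which is exactly the inference channel a blind injection uses; with a bound parameter the same input is compared literally and the channel disappears.

```python
import sqlite3


def build_db():
    # Constructed sample data standing in for a monitoring tool's tables.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE notification_lists (id INTEGER PRIMARY KEY, name TEXT)"
    )
    conn.executemany(
        "INSERT INTO notification_lists (name) VALUES (?)",
        [("ops-team",), ("net-oncall",), ("dba-secret",)],
    )
    conn.commit()
    return conn


def list_exists_unsafe(conn, name):
    # Vulnerable pattern: untrusted input is spliced into the SQL text, so
    # quotes and keywords in it become part of the statement. The caller only
    # learns True/False, which is the kind of response a blind injection
    # turns into an inference oracle.
    sql = "SELECT COUNT(*) FROM notification_lists WHERE name = '" + name + "'"
    return conn.execute(sql).fetchone()[0] > 0


def list_exists_safe(conn, name):
    # Hardened pattern: the value is bound as a parameter, so the database
    # treats it as data regardless of what characters it contains.
    sql = "SELECT COUNT(*) FROM notification_lists WHERE name = ?"
    return conn.execute(sql, (name,)).fetchone()[0] > 0


def compare(name):
    # Returns (unsafe_result, safe_result) for one input so the two
    # behaviours can be compared side by side.
    conn = build_db()
    try:
        return list_exists_unsafe(conn, name), list_exists_safe(conn, name)
    finally:
        conn.close()


if __name__ == "__main__":
    for probe in ["ops-team", "nope", "' OR '1'='1", "' OR name LIKE 'dba%"]:
        print(repr(probe), "->", compare(probe))
```

The last two probes show the problem: the unsafe check answers True for a name that does not exist, and its answer for the `LIKE` probe depends on data in a different row, so an attacker who can only see True/False still learns about the table contents. The safe version answers False for both because the whole string is compared as a literal name.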

Cacti version 1.2.25 is affected. Cacti has released an updated version that addresses the bug. However, Matthew Hogg, the Synopsys security researcher who discovered the vulnerability, warns that exploiting the flaw is straightforward for an attacker with an authenticated account holding the 'Settings/Utilities' privilege. He states, 'Finding systems running Cacti is trivial, as a malicious actor can use a service like Shodan to query for live systems.'

Moreover, Hogg points out that an attacker could chain CVE-2023-51448 with another previously disclosed Cacti vulnerability, CVE-2023-49084, to achieve remote code execution (RCE) on vulnerable systems. He further explains that to trigger CVE-2023-51448, an authenticated attacker with Settings/Utilities privileges would need to send a specially crafted HTTP GET request with an SQL injection payload to the endpoint '/managers.php'.
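Because the trigger described above is an authenticated GET request to '/managers.php', web-server access logs are a natural place to look for attempts, both for this issue and for the broader pattern of SQL syntax arriving in query-string values. The following is an added example, not code from the article or from Cacti: it parses combined-format access log lines, decodes the query string, and flags requests to the watched path whose parameter values contain common SQL metacharacters or keywords. The log lines, IP addresses, parameter names and values are constructed for the example; the vulnerable parameter for CVE-2023-51448 is not named in the article and is not assumed here. The keyword list is a heuristic and will produce false positives on ordinary text containing words like "or" or "and", so treat hits as candidates for review rather than confirmed attacks.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access log (combined log format). Hosts, IPs, timestamps
# and query strings are invented for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Jan/2024:10:14:01 +0000] "GET /cacti/managers.php?action=edit&id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [09/Jan/2024:10:14:03 +0000] "GET /cacti/managers.php?action=edit&id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 5120 "-" "curl/8.4.0"
10.0.0.7 - - [09/Jan/2024:10:14:05 +0000] "GET /cacti/managers.php?action=edit&id=1%20AND%20SLEEP(5) HTTP/1.1" 200 5120 "-" "curl/8.4.0"
10.0.0.9 - - [09/Jan/2024:10:14:09 +0000] "GET /cacti/graph_view.php?action=tree HTTP/1.1" 200 9100 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target proto", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Heuristic indicators of SQL syntax inside a decoded parameter value.
SQLI_RE = re.compile(
    r"('|--|/\*|\bOR\b|\bAND\b|\bUNION\b|\bSLEEP\s*\(|\bBENCHMARK\s*\()",
    re.IGNORECASE,
)


def parse_line(line):
    # Returns a dict with ip, ts, method, path, status and decoded params,
    # or None when the line does not match the expected format.
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qsl percent-decodes values, so encoded quotes become visible.
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def find_suspicious(log_text, watched_path="/managers.php"):
    # Flags GET requests to the watched path with a parameter value that
    # looks like SQL; one hit per request, reporting the first bad parameter.
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        if not rec["path"].endswith(watched_path):
            continue
        for key, value in rec["params"]:
            if SQLI_RE.search(value):
                hits.append(
                    {"ip": rec["ip"], "ts": rec["ts"], "param": key, "value": value}
                )
                break
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} param={hit["param"]} value={hit["value"]!r}')
```

Run against the sample, the two `curl` requests from 10.0.0.7 are flagged and the ordinary requests are not. In practice you would also correlate the client with the Cacti user session and its privilege level, since the article notes the request must come from an authenticated account with the Settings/Utilities privilege.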

In addition to these vulnerabilities, there have been several other vulnerabilities reported in Cacti over the past year. These include CVE-2022-46169, an unauthenticated command injection vulnerability disclosed last January, and CVE-2023-39362, a vulnerability disclosed in June. Exploits for both vulnerabilities have become publicly available.
