SQLi vulnerability in Cacti network monitoring exposes it to remote code execution
Take action: This issue is not rated critical because exploiting it requires an authenticated user. Your network management team should still plan to patch your Cacti instance, because attackers routinely obtain authenticated sessions anyway, usually through leaked passwords or phishing.
Learn More
A blind SQL injection vulnerability, tracked as CVE-2023-51448 (CVSS score 8.8), has been discovered in Cacti, a popular network monitoring and fault management framework. Cacti, used extensively in network operation centers by telecom and web hosting providers, collects and stores network performance data in RRDtool.
This vulnerability was found in Cacti's SNMP Notification Receivers feature and could lead to the disclosure of all database contents or, under certain database configurations, enable remote code execution (RCE). The vulnerability stems from insufficient sanitization of the 'selected_graphs_array' HTTP GET parameter in the 'managers.php' endpoint. An authenticated attacker with 'Settings/Utilities' access could exploit this flaw by sending a specially crafted HTTP GET request, leading to SQL injection. The request carries a serialized array containing the SQLi payload; the endpoint deserializes it, concatenates the values into a raw SQL query, and executes it, potentially exposing sensitive information or allowing arbitrary file operations.
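The pattern described above (a serialized array taken from a request parameter, deserialized, and spliced into SQL text) is easy to recognize and easy to fix. The following PHP snippet is an added illustration written for this article, not Cacti's own code; the table name `graphs`, the function names, and the in-memory SQLite setup are assumptions. It shows the unsafe shape beside a hardened version that validates every element as an integer and binds it as a query parameter, so the values never become part of the SQL statement.

```php
<?php
// Added illustration, not Cacti's code: the pattern behind CVE-2023-51448
// (serialized array from a GET parameter, deserialized, concatenated into SQL)
// shown in an unsafe form and a hardened form. Table and column names are assumptions.

/** Unsafe: trusts whatever the deserialized array holds and builds SQL by concatenation. */
function fetch_graphs_unsafe(PDO $db, string $raw): array
{
    $ids = unserialize($raw);                 // structure and contents are attacker-controlled
    $list = implode(',', $ids);               // every element lands in the SQL text verbatim
    $sql = "SELECT id, title FROM graphs WHERE id IN ($list)";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/** Hardened: constrain the input's shape, cast each element, and bind parameters. */
function fetch_graphs_safe(PDO $db, string $raw): array
{
    // Refuse object instantiation during unserialize; only a flat array of ids is expected.
    $ids = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($ids) || $ids === []) {
        return [];
    }
    $clean = [];
    foreach ($ids as $id) {
        // Accept only plain non-negative integers; anything else is rejected, not "cleaned".
        if (!is_int($id) && !(is_string($id) && ctype_digit($id))) {
            throw new InvalidArgumentException('selected_graphs_array must contain integer ids');
        }
        $clean[] = (int) $id;
    }
    // One placeholder per id: the driver passes values separately from the SQL text.
    $placeholders = implode(',', array_fill(0, count($clean), '?'));
    $stmt = $db->prepare("SELECT id, title FROM graphs WHERE id IN ($placeholders)");
    $stmt->execute($clean);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Self-contained demo against an in-memory SQLite database with constructed sample rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE graphs (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO graphs VALUES (1,'wan-in'),(2,'wan-out'),(3,'lan-core')");

$benign = serialize([1, 3]);
var_dump(fetch_graphs_safe($db, $benign));   // returns rows 1 and 3

$tampered = serialize(['1 OR 1=1']);         // constructed non-integer element (textbook fragment)
try {
    fetch_graphs_safe($db, $tampered);
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . PHP_EOL;
}
```

Two design points worth noting. First, the hardened version rejects malformed elements instead of trying to strip SQL syntax out of them; a whitelist of the expected type is far smaller and more reliable than a blacklist of dangerous characters. Second, `unserialize()` on untrusted input is itself a risk independent of SQL injection, so where the format can be changed, a JSON array of integers parsed with `json_decode()` is preferable to PHP's native serialization even with `allowed_classes` disabled.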
This vulnerability has been patched in Cacti version 1.2.26, released in late December 2023. Although there is no current evidence of CVE-2023-51448 being exploited in the wild, users are strongly advised to upgrade to the patched version to secure their systems against potential exploits.