- Censys stated that only 26 of 6,427 observed Cacti hosts are running the patched version of the open-source solution.
- The Shadowserver Foundation stated in a post that an unauthenticated remote command injection vulnerability is being exploited.
- Cacti published an advisory about the vulnerability on December 5 and released patched versions, but the majority of hosts are still running older versions.
Censys, an attack surface management platform, stated that it observed 6,427 hosts running Cacti, an open-source network monitoring solution, and that most of them are running unpatched versions. Cacti released an advisory stating that it had discovered a command injection vulnerability that allows an unauthenticated user to execute arbitrary code on a server running Cacti if a specific data source was selected for any monitored device. The vulnerability, tracked as CVE-2022-46169, affects all versions up to and including 1.2.22.
Being exploited
According to the Shadowserver Foundation’s post, the vulnerability has been exploited in the wild since at least the 7th of January. However, Censys’ research shows that most organizations didn’t take the vulnerability seriously. Out of 6,427 hosts, only 26 are running one of the patched versions. 1,320 of these hosts are in Brazil, 795 in Indonesia, 254 in the United States, and 104 in China.
The patch was released with versions 1.2.23 and 1.3.0 to protect users from the vulnerability, which has a CVSS score of 9.8. The vulnerability is caused by how Cacti processes a specific HTTP query for a specific type of polling “action” defined in the database. According to the announcement, one of the query arguments used to execute these PHP scripts is not properly sanitized and is passed along to the execution call, resulting in a command injection. Another bug was also discovered that allows attackers to bypass authentication completely. Censys said:
« While not all monitoring software like Cacti has a known vulnerability (currently), this is no excuse to leave them facing publicly on the internet if they don’t have to be, especially since the data held within is highly valuable. Censys always suggests enabling authentication and placing monitoring services behind a VPN or VPC segment, along with proper IP filtering rules to ensure the internet doesn’t have any access to your critical resources.
Attackers can use other services like Cacti to obtain intel about an organization. For example, the system monitoring tool Netdata provides real-time, host-level system metrics about the device it is running on. It also does not come with authentication by default, meaning that anyone with a web browser can view the inner workings of a server and all of the juicy details contained within. And at the time of writing, there were over 30,000 internet-facing Netdata dashboards. »
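To check your own exposure against the version boundary in the advisory (all versions up to and including 1.2.22 affected; 1.2.23 and 1.3.0 fixed), the following added example, which is not code from Censys, Shadowserver or the Cacti project, classifies an inventory of Cacti hosts. The `host,version` input format, the function names and the sample addresses are assumptions constructed for illustration.

```python
import re
from collections import Counter

# First fixed release on the 1.2.x line, per the advisory cited above;
# 1.3.0 is also fixed and compares greater than this.
FIRST_FIXED = (1, 2, 23)
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)([a-z]?)$")

def classify(version):
    """Return 'patched', 'vulnerable' or 'unknown' for a Cacti version string."""
    m = VERSION_RE.match(version.strip().lower())
    if not m:
        return "unknown"  # unparseable or missing banner: check the host by hand
    # A trailing letter (as in 0.8.8h) is ignored, so a lettered build never
    # counts as newer than its base version (the conservative reading).
    triple = tuple(int(x) for x in m.groups()[:3])
    return "patched" if triple >= FIRST_FIXED else "vulnerable"

def triage(inventory_lines):
    """Classify 'host,version' lines; return (per-host results, counts)."""
    results = []
    for line in inventory_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        results.append((host.strip(), version.strip(), classify(version)))
    return results, Counter(status for _, _, status in results)

# Constructed sample inventory (documentation addresses, not real hosts).
SAMPLE = """\
# host,version
192.0.2.10,1.2.22
192.0.2.11,1.2.23
192.0.2.12,1.3.0
192.0.2.13,0.8.8h
192.0.2.14,1.2.x
192.0.2.15,
"""

if __name__ == "__main__":
    rows, counts = triage(SAMPLE.splitlines())
    for host, version, status in rows:
        print(f"{host:<12} {version or '-':<8} {status}")
    print(dict(counts))
```

Hosts reported as `unknown` are deliberately not counted as patched, since a missing or malformed version string says nothing about the installed release.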