CVE-2020-14295
published 2020-06-17

Priority: P2 · 67 · high
CVSS 3.1: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 86.33% (99.7th percentile)
A SQL injection issue in color.php in Cacti 1.2.12 allows an admin to inject SQL via the filter parameter. This can lead to remote command execution because the product accepts stacked queries.

Affected

11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cacti | cacti | | |
| cacti | cacti | >= 0 < 1.2.13+ds1-1 | 1.2.13+ds1-1 |
| cacti | cacti | >= 0 < 1.2.13+ds1-1 | 1.2.13+ds1-1 |
| cacti | cacti | >= 0 < 1.2.13+ds1-1 | 1.2.13+ds1-1 |
| cacti | cacti | >= 0 < 1.2.13+ds1-1 | 1.2.13+ds1-1 |
| cacti | cacti | >= 0 < 0.8.8f+ds1-4ubuntu4.16.04.2+esm1 | 0.8.8f+ds1-4ubuntu4.16.04.2+esm1 |
| cacti | cacti | >= 0 < 1.1.38+ds1-1ubuntu0.1~esm1 | 1.1.38+ds1-1ubuntu0.1~esm1 |
| cacti | cacti | >= 0 < 1.2.10+ds1-1ubuntu1+esm1 | 1.2.10+ds1-1ubuntu1+esm1 |
| debian | cacti | < cacti 1.2.13+ds1-1 (bookworm) | cacti 1.2.13+ds1-1 (bookworm) |
| fedoraproject | fedora | | |
| fedoraproject | fedora | | |

Detection & IOCs (extracted from sources)

path: /cacti/color.php
path: /cacti/index.php
command: ')+UNION+SELECT+1,username,password,4,5,6,7+from+user_auth;update+settings+set+value='{rshell};'+where+name='path_php_binary';--+-
url: /cacti/color.php?action=export&header=false&filter=1
  • Monitor HTTP GET requests to /cacti/color.php containing SQL metacharacters (e.g., single quotes, UNION SELECT, stacked semicolons) in the 'filter' query parameter.
  • Detect stacked SQL queries targeting the Cacti 'settings' table — specifically UPDATE statements setting 'path_php_binary' to an attacker-controlled shell command, followed by a trigger via host.php?action=reindex.
  • Alert on HTTP requests to /cacti/host.php?action=reindex immediately following suspicious requests to color.php, as this is the trigger step for RCE after the SQLi payload is planted.
  • Look for reverse shell indicators on the host: creation of /tmp/f as a named pipe (mkfifo) combined with outbound nc (netcat) connections, which is the payload delivered via this exploit.
  • Detect UNION-based SQL injection in color.php filter parameter targeting the user_auth table to harvest credentials: look for 'UNION+SELECT' and 'from+user_auth' in URL query strings.
  • Exploitation requires authenticated admin-level access to Cacti; this is not an unauthenticated vulnerability. Detections should account for the attacker first authenticating via /cacti/index.php before issuing the SQLi payload.
  • The exploit resets the path_php_binary value after execution, which may limit forensic artefacts in the settings table post-exploitation.
  • Fixed in Cacti 1.2.13; Debian packages resolved in 1.2.13+ds1-1. Ensure the patched version is deployed to eliminate the attack surface entirely.
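
The correlation described in the bullets above (SQL metacharacters in the color.php filter parameter, followed by host.php?action=reindex from the same client), as an added Python example that is not part of the original page. The log lines are constructed, and the rule names, the five-minute window and the combined-log format are assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, unquote_plus

# Constructed access-log lines (documentation IPs), not taken from a real incident.
SAMPLE_LOG = """\
198.51.100.7 - - [17/Jun/2020:10:00:01 +0000] "GET /cacti/color.php?action=export&header=false&filter=red HTTP/1.1" 200 512
203.0.113.9 - - [17/Jun/2020:10:05:10 +0000] "POST /cacti/index.php HTTP/1.1" 302 0
203.0.113.9 - - [17/Jun/2020:10:05:12 +0000] "GET /cacti/color.php?action=export&header=false&filter=1')+UNION+SELECT+1,username,password,4,5,6,7+from+user_auth;--+- HTTP/1.1" 200 2048
203.0.113.9 - - [17/Jun/2020:10:05:13 +0000] "GET /cacti/host.php?action=reindex HTTP/1.1" 200 128
198.51.100.7 - - [17/Jun/2020:11:00:00 +0000] "GET /cacti/host.php?action=reindex HTTP/1.1" 200 128
"""
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" \d{3}')
RULES = {  # applied to the URL-decoded value of the 'filter' parameter
    "quote": re.compile(r"'"),
    "union_select": re.compile(r"\bunion\s+select\b", re.I),
    "stacked_query": re.compile(r";"),
    "user_auth": re.compile(r"\bfrom\s+user_auth\b", re.I),
    "path_php_binary": re.compile(r"path_php_binary", re.I),
}

def filter_hits(url):
    """Names of RULES matched by the decoded 'filter' parameter of a color.php request."""
    parts = urlsplit(url)
    if not parts.path.endswith("/color.php"):
        return []
    m = re.search(r"(?:^|&)filter=([^&]*)", parts.query)
    value = unquote_plus(m.group(1)) if m else ""
    return [name for name, rx in RULES.items() if rx.search(value)]

def detect(log_text, window=timedelta(minutes=5)):
    """One alert per suspicious color.php request; flag it if the same client
    calls host.php?action=reindex within `window` (the trigger step)."""
    alerts, pending = [], {}  # pending: client IP -> latest alert for that client
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, ts, url = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        hits = filter_hits(url)
        if hits:
            pending[ip] = {"ip": ip, "time": when, "rules": hits, "reindex_followed": False}
            alerts.append(pending[ip])
        elif "/host.php" in url and "action=reindex" in url and ip in pending:
            if when - pending[ip]["time"] <= window:
                pending[ip]["reindex_followed"] = True
    return alerts
```

Calling detect(SAMPLE_LOG) returns a single alert for 203.0.113.9 with reindex_followed set; the later reindex from 198.51.100.7 is ignored because that client never sent a suspicious filter value.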

CVSS provenance

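| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| osv | | 7.2 | HIGH | |
| vendor_debian | | 7.2 | HIGH | |
| vendor_ubuntu | | 4.3 | MEDIUM | |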