CVE-2020-7237
published 2020-01-20


Priority: P2 (70, high)
CVSS 3.1: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 36.82% (98.3th percentile)
Cacti 1.2.8 allows Remote Code Execution (by privileged users) via shell metacharacters in the Performance Boost Debug Log field of poller_automation.php. OS commands are executed when a new poller cycle begins. The attacker must be authenticated, and must have access to modify the Performance Settings of the product.

Affected (6 ranges)

Vendor   Product  Version range                    Fixed in
cacti    cacti
cacti    cacti    >= 0 < 1.2.9+ds1-1               1.2.9+ds1-1
cacti    cacti    >= 0 < 1.2.9+ds1-1               1.2.9+ds1-1
cacti    cacti    >= 0 < 1.2.9+ds1-1               1.2.9+ds1-1
cacti    cacti    >= 0 < 1.2.9+ds1-1               1.2.9+ds1-1
debian   cacti    < cacti 1.2.9+ds1-1 (bookworm)   cacti 1.2.9+ds1-1 (bookworm)

Detection & IOCs (extracted from sources)

path: poller_automation.php
  • Monitor for shell metacharacter injection in the 'Performance Boost Debug Log' field of Cacti's poller_automation.php, which triggers OS command execution at the start of a new poller cycle.
  • Exploitation requires an authenticated session with privileges to modify Performance Settings; alert on privileged configuration changes to Cacti Performance Boost settings.
  • External PoC/exploit details published at https://ctrsec.io/index.php/2020/01/25/cve-2020-7237-remote-code-execution-in-cacti-rrdtool/ — review for additional attack patterns.
  • Vulnerability only affects Cacti 1.2.8; fixed in 1.2.9. Verify the installed Cacti version before triaging alerts.
  • OS commands execute at the start of a new poller cycle, not immediately upon saving the malicious log path; detection must account for this delayed execution window.

CVSS provenance

nvd            v3.1   8.8   HIGH       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd            v2.0   9.0   CRITICAL   AV:N/AC:L/Au:S/C:C/I:C/A:C
osv                   8.8   HIGH
vendor_debian         8.8   HIGH