CVE-2023-39361
published 2023-09-05

CVE-2023-39361: Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a SQL injection discovered in graph_view.php…

Priority: P186
Severity: critical, CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: yes
EPSS: 87.58% (99.7th percentile)
Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a SQL injection discovered in graph_view.php. Since guest users can access graph_view.php without authentication by default, if guest users are being utilized in an enabled state, there could be the potential for significant damage. Attackers may exploit this vulnerability, and there may be possibilities for actions such as the usurpation of administrative privileges or remote code execution. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected

9 ranges

Vendor          Product   Version range                              Fixed in
cacti           cacti     < 1.2.25                                   1.2.25
cacti           cacti     (not given)                                (not given)
cacti           cacti     >= 0 < 1.2.16+ds1-2+deb11u2                1.2.16+ds1-2+deb11u2
cacti           cacti     >= 0 < 1.2.24+ds1-1+deb12u1                1.2.24+ds1-1+deb12u1
cacti           cacti     >= 0 < 1.2.25+ds1-1                        1.2.25+ds1-1
cacti           cacti     >= 0 < 1.2.25+ds1-1                        1.2.25+ds1-1
debian          cacti     < cacti 1.2.24+ds1-1+deb12u1 (bookworm)    cacti 1.2.24+ds1-1+deb12u1 (bookworm)
fedoraproject   fedora    (not given)                                (not given)
fedoraproject   fedora    (not given)                                (not given)

Detection & IOCs (extracted from sources)

path: /graph_view.php
url: /graph_view.php?action=tree_content&node=1-1-tree_anchor&rfilter=%22or+%22%22%3D%22%28%28%22%29%29%3BSELECT+SLEEP%2810%29%3B--+-
  • Detect time-based blind SQL injection attempts against graph_view.php via the rfilter parameter; look for URL-encoded payloads containing SLEEP() or similar time-delay functions in the rfilter query parameter.
  • Unauthenticated exploitation is possible when guest users are enabled; monitor for requests to graph_view.php from unauthenticated sessions (no valid session cookie) carrying SQL metacharacters in the rfilter parameter.
  • Use response timing as a detection signal: a successful time-based SQLi payload will cause the server response to be delayed by the injected SLEEP duration (e.g., ≥10 seconds).
  • Shodan/FOFA fingerprinting for exposed Cacti instances can be performed using the favicon hash -1797138069 or page titles 'Login to Cacti' / 'cacti'.
  • Exploitation without authentication requires guest user accounts to be enabled in Cacti; if guest users are disabled, the attack surface is reduced to authenticated users only.
  • The vulnerability is fixed in Cacti version 1.2.25; instances running 1.2.24 and earlier are affected. There are no known workarounds; upgrading is the only remediation.
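The detection heuristics in the bullets above (SQL metacharacters and time-delay functions in a decoded rfilter value, a delayed response, and a request with no session cookie), implemented as a small access-log scanner. This is an added example written for this page, not code from the Cacti project or from the page's sources. It assumes a custom Apache-style log format that appends the request's Cookie header and the response time in seconds to the combined format, that Cacti's session cookie is named Cacti (its default, assumed here), and that legitimate rfilter values contain no quotes, semicolons or comment markers. The log lines are constructed; the third one carries the URL listed as an IoC above.

```python
"""Flag suspected time-based SQL injection attempts against Cacti's graph_view.php
in web-server access logs. Added example; not part of Cacti or of the page's sources."""
import re
from urllib.parse import parse_qs, urlsplit

# Assumed log format: Apache combined fields, then the Cookie request header in
# quotes, then the response time in seconds as the last field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)" (?P<secs>[\d.]+)$'
)

# MySQL/MariaDB time-delay functions (Cacti stores its data in MySQL/MariaDB).
TIME_DELAY_RE = re.compile(r"\b(?:SLEEP|BENCHMARK)\s*\(", re.IGNORECASE)
# SQL metacharacters that have no place in a graph-title filter.
SQL_META_RE = re.compile(r"""['";]|--|/\*""")
# Assumed default name of Cacti's session cookie.
SESSION_COOKIE_NAME = "Cacti"

# Constructed sample log lines, not real traffic. Line 3 is the page's IoC URL.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Sep/2023:10:00:01 +0000] "GET /cacti/graph_view.php?action=tree HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "Cacti=abc123" 0.034
10.0.0.7 - - [05/Sep/2023:10:00:02 +0000] "GET /cacti/graph_view.php?action=tree_content&node=1-1-tree_anchor&rfilter=cpu HTTP/1.1" 200 2211 "-" "Mozilla/5.0" "Cacti=abc123" 0.051
198.51.100.23 - - [05/Sep/2023:10:00:09 +0000] "GET /cacti/graph_view.php?action=tree_content&node=1-1-tree_anchor&rfilter=%22or+%22%22%3D%22%28%28%22%29%29%3BSELECT+SLEEP%2810%29%3B--+- HTTP/1.1" 200 2211 "-" "curl/8.1.2" "-" 10.112
10.0.0.11 - - [05/Sep/2023:10:00:10 +0000] "GET /cacti/graph_view.php?action=tree_content&node=1-1-tree_anchor&rfilter=cpu%27 HTTP/1.1" 200 2211 "-" "Mozilla/5.0" "Cacti=def456" 0.048
10.0.0.9 - - [05/Sep/2023:10:00:11 +0000] "GET /cacti/index.php HTTP/1.1" 200 800 "-" "Mozilla/5.0" "Cacti=abc123" 0.012
"""


def analyze_rfilter(value: str) -> set[str]:
    """Return the injection signals found in one already-decoded rfilter value."""
    signals = set()
    if TIME_DELAY_RE.search(value):
        signals.add("time_delay_function")
    if SQL_META_RE.search(value):
        signals.add("sql_metacharacters")
    return signals


def scan_log(text: str, slow_threshold: float = 10.0) -> list[dict]:
    """Return one finding per graph_view.php request whose rfilter looks injected.

    The response-time and session-cookie checks only corroborate an rfilter hit;
    a slow or unauthenticated request with a clean rfilter is not reported.
    """
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the assumed format; skip rather than guess
        url = urlsplit(m["target"])
        if not url.path.endswith("/graph_view.php"):
            continue
        # parse_qs percent-decodes and turns '+' into spaces, as the server does.
        rfilters = parse_qs(url.query, keep_blank_values=True).get("rfilter", [])
        signals = set()
        for value in rfilters:
            signals |= analyze_rfilter(value)
        if not signals:
            continue  # ordinary graph browsing
        secs = float(m["secs"])
        if secs >= slow_threshold:
            signals.add("slow_response")  # matches an injected SLEEP(10) delay
        if f"{SESSION_COOKIE_NAME}=" not in m["cookie"]:
            signals.add("no_session_cookie")  # guest/unauthenticated access
        findings.append({
            "ip": m["ip"],
            "timestamp": m["ts"],
            "response_seconds": secs,
            "rfilter": rfilters,
            "signals": sorted(signals),
        })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Run against SAMPLE_LOG, the scanner reports the IoC request with all four signals and the single-quote request with only the metacharacter signal; the plain `rfilter=cpu` request and the slow-but-clean cases are ignored. Adjust `LOG_RE` to the log format actually in use before pointing it at real logs.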

CVSS provenance

nvd:            v3.1  9.8  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv:            9.8  CRITICAL
vendor_debian:  9.8  CRITICAL