CVE-2023-49084
published 2023-12-21


Priority: P2 (78)
Severity: high
CVSS 3.1 base score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: public exploit available
EPSS: 63.77% (99.1th percentile)
Cacti is a robust performance and fault management framework and a frontend to RRDTool, a Time Series Database (TSDB). By combining the detected SQL Injection with insufficient validation of the include file path, it is possible to execute arbitrary code on the server. Exploitation of the vulnerability is possible for an authenticated user. The vulnerable component is `link.php`. Impact of the vulnerability: execution of arbitrary code on the server.

Affected (7 ranges)

Vendor | Product | Version range | Fixed in
cacti | cacti | | 
cacti | cacti | | 
cacti | cacti | >= 0, < 1.2.16+ds1-2+deb11u3 | 1.2.16+ds1-2+deb11u3
cacti | cacti | >= 0, < 1.2.24+ds1-1+deb12u2 | 1.2.24+ds1-1+deb12u2
cacti | cacti | >= 0, < 1.2.26+ds1-1 | 1.2.26+ds1-1
cacti | cacti | >= 0, < 1.2.26+ds1-1 | 1.2.26+ds1-1
debian | cacti | < cacti 1.2.24+ds1-1+deb12u2 (bookworm) | cacti 1.2.24+ds1-1+deb12u2 (bookworm)

Detection & IOCs (extracted from sources)

path: link.php
path: pollers.php
  • CVE-2023-49084 is a Local File Inclusion (LFI) vulnerability in Cacti's link.php, chained with a SQL Injection (CVE-2023-49085) in pollers.php to achieve Remote Code Execution. Monitor for unusual include path parameters in requests to link.php.
  • A public Metasploit module (cacti_pollers_sqli_rce) exists for this CVE chain. Monitor for exploitation attempts targeting /cacti/link.php and /cacti/pollers.php from authenticated sessions.
  • Exploitation requires an authenticated user with 'Sites/Devices/Data' permission under 'General Administration'. Audit Cacti user permissions and alert on privilege assignments to this section.
  • Exploitation requires authentication; unauthenticated attackers cannot directly trigger this vulnerability. Ensure Cacti login endpoints are not exposed publicly and enforce strong credential policies.
  • This CVE (LFI in link.php) is only exploitable in combination with CVE-2023-49085 (SQLi in pollers.php). Both vulnerabilities must be present; patching either one breaks the full RCE chain. Upgrade Cacti to 1.2.26 or later.

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv | | 8.8 | HIGH | 
vendor_debian | | 8.0 | HIGH | 