Threat Signal Report

Command Injection Vulnerability (CVE-2022-46169) in Cacti Being Exploited in the Wild

Description

FortiGuard Labs is aware of a report that a recently patched vulnerability in the Cacti network monitoring and management suite is being exploited in the wild. The vulnerability (CVE-2022-46169) is a command injection vulnerability that allows a remote, unauthenticated user to execute arbitrary code on a server running a vulnerable version of Cacti.

Why is this Significant?

This is significant because, although recently patched, CVE-2022-46169 is reported to have been exploited in the wild. The vulnerability is in Cacti, which is open-source software for monitoring network devices and graphically displaying collected information.

What is CVE-2022-46169?

CVE-2022-46169 is a vulnerability in the Cacti network monitoring and management suite that a remote, unauthenticated attacker could exploit by sending a crafted HTTP request. Successful exploitation could result in arbitrary system command execution in the context of the target system.

The vulnerability is rated critical and has a CVSS score of 9.8.

Has the Vendor Released an Advisory for CVE-2022-46169?

Yes, the advisory is publicly available. See the Appendix for a link to "Unauthenticated Command Injection".

What Version of Cacti is Vulnerable?

The advisory released by Cacti lists 1.2.22 as a vulnerable version.

Has the Vendor Released a Patch for CVE-2022-46169?

Yes, the patch was released in v1.2.23 and v1.3.0 on December 5, 2022.

What is the Status of Protection?

FortiGuard Labs has the following IPS signature in place for

  • Cacti.remote_agent.php.Remote.Command.Execution (default action is set to "pass")
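One way to triage web-server access logs for requests to remote_agent.php, the script named in the signature above, that come from sources outside a known poller allowlist. This is an added example, not FortiGuard or Cacti code; the log lines, addresses, and the `trusted_pollers` allowlist are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in "combined" access-log format (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [10/Jan/2023:10:00:01 +0000] "GET /cacti/remote_agent.php?q=constructed HTTP/1.1" 200 12 "-" "poller"
203.0.113.7 - - [10/Jan/2023:10:02:13 +0000] "GET /cacti/remote_agent.php?q=constructed HTTP/1.1" 200 12 "-" "curl/7.81.0"
203.0.113.7 - - [10/Jan/2023:10:02:14 +0000] "GET /cacti/remote_agent.php?q=constructed HTTP/1.1" 200 12 "-" "curl/7.81.0"
198.51.100.23 - - [10/Jan/2023:10:05:40 +0000] "GET /cacti/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Jan/2023:10:05:41 +0000] "POST /cacti/Remote_Agent.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""

# Source address, request target and status code of a combined-format line.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)


def is_remote_agent(target):
    """True if the request path (query string removed) ends in remote_agent.php."""
    path = target.split("?", 1)[0]
    return path.rsplit("/", 1)[-1].lower() == "remote_agent.php"


def is_trusted(src, networks):
    """True only if src parses as an IP inside one of the allowlisted networks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:  # hostname or malformed field: treat as untrusted
        return False
    return any(addr in net for net in networks)


def triage(log_text, trusted_pollers):
    """Count remote_agent.php requests per (source, HTTP status) from
    sources that are not in trusted_pollers (a hypothetical allowlist)."""
    networks = [ipaddress.ip_network(n) for n in trusted_pollers]
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and is_remote_agent(m["target"]) and not is_trusted(m["src"], networks):
            hits[(m["src"], m["status"])] += 1
    return hits


if __name__ == "__main__":
    for (src, status), n in triage(SAMPLE_LOG, ["192.0.2.10/32"]).most_common():
        print(f"{src} status={status} requests={n}")
```

Run it against the real access log with the addresses of your own pollers; servers still on 1.2.22 that show hits from outside that list are the ones to examine first.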

Appendix

Tweet (@Shadowserver)

Unauthenticated Command Injection (Cacti)

CVE-2022-46169 (MITRE)