By exploiting a chain of vulnerabilities, an attacker could have executed arbitrary code on the server

The vulnerabilities in Cacti were identified by Alexey Solovyev, Senior Specialist at Positive Technologies. Cacti is an open-source software used in data centers, telecom companies, and hosting providers for real-time monitoring, data collection, and managing network infrastructure disruptions. The vendor was notified of the threat in line with the responsible disclosure policy and has already released software patches. Users are advised to upgrade to Cacti version 1.2.27 or later.

As of May 2024, Positive Technologies Expert Security Center estimated that there were over 1,300 systems operating Cacti accessible from the internet. More than half of these systems are located in four countries: Indonesia (36.3%), Bangladesh (10.51%), the USA (9.67%), and China (6.37%).

The most severe vulnerability was CVE-2023-49085 (BDU:2024-01113), an SQL Injection vulnerability, which scored 8.8 on the CVSS v3 scale. Following this was CVE-2023-49084 (BDU:2024-03557), a Path Traversal vulnerability, rated 8.1. Lastly, CVE-2023-49086 (BDU:2024-04203), a DOM XSS vulnerability, scored 6.1.

Alexey Solovyev, Senior Specialist in the Web Application Security Analysis Group at Positive Technologies, commented: "Cacti ensures continuous network infrastructure monitoring, which is why exploiting the detected vulnerabilities can result in significant business damage. In our case, a potential attacker could have used a chain of three vulnerabilities to fully compromise Cacti and penetrate the internal network. First, the attacker would need to trick an authorized user into clicking a link to execute malicious JavaScript code. Next, the attacker could use SQL Injection to write the necessary information to the database, perform Path Traversal, and activate the infected file. This would lead to arbitrary code execution on the server."

Previously, Alexey Solovyev helped eliminate vulnerabilities in the Nagios XI and Pandora FMS monitoring systems, which could have led to the theft of private data and the hacking of network infrastructure.

In order to detect all three vulnerabilities, we recommend using static and dynamic code analyzers, such as PT Application Inspector and PT BlackBox. To block exploitation attempts, use web application firewalls like PT Application Firewall (also available in the cloud version: PT Cloud Application Firewall). Network traffic analysis tools, such as PT Network Attack Discovery (PT NAD), can detect SQL Injection and Local File Inclusion (LFI) attempts¹. To reduce the threat of remote code execution (RCE), endpoint detection and response (EDR) security solutions like MaxPatrol EDR can help. Post-exploitation of the vulnerabilities can also be detected by Behavioral Anomaly Detection (BAD), an ML module of MaxPatrol SIEM. To detect RCE vulnerabilities on your assets, you can also use the MaxPatrol VM vulnerability management system.

1. NAD SQL Injection and LFI detection rules: 10010283 and 10010284, respectively.