WARNING: HACKERS ARE ACTIVELY EXPLOITING AN UNAUTHENTICATED CRITICAL COMMAND INJECTION VULNERABILITY IN CACTI, PATCH IMMEDIATELY!
CVE-2022-46169 CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Cacti is an operational and fault management monitoring solution for network devices with a graphical user interface.
Gaining access to an organization's Cacti instance gives an attacker the opportunity to collect intelligence about the types of devices on the network and their associated IP addresses. Attackers can use this intelligence to gain a foothold and/or move laterally inside the network. Attackers are actively exploiting CVE-2022-46169.
Observations indicate that attackers are leveraging CVE-2022-46169 to install botnet malware such as Mirai and/or a reverse shell on the host, with the intent to run port scans.
The Centre for Cyber Security Belgium recommends that system administrators patch vulnerable systems as soon as possible and analyse system and network logs for any suspicious activity. If your organization has already identified an intrusion or incident, please report it via: https://cert.be/en/report-incident.
The attack does not require user interaction and can be executed remotely without privileges.
This command injection vulnerability can be used to execute arbitrary commands if a “poller_item” with the action type “poller_action_script_php” (2) is configured.
CVE-2022-46169 is a command injection vulnerability that resides in the “remote_agent.php” file, which can be accessed without authentication.
The Centre for Cyber Security Belgium strongly recommends that Windows system administrators take the following actions:
Update vulnerable Cacti instances immediately to the most recent build available: https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf
Scale up monitoring and detection capabilities to detect any related suspicious activity and ensure a fast response in case of an intrusion.
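One way to act on the advice to review logs, as an added example that is not part of the CCB advisory: a Python script that scans combined-format web server access log lines for requests to remote_agent.php (the unauthenticated file named above) coming from hosts other than the organisation's known Cacti pollers. The poller allowlist, the log format and the sample log lines are constructed assumptions for this example.

```python
import re
from ipaddress import ip_address, ip_network

# Apache/Nginx "combined" log format; assumption: the Cacti web server logs this way.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Hosts that legitimately call remote_agent.php: the Cacti pollers (assumed values).
KNOWN_POLLERS = [ip_network("10.0.5.0/24"), ip_network("10.0.6.12/32")]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def is_known_poller(ip):
    """True if the source address falls inside one of the allowlisted poller ranges."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in KNOWN_POLLERS)


def find_suspicious(lines):
    """Return parsed entries that request remote_agent.php from a non-poller source.
    Status code is deliberately not filtered: an unexpected caller is worth a look
    whether or not the server answered 200."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        if not entry["path"].split("?")[0].endswith("/remote_agent.php"):
            continue
        if not is_known_poller(entry["ip"]):
            hits.append(entry)
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.5.20 - - [10/Jan/2023:09:12:01 +0100] "GET /cacti/remote_agent.php?action=ping HTTP/1.1" 200 51',
    '203.0.113.7 - - [10/Jan/2023:09:12:44 +0100] "GET /cacti/remote_agent.php?action=ping HTTP/1.1" 200 51',
    '203.0.113.7 - - [10/Jan/2023:09:12:45 +0100] "GET /cacti/index.php HTTP/1.1" 200 4821',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for h in find_suspicious(SAMPLE_LOG):
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]}')
```

A hit only says the request did not come from one of your pollers, so pair it with a review of which poller_item entries are configured with the action type the advisory names and with the patch status of the instance.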