A significant portion of internet-exposed Cacti servers remain unpatched against a recently discovered critical security vulnerability that has been actively exploited in the wild, according to attack surface management platform Censys. Out of a total of 6,427 servers, only 26 were found to be running a patched version of Cacti (1.2.23 and 1.3.0).
The vulnerability in question, designated as CVE-2022-46169, is a combination of authentication bypass and command injection that allows an unauthenticated user to execute arbitrary code on affected versions of the open-source, web-based monitoring solution. The flaw, which impacts versions 1.2.22 and below, was first reported by SonarSource on December 2, 2022. The researcher noted that “a hostname-based authorization check is not implemented safely for most installations of Cacti” and that “unsanitized user input is propagated to a string used to execute an external command.”
The public disclosure of the vulnerability has also led to an increase in exploitation attempts, with the Shadowserver Foundation and GreyNoise warning of malicious attacks originating from a single IP address located in Ukraine. The majority of unpatched versions were found in Brazil, followed by Indonesia, the U.S., China, Bangladesh, Russia, Ukraine, the Philippines, Thailand, and the U.K.
This development comes as SugarCRM releases a fix for a publicly disclosed vulnerability that has also been actively exploited to drop a PHP-based web shell on 354 unique hosts. The vulnerability, tracked as CVE-2023-22952, is a case of missing input validation that could result in the injection of arbitrary PHP code; it has been addressed in SugarCRM versions 11.0.5 and 12.0.2. In the attacks detailed by Censys, the web shell is used to execute additional commands on the infected machine with the same permissions as the user running the web service. The majority of infections have been reported in the U.S., Germany, Australia, France, and the U.K.
It is crucial for users to promptly address newly disclosed vulnerabilities to prevent malicious actors from exploiting them.