More than 1,600 instances of the Cacti device monitoring tool reachable over the internet are vulnerable to a critical security issue that hackers have already started to exploit.
Cacti is an operational and fault management monitoring solution for network devices that also provides graphical visualization. There are thousands of instances deployed across the world exposed on the web.
In early December 2022, a security advisory warned of a critical command injection vulnerability (tracked as CVE-2022-46169, severity rating 9.8 out of 10) in Cacti that could be exploited without authentication.
The developer released an update that fixes the vulnerability, also providing advice to prevent command injection and authorization bypass.
Technical details about the issue and how it could be leveraged started to emerge the same month, along with proof-of-concept (PoC) exploit code that could be weaponized for attacks.
On January 3, SonarSource, a company that provides code quality and security products, released a technical write-up of their finding and a short video demonstrating the vulnerability.
On the same day, security researchers at The Shadowserver Foundation noticed exploitation attempts that delivered malware.
Initially, the exploits installed botnets, such as Mirai malware. Another exploit installed was IRC botnet (PERL-based) that opened a reverse shell on the host and instructed it to run port scans. The more recent attacks are just checking for vulnerability.
According to data collected by Shadowserver researchers, exploitation attempts for the CVE-2022-46169 vulnerability in Cacti increased last week and the total count currently stands under two dozen.
In a report from Censys attack surface search platform for Internet-connected devices, there are 6,427 Cacti hosts exposed on the web. Determining how many run a vulnerable version or have updated is not possible for all of them, though.
“Censys has observed 6,427 hosts on the internet running a version of Cacti. Unfortunately, we can only see the exact running software version when a specific theme (sunrise) is enabled on the web application” – Censys
However, the company could count 1,637 Cacti hosts reachable over the web that were vulnerable to CVE-2022-46169, many of them (465) running version 1.1.38 of the monitoring solution, released in April 2021.
Of all Cacti hosts for which Censys could determine the version number, only 26 were running an updated release that was not vulnerable to the critical flaw.
From an attacker’s perspective, gaining access to the Cacti instance of an organization provides the opportunity to learn about the type of devices on the network and their local IP addresses.
This type of information is a boon for hackers, who get an accurate view of the network and the hosts they can attack to secure their foothold or move to more valuable systems.