Hackers Exploit Cacti Critical Bug to Install Malware and Open Reverse Shells
Enterprotect, a cybersecurity company, is issuing a threat advisory regarding a critical security issue in Cacti, a network device monitoring tool that also provides graphical visualization. Over 1,600 instances of Cacti reachable over the internet are vulnerable to this issue, and hackers have already started to exploit it.
What is the Threat?
The threat is a critical command injection vulnerability in Cacti, tracked as CVE-2022-46169, with a severity rating of 9.8 out of 10. This vulnerability can be exploited without authentication.
Why is it Noteworthy?
This vulnerability allows hackers to gain access to an organization's Cacti instance, which exposes the types of devices on the network and their local IP addresses. This information is valuable to hackers because it lets them accurately map the network and identify potential targets for further attacks.
What is the Exposure or Risk?
The risk is significant: a compromised Cacti instance gives hackers access to an organization's network, from which they can potentially move to more valuable systems. Exploitation attempts against CVE-2022-46169 in Cacti are also increasing, with a current count of under two dozen.
What are the Recommendations?
Enterprotect recommends the following steps to protect against this vulnerability:
Update to the latest version of Cacti, which includes a patch for CVE-2022-46169.
Limit internet-facing Cacti instances to only the hosts that need them.
Monitor network traffic for abnormal behavior.
References
Security Advisory: https://www.cacti.net/security.php
Technical Details and PoC exploit code: https://github.com/stamparm/DSJS
SonarSource Technical Write-up and Video Demonstration: https://www.sonarsource.com/blog/2021/12/cacti-rce-vulnerability-cve-2022-46169.html
The Shadowserver Foundation: https://www.shadowserver.org/
Censys: https://censys.io/