CVE-2022-46169: Critical vulnerability affects Cacti network graphing solution

Open-source, web-based network monitoring and graphing tool Cacti received an update recently to fix a critical-severity security vulnerability that enabled executing arbitrary code on a server running Cacti.

Cacti provides a robust and extensible operational monitoring and fault management framework for users around the world. Is also a complete network graphing solution designed to harness the power of RRDTool‘s data storage and graphing functionality.

The flaw, tracked as CVE-2022-46169, is a command injection vulnerability that allows unauthenticated attackers to execute arbitrary code on a server running Cacti. The issue has a CVSS severity score of 9.8. The vulnerability exists in the remote_agent.php file. This file can be accessed without authentication.

“After the authorization of the remote_agent.php file is bypassed, an attacker can trigger different actions. One of these actions is called polldata:

switch (get_request_var('action')) {

	case 'polldata':

		// ...

		poll_for_data();

		// ...

		break;

“The called function poll_for_data retrieves a few request parameters and loads the corresponding poller_item entries from the database. If the action of a poller_item equals POLLER_ACTION_SCRIPT_PHP, the function proc_open is used to execute a PHP script:

function poll_for_data() {

	global $config;



	$local_data_ids = get_nfilter_request_var('local_data_ids');

	$host_id        = get_filter_request_var('host_id');

	$poller_id      = get_nfilter_request_var('poller_id');

	$return         = array();



	$i = 0;



	if (cacti_sizeof($local_data_ids)) {

		foreach($local_data_ids as $local_data_id) {

			input_validate_input_number($local_data_id, 'local_data_id');



			$items = db_fetch_assoc_prepared('SELECT *

				FROM poller_item

				WHERE host_id = ?

				AND local_data_id = ?',

				array($host_id, $local_data_id));

			// ...

			if (cacti_sizeof($items)) {

				foreach($items as $item) {

					switch ($item['action']) {

					// ...

					case POLLER_ACTION_SCRIPT_PHP: /* script (php script server) */

						// ...

						$cactiphp = proc_open(read_config_option('path_php_binary') . ' -q ' . $config['base_path'] . '/script_server.php realtime ' . $poller_id, $cactides, $pipes);

						// ...

The attacker-controlled parameter $poller_id is retrieved via the function get_nfilter_request_var, which allows arbitrary strings. This variable is later inserted into the string passed to proc_open, which leads to a command injection vulnerability. By e.g. providing the poller_id=;id the id command is executed,” read the security advisories.

CVE-2022-46169 flaw affects all installations for Cacti version 1.22.2. Fortunately, patches are already available. Cacti users are advised to update to the fixed versions (1.2.23 or 1.3.0).