Cacti is one of the most popular open-source network monitoring and fault management tools out there. System admins rely on it to visualize and keep tabs on the health of their IT infrastructure. But in October 2023, a security flaw (CVE-2023-39365) threatened to turn Cacti into a vulnerability. This post explains what the vulnerability is, how it works, and how attackers could exploit it—using code snippets to make things clear, even if you’re not a Cacti expert.
What is CVE-2023-39365?
CVE-2023-39365 is a SQL Injection vulnerability in Cacti. The trouble lies in how Cacti’s input validation handles *regular expressions* and the *external links* feature. A malicious user can send specifically crafted input that bypasses normal protections and runs unauthorized SQL commands against Cacti’s database. This can result in data leakage or even partial control over the database.
No workarounds exist—*you must update to at least version 1.2.25*.
Official CVE notice:
- NVD CVE-2023-39365
- Cacti Security GitHub Advisory GHSA-8x78-8wxg-6hhg
What went wrong?
Cacti allowed users to set up *external links* in graphs and dashboards. Users could supply arbitrary regular expressions—and those regexes were *not* properly sanitized before they were used in SQL queries. When combined, a hacker’s input ended up directly inside an SQL query string.
In simple terms:
If a Cacti instance had external links enabled, and an attacker had access (even limited), they could inject SQL commands, read sensitive data, and possibly alter the database.
Exploit Example (Code Snippet)
Suppose you have access to Cacti’s external link feature (often available to users/non-admins). Cacti lets you provide a regular expression when setting up a new external link. Instead of giving a legitimate regex, you might give this payload:
^admin'; SELECT user, password FROM user_auth WHERE '1'='1
On the backend, Cacti would build a query *including your input*. So, the resulting SQL written by the PHP code could look like:
// Example pseudo-code from the vulnerable part
$query = "SELECT * FROM links WHERE regex = '" . $_POST['regex'] . "'";
With our input, the query becomes
SELECT * FROM links WHERE regex = '^admin'; SELECT user, password FROM user_auth WHERE '1'='1'
Notice how the injected ; SELECT ... puts a whole new query in! This is a classic *stacked* SQL injection, which can dump user info.
Proof-of-Concept Attack
A working exploit would be custom, but using a tool like sqlmap, you could try (replace the demo URL and field/names with yours):
sqlmap -u "http://target-cacti/links.php"; --data="regex=^admin';SELECT user,password FROM user_auth WHERE '1'='1" --cookie="your-session-cookie" --dbms=mysql
Important:
This requires some form of access to the Cacti web interface and the external links feature.
Anything else readable from the database, depending on permissions
In most setups, this won’t allow total database control, but information leakage can lead to deeper attacks—especially if Cacti’s admin uses the same passwords elsewhere.
The Fix
Cacti’s developers addressed this issue in v1.2.25. The fix ensures that any user-supplied regular expression gets properly sanitized, and prevents arbitrary SQL code from slipping through.
Upgrade immediately.
Download the fixed version: Cacti v1.2.25 Release
Monitor database logs for unusual queries.
No workarounds exist—the only safe thing to do is update your Cacti install.
Key References
- NVD CVE-2023-39365
- Cacti Security Advisory
- Official fix on GitHub
Conclusion
CVE-2023-39365 is a clear example of how a small oversight in input validation can lead to major data breaches. If you’re running Cacti, *upgrade immediately* to 1.2.25 or newer. And remember, never trust user input—sanitize everything, every time.
If you found this writeup helpful, please share it with your fellow sysadmins. And always keep your open-source tools patched!
*Disclaimer: This post is for educational purposes only. Never attack systems you do not own or explicitly have permission to test.*
Timeline
Published on: 09/05/2023 22:15:09 UTC
Last modified on: 11/09/2023 05:15:10 UTC