by @jakaba
04 Mar 2024

Command injection in Cacti (CVE-2023-39362)

CVEs

7.2 High Severity

Apps

Cacti
0.8.8C.*
0.6.8A.*
0.8.6G.*
0.8.5A.*
0.8.7I.*
0.8.7G.*
0.8.6D.*
0.8.7C.*
0.8.6K.*
0.8.8F.*

Summary

In Cacti 1.2.24, under certain conditions, an authenticated privileged user can use a malicious string in the SNMP options of a "Device", performing command injection and obtaining remote code execution on the underlying server.

Description
