TLDR:
Key points of the article:
- 12 security flaws in Cacti framework addressed, including 2 critical issues
- Most severe vulnerabilities include arbitrary code execution and command injection
The maintainers of the Cacti open-source network monitoring and fault management framework have fixed a total of twelve security flaws, two of them critical issues that could lead to the execution of malicious code. The most severe are an arbitrary code write vulnerability in the “Package Import” feature and a command injection flaw, which could allow attackers to execute arbitrary PHP code on the server and to run unauthorized commands, respectively.
Two further high-severity flaws were also addressed, which could result in code execution through SQL injection and file inclusion. It’s important to note that the majority of these vulnerabilities impact all versions of Cacti, including versions prior to 1.2.26. The flaws have been patched in the latest version, 1.2.27, released on May 13, 2024.
It is also worth noting that a critical SQL injection vulnerability was disclosed in Cacti eight months earlier, and another critical flaw was under active exploitation in early 2023. With proof-of-concept exploits available for some of these vulnerabilities, users are strongly advised to update their instances to the latest version to mitigate the risk.