Cacti Servers Under Attack as Majority Fail to Patch Critical Vulnerability

January 14, 2023 | Ravie Lakshmanan | Server Security / Patch Management

Cacti Server Vulnerability

The majority of Cacti servers exposed to the internet remain unpatched against a critical security vulnerability for which a fix was recently released.

According to attack surface management platform Censys, only 26 of the 6,427 internet-exposed Cacti servers it observed were running a patched version (1.2.23 or 1.3.0).

The issue in question is CVE-2022-46169 (CVSS score: 9.8), a combination of an authentication bypass and a command injection that allows unauthenticated attackers to execute arbitrary code on affected versions of the open-source, web-based monitoring solution.

Details of the flaw, which affects versions 1.2.22 and below, were first disclosed by SonarSource, which reported it to the project maintainers on December 2, 2022.

“Hostname-based authentication checks are not securely implemented in most installations of Cacti,” SonarSource researcher Stefan Schiller said earlier this month, adding that “unsanitized user input is propagated to the string used to execute the external command.”
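The quoted root cause, untrusted input propagated into the string used to run an external command, is the generic pattern shown below as an added illustration; it is written in Python rather than Cacti's own PHP code and is not taken from the project. The `ping` command, the hostname allow-list regex and the sample inputs are assumptions made for the example, not details from the advisory. The defensive points are the two that matter for this bug class: validate the value against a strict allow-list, and pass it to the process as a separate argv element so no shell ever parses it.

```python
import re
import subprocess

# Allow-list for RFC 1123 hostnames (dotted IPv4 quads also match). Anything
# containing whitespace, shell metacharacters or a leading '-' fails here, so
# option injection ('-flag') is rejected as well as command injection.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def is_valid_hostname(value: str) -> bool:
    """Return True only for a syntactically valid hostname."""
    return bool(_HOSTNAME_RE.match(value))


def build_command_string_unsafe(hostname: str) -> str:
    """The pattern the advisory describes: untrusted input concatenated into a
    single shell string. Shown only for contrast; do not execute this form."""
    return "ping -c 1 " + hostname


def build_ping_argv(hostname: str) -> list[str]:
    """Hardened form: reject anything outside the allow-list, then hand the
    value to the process as one argv element (no shell involved)."""
    if not is_valid_hostname(hostname):
        raise ValueError(f"rejected hostname: {hostname!r}")
    return ["ping", "-c", "1", hostname]


def run_ping(hostname: str) -> int:
    """Run the validated command with shell=False and return its exit status.
    Assumed helper; 'ping' is a stand-in for whatever external tool is called."""
    argv = build_ping_argv(hostname)
    completed = subprocess.run(argv, shell=False, capture_output=True, timeout=10)
    return completed.returncode


if __name__ == "__main__":
    # Constructed sample inputs: one well-formed hostname, two that must be rejected.
    for candidate in ("db01.example.net", "db01;id", "-bad"):
        try:
            print(candidate, "->", build_ping_argv(candidate))
        except ValueError as exc:
            print(candidate, "->", exc)
```

A shell string is only ever safe when every interpolated value has been both validated and quoted; building argv lists removes the quoting problem entirely, which is why the hardened form prefers it over `shlex.quote` on a string.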

The disclosure of the vulnerability has also led to “exploitation attempts,” the Shadowserver Foundation said. So far, GreyNoise has warned of malicious activity originating from a single IP address located in Ukraine.

The majority of unpatched servers (1,320) are located in Brazil, followed by Indonesia, the United States, China, Bangladesh, Russia, Ukraine, the Philippines, Thailand, and the United Kingdom.

SugarCRM Vulnerability Actively Exploited to Drop Web Shell

The development follows SugarCRM shipping a fix for a publicly disclosed vulnerability that has been actively weaponized to drop a PHP-based web shell on 354 unique hosts, Censys said in a separate advisory.

The bug, tracked as CVE-2023-22952, involves missing input validation that can lead to the injection of arbitrary PHP code. It has been addressed in SugarCRM versions 11.0.5 and 12.0.2.
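Both advisories in this article give their fixes as per-branch releases (Cacti 1.2.23 and 1.3.0; SugarCRM 11.0.5 and 12.0.2), which is exactly where a naive "version >= latest fix" inventory check goes wrong: 11.0.5 is patched although it is numerically below 12.0.2. The script below is an added example, not Censys or vendor tooling; the fix baselines are the versions stated in the article, the CSV inventory format and hostnames are constructed, and treating SugarCRM branches older than 11.0 as "unknown" rather than vulnerable is an assumption because the article does not cover them.

```python
from __future__ import annotations

# Fixed-version baselines from the article, keyed by release branch
# (major, minor) because vendors backport a fix to more than one branch.
FIX_BASELINES = {
    "cacti": {
        "fixed": {(1, 2): (1, 2, 23), (1, 3): (1, 3, 0)},    # CVE-2022-46169
        "all_older_vulnerable": True,   # article: affects 1.2.22 and below
    },
    "sugarcrm": {
        "fixed": {(11, 0): (11, 0, 5), (12, 0): (12, 0, 2)},  # CVE-2023-22952
        "all_older_vulnerable": False,  # assumption: older branches not covered
    },
}

# Constructed sample inventory (host,product,version); not real hosts.
SAMPLE_INVENTORY = """\
cacti-web-01,cacti,1.2.22
cacti-web-02,cacti,1.2.23
cacti-web-03,cacti,1.3.0
cacti-web-04,cacti,1.1.38
crm-01,sugarcrm,12.0.1
crm-02,sugarcrm,12.0.2
crm-03,sugarcrm,11.0.5
crm-04,sugarcrm,11.0.4
crm-05,sugarcrm,10.0.0
"""


def parse_version(text: str) -> tuple[int, ...]:
    """Parse '1.2.23' (or '1.2.23-rc1') into a comparable tuple of ints;
    a non-numeric suffix on a component is dropped, later components ignored."""
    parts: list[int] = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts)


def classify(product: str, version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for one version string,
    comparing against the fix baseline of the version's own branch."""
    spec = FIX_BASELINES[product]
    v = parse_version(version)
    baseline = spec["fixed"].get(v[:2])
    if baseline is not None:
        return "patched" if v >= baseline else "vulnerable"
    # No baseline for this branch: only call it vulnerable when the advisory
    # says every older release is affected and this one predates all fixes.
    if spec["all_older_vulnerable"] and v < min(spec["fixed"].values()):
        return "vulnerable"
    return "unknown"


def triage_inventory(csv_text: str) -> dict[str, list[str]]:
    """Group hosts from 'host,product,version' lines by patch status."""
    groups: dict[str, list[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for line in csv_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, product, version = (field.strip() for field in line.split(","))
        groups[classify(product.lower(), version)].append(host)
    return groups


if __name__ == "__main__":
    for status, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {len(hosts):2d}  {', '.join(hosts)}")
```

Hosts that land in "unknown" deserve a manual look rather than being silently counted as safe; the point of the three-way result is that an inventory script should never turn missing advisory coverage into a green checkmark.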

The attack detailed by Censys uses the web shell as a conduit to execute additional commands on the infected machine with the same privileges as the user running the web service. The majority of infections have been reported in the US, Germany, Australia, France, and the UK.

Malicious actors often take advantage of newly disclosed vulnerabilities to carry out attacks, so it is imperative that users plug security holes quickly.
