Unpatched Vulnerabilities in Cacti Servers Present New Threats
Recent findings from Censys, an attack surface management platform, highlight a significant cybersecurity concern regarding Cacti servers. A majority of these internet-exposed servers remain unpatched against a critical vulnerability identified as CVE-2022-46169. This flaw has been actively exploited, raising alarms for organizations relying on this open-source web monitoring solution.
Of the 6,427 Cacti servers assessed, only 26 were found to be running updated versions (1.2.23 and 1.3.0) that address the vulnerability. The exploitation potential of this flaw is severe, as it combines authentication bypass with command injection capabilities. Unauthenticated attackers could execute arbitrary code, posing grave risks to the integrity of affected systems.
The vulnerability was first reported to Cacti’s developers on December 2, 2022, by researchers from SonarSource. According to their analysis, the issue stems from inadequate hostname-based authorization checks in most installations, which allows unsanitized user inputs to influence command execution on the server.
Since its public disclosure, exploitation attempts have been observed, particularly from an IP address in Ukraine. Monitoring groups such as Shadowserver and GreyNoise have documented unauthorized access attempts linked to this vulnerability, intensifying the urgency for patch implementation across affected systems.
Geographically, the majority of unpatched Cacti installations (approximately 1,320) are located in Brazil, followed by other nations including Indonesia, the U.S., and China. This widespread vulnerability necessitates immediate attention from business owners to mitigate risks.
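The version figures above (fixed in 1.2.23 and 1.3.0) are the practical test for whether a Cacti host in your own inventory is still exposed to CVE-2022-46169. The following script is an added example written for this page, not code from Censys, SonarSource or the Cacti project: it parses version strings, compares them against the fixed release on the same branch, and flags anything it cannot place precisely (older 0.8.x branches, pre-release labels such as `-dev`, unparseable strings) for manual review rather than guessing. The hostnames in the sample inventory are constructed.

```python
"""Triage a Cacti inventory against CVE-2022-46169 (added example, not from the report).

Assumption taken from the article: the fix ships in 1.2.23 and 1.3.0. Any 1.2.x
below 1.2.23 is therefore treated as unpatched; branches the article does not
mention, and versions carrying a trailing label, are flagged for review.
"""
import re
from collections import Counter

# Lowest release on each branch that carries the fix, per the article.
FIXED_BY_BRANCH = {(1, 2): (1, 2, 23), (1, 3): (1, 3, 0)}

# major.minor[.patch] with an optional trailing label (e.g. "-dev", "h").
VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?([A-Za-z\-].*)?\s*$")


def parse_version(text):
    """Return ((major, minor, patch), has_label) or None if unparseable."""
    m = VERSION_RE.match(text)
    if not m:
        return None
    nums = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    return nums, bool(m.group(4))


def classify(version_text):
    """Map a Cacti version string to 'patched', 'unpatched' or 'review'."""
    parsed = parse_version(version_text)
    if parsed is None:
        return "review"  # not a version string we can reason about
    nums, has_label = parsed
    fixed = FIXED_BY_BRANCH.get(nums[:2])
    if fixed is None or has_label:
        # Branch not covered by the article, or a labelled build (e.g. a
        # 1.3.0-dev snapshot) that may predate the fix: needs a human look.
        return "review"
    return "patched" if nums >= fixed else "unpatched"


def triage(inventory):
    """inventory: iterable of (host, version_string). Returns host -> status."""
    return {host: classify(ver) for host, ver in inventory}


def summarize(statuses):
    """Count hosts per status so unpatched totals can be reported directly."""
    return dict(Counter(statuses.values()))


# Constructed sample inventory; these hosts do not exist.
SAMPLE_INVENTORY = [
    ("cacti-01.example.internal", "1.2.22"),
    ("cacti-02.example.internal", "1.2.23"),
    ("cacti-03.example.internal", "1.3.0-dev"),
    ("cacti-04.example.internal", "0.8.8h"),
    ("cacti-05.example.internal", "unknown"),
]

if __name__ == "__main__":
    results = triage(SAMPLE_INVENTORY)
    for host, status in sorted(results.items()):
        print(f"{host:30} {status}")
    print(summarize(results))
```

In a real deployment the `(host, version)` pairs would come from your asset inventory or a banner scan; the point of the three-way status is that a triage script should never silently mark a host safe when the version string does not let it decide.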
In a related cybersecurity development, vulnerabilities in SugarCRM have also been exploited, enabling attackers to deploy PHP-based web shells. The flaw, tracked as CVE-2023-22952, involves missing input validation that could lead to arbitrary PHP code injection. Censys reports that these web shells are used to execute further commands on compromised servers, often facilitating deeper system infiltration.
The attacks on SugarCRM are notable, with reported infections concentrated in regions such as the U.S., Germany, and Australia. This phenomenon underscores the tendency of cybercriminals to exploit freshly disclosed vulnerabilities to amplify their attacks.
Both incidents illustrate critical tactics from the MITRE ATT&CK framework, particularly concerning initial access and execution techniques. Unsanctioned installations and unpatched software create avenues for attackers, making swift remediation imperative for organizations to secure their digital infrastructure.
Business leaders must remain vigilant, ensuring timely updates and patches to mitigate the impact of these vulnerabilities. As the cyber threat landscape evolves, proactive measures should be central to cybersecurity strategies, safeguarding sensitive data against increasingly sophisticated attacks.