CVE-2022-46169 — Cacti Command Injection Vulnerability

Cacti Network Monitor — Pre-Auth Command Injection in Polling Agent via poller_id Parameter

What is Cacti?

Cacti is a widely used open-source network monitoring and graphing solution built on PHP and MySQL/MariaDB. It uses SNMP polling to collect device metrics (CPU, bandwidth, temperature, etc.) and renders historical graphs using RRDtool. Cacti is deployed by network administrators and NOC teams to monitor routers, switches, servers, and infrastructure equipment. Because Cacti must be reachable by the systems it monitors — and is often web-accessible for dashboards — Cacti instances frequently appear on internet-exposed or internally accessible servers, making them attractive targets for network reconnaissance and pivoting.

Overview

CVE-2022-46169 is a critical command injection vulnerability (CWE-74, CVSS 9.8) in Cacti's remote_agent.php polling component. An unauthenticated remote attacker can bypass an authorization check in the polling agent and inject arbitrary OS commands through the poller_id parameter, achieving code execution with the web server's privileges. Cacti patched the issue on December 3, 2022; by December 11 a public PoC was available and Mirai botnets were actively exploiting vulnerable Cacti instances. CISA added it to the Known Exploited Vulnerabilities (KEV) catalog in February 2023.

Affected Versions

Product    Vulnerable            Fixed
Cacti      1.2.22 and earlier    1.2.23

Technical Details

The vulnerability (CWE-74: Injection) exists in remote_agent.php, a script invoked during polling to fetch data from Cacti's managed devices. The script includes an authorization check intended to ensure only the Cacti server itself can call it — but this check relies on comparing the requesting IP against a list of authorized Cacti pollers, which can be bypassed under certain network configurations or by manipulating the X-Forwarded-For header.

Once the authorization bypass is achieved, the script accepts a poller_id parameter that is used to construct a shell command without adequate sanitization. An attacker can supply a value containing shell metacharacters to inject arbitrary OS commands. The web server executes these commands with its own process privileges — typically www-data or equivalent, which may have sufficient access to read Cacti's database credentials and configuration files.

The vulnerability is especially impactful because Cacti stores SNMP community strings and device credentials for every monitored host — a successful attack yields credentials that can be used to access network devices directly.

Discovery

Discovered by Stefan Schiller of Sonar Research, who reported it to the Cacti project. Cacti released the fix alongside the public disclosure. The patch was quickly reverse-engineered and a PoC was published within days.

Exploitation Context

Within a week of the PoC publication, multiple threat actors incorporated CVE-2022-46169 into automated exploitation campaigns. Observed activity included:

  • Mirai botnet variants: Using the vulnerability to add Cacti servers to DDoS botnet infrastructure
  • Cryptomining operators: Deploying XMRig (Monero miner) on compromised Cacti servers
  • Credential harvesting: Extracting SNMP community strings and device credentials from Cacti's database for subsequent network device compromise
  • Persistent access: Installing backdoors for long-term access to the monitoring server and its privileged network access

Cacti's privileged position in network monitoring makes it a high-value target: successful compromise provides SNMP access to every monitored device and a vantage point inside the corporate network.

Remediation

  1. Upgrade Cacti to 1.2.23 or later: Apply the update immediately. Cacti updates are distributed through their GitHub releases page.
  2. Restrict web interface access: Cacti's web interface should not be internet-accessible. Use firewall rules to limit access to the Cacti management UI to authorized administrator IPs.
  3. Verify no compromise occurred: If Cacti was network-accessible before patching, check for unexpected processes (miners, reverse shells), new cron jobs, modified PHP files, and unauthorized access to Cacti's database.
  4. Rotate SNMP community strings: If the Cacti database was accessible post-compromise, treat all SNMP community strings stored in Cacti as compromised and rotate them across monitored devices.
  5. Review remote_agent.php access logs: Inspect web server access logs for POST requests to remote_agent.php with unusual poller_id values that may indicate exploitation attempts.
  6. Update SNMP credentials: Change SNMPv3 usernames and passwords for all monitored devices if credentials stored in Cacti may have been accessed.
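Added example for the log review in step 5 and the poller_id handling described under Technical Details; this is illustrative code, not part of this advisory or of the Cacti project. It parses Apache combined-format access log lines, keeps requests to remote_agent.php, and flags any poller_id that is not a plain integer. It assumes the parameter is visible in the logged query string; the log lines, IPs and user agents are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache "combined"-format lines (not from a real server); the
# 203.0.113.9 entries imitate the kind of request step 5 asks you to look for.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Dec/2022:10:01:02 +0000] "GET /cacti/remote_agent.php?action=polldata&poller_id=1&host_id=1 HTTP/1.1" 200 512 "-" "Cacti-Poller"
203.0.113.9 - - [11/Dec/2022:10:02:15 +0000] "GET /cacti/remote_agent.php?action=polldata&poller_id=1%3Bid&host_id=1 HTTP/1.1" 200 128 "-" "python-requests/2.28"
203.0.113.9 - - [11/Dec/2022:10:02:16 +0000] "POST /cacti/remote_agent.php?action=polldata&poller_id=%60uname%20-a%60 HTTP/1.1" 200 96 "-" "curl/7.81"
10.0.0.7 - - [11/Dec/2022:10:03:00 +0000] "GET /cacti/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Legitimate pollers send a small integer id; anything else is worth a look.
SAFE_POLLER_ID = re.compile(r"^\d{1,6}$")
# Characters needed to break out of a shell argument (the injection primitive).
METACHARS = re.compile(r"[;|&`$(){}<>\n]")


def classify_poller_id(value):
    """Return 'ok', 'shell-metachar' or 'non-numeric' for a decoded poller_id."""
    if SAFE_POLLER_ID.match(value):
        return "ok"
    if METACHARS.search(value):
        return "shell-metachar"
    return "non-numeric"


def find_suspicious(log_text):
    """Return one dict per remote_agent.php request whose poller_id is not a plain integer."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/remote_agent.php"):
            continue
        # parse_qs percent-decodes, so an encoded %3B shows up as ';' here.
        for raw in parse_qs(url.query, keep_blank_values=True).get("poller_id", []):
            verdict = classify_poller_id(raw)
            if verdict != "ok":
                hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                             "method": m.group("method"), "status": m.group("status"),
                             "poller_id": raw, "reason": verdict})
    return hits
```

Run it over a real access log with `find_suspicious(open("access.log").read())`; a 200 status on a flagged line means the request reached the script and deserves the follow-up checks in step 3.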

Key Details

Property                 Value
CVE ID                   CVE-2022-46169
Vendor / Product         Cacti — Cacti
NVD Published            2022-12-05
NVD Last Modified        2025-10-24
CVSS 3.1 Score           9.8
CVSS 3.1 Vector          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity                 CRITICAL
CWE                      CWE-74
CISA KEV Added           2023-02-16
CISA KEV Deadline        2023-03-09
Known Ransomware Use     No

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       None
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2023-03-09. Apply updates per vendor instructions.

Timeline

Date          Event
2022-12-03    Cacti released version 1.2.23 with patch
2022-12-05    CVE published; GitHub security advisory published
2022-12-11    Public proof-of-concept exploit published; Mirai botnets began exploiting the vulnerability
2023-02-16    CISA added to KEV
2023-03-09    CISA BOD 22-01 remediation deadline

References

Resource                                               Type
NVD — CVE-2022-46169                                   Vulnerability Database
CISA KEV Catalog Entry                                 US Government
Cacti GitHub Security Advisory GHSA-6p93-p743-35gf     Vendor Advisory