Cyber Resilience

CVE-2023-49085

High · Public PoC

Published: 22 December 2023

Modified: 21 November 2024
KEV Added: (not listed)
Patch: (none referenced)
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9140 (99.7th percentile)
Risk Priority: 72 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-49085 is a high-severity SQL Injection (CWE-89) vulnerability in Cacti (vendor: Cacti). Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 0.3% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

Cacti is an operational monitoring and fault management framework that is affected by a SQL injection vulnerability in versions 1.2.25 and earlier. The flaw exists in the pollers.php script and stems from insufficient input sanitization, enabling an authenticated user to inject and execute arbitrary SQL statements, as classified under CWE-89. The issue carries a CVSS 3.1 score of 8.8.

An authorized user with access to the affected script can supply crafted input to pollers.php and achieve arbitrary SQL execution on the underlying database. Public references indicate this can be escalated to remote code execution in practice.

The GitHub security advisory GHSA-vr3c-38wh-g855 and subsequent distribution notices from Debian and Fedora reference the issue, though the original disclosure stated that no patch was available at the time of publication. A proof-of-concept exploit demonstrating remote code execution has been published on Packet Storm.

The associated EPSS score reached a peak of 0.9140 and remains at that level, indicating sustained exploitation interest following disclosure.

EU & UK References

Vulnerability details

Cacti provides an operational monitoring and fault management framework. In versions 1.2.25 and prior, it is possible to execute arbitrary SQL code through the `pollers.php` script. An authorized user may be able to execute arbitrary SQL code. The vulnerable component is `pollers.php`. Impact of the vulnerability: arbitrary SQL code execution. As of the time of publication, a patch does not appear to exist.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: cacti
Product: cacti
Versions: ≤ 1.2.25

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Control (addresses CWE-89): Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.

Control (addresses CWE-89): Validates query inputs to prevent SQL syntax or command manipulation.
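The two CWE-89 controls above come down to one coding rule: data values reach the database only through bind parameters, and anything that cannot be bound (a sort column or direction in a list page such as `pollers.php`) is checked against an allowlist. The following is an added illustration, not Cacti's code and not the CVE-2023-49085 fix; the `poller` table, its rows and the `name_filter`/`sort_column`/`sort_dir` parameters are constructed for the example, and SQLite stands in for Cacti's MySQL backend.

```python
"""Added example (not Cacti code): bind parameters for data values and an
allowlist for ORDER BY identifiers, the two controls that address CWE-89."""
import sqlite3

# Identifiers cannot be passed as bind parameters, so they are allowlisted.
ALLOWED_SORT_COLUMNS = {"id", "name", "hostname"}
ALLOWED_SORT_DIRS = {"ASC", "DESC"}


def build_db() -> sqlite3.Connection:
    """Constructed sample data standing in for a poller table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE poller (id INTEGER PRIMARY KEY, name TEXT, hostname TEXT)"
    )
    conn.executemany(
        "INSERT INTO poller (name, hostname) VALUES (?, ?)",
        [("main", "poller1.example"),
         ("remote-a", "poller2.example"),
         ("remote-b", "poller3.example")],
    )
    conn.commit()
    return conn


def list_pollers_unsafe(conn: sqlite3.Connection, name_filter: str) -> list:
    """Vulnerable pattern (CWE-89): the request value is spliced into SQL text,
    so quotes in the value change the query's structure."""
    sql = f"SELECT id, name FROM poller WHERE name = '{name_filter}'"
    return conn.execute(sql).fetchall()


def list_pollers_safe(conn: sqlite3.Connection, name_filter: str,
                      sort_column: str = "id", sort_dir: str = "ASC") -> list:
    """Hardened form: the filter value is a bind parameter; the ORDER BY
    identifiers are accepted only if they appear in the allowlist."""
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_column!r}")
    sort_dir = sort_dir.upper()
    if sort_dir not in ALLOWED_SORT_DIRS:
        raise ValueError(f"unsupported sort direction: {sort_dir!r}")
    # Only allowlisted literals are interpolated; the value is bound with '?'.
    sql = (f"SELECT id, name FROM poller WHERE name = ? "
           f"ORDER BY {sort_column} {sort_dir}")
    return conn.execute(sql, (name_filter,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    # A textbook value that is never a real poller name.
    hostile = "x' OR '1'='1"
    print("unsafe:", list_pollers_unsafe(db, hostile))   # every row leaks
    print("safe:  ", list_pollers_safe(db, hostile))     # no rows: value is data
```

In the unsafe function the quote in the value terminates the string literal and the rest of the input becomes part of the WHERE clause, so the query returns every row; in the safe function the same input is compared as a literal name and matches nothing, and a sort column outside the allowlist is rejected before any SQL is built. Reviewing a page like `pollers.php` for this vulnerability class means finding every place a request parameter is concatenated into SQL text and moving it to one of these two paths.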

References