CVE-2020-14295

HIGH

Cacti 1.2.12 - Authenticated SQL Injection via color.php filter Parameter


Exploitation Summary

EIP tracks 4 public exploits for CVE-2020-14295. PoCs published by Leonardo Paiva, 0z09e, mrg3ntl3m4n, including Metasploit module exploits/unix/http/cacti_filter_sqli_rce.

AI-analyzed exploit summary: This exploit leverages SQL injection in Cacti 1.2.12 via the 'filter' parameter to dump credentials and achieve remote code execution by modifying the 'path_php_binary' setting to execute a reverse shell.

Description

A SQL injection issue in color.php in Cacti 1.2.12 allows an admin to inject SQL via the filter parameter. This can lead to remote command execution because the product accepts stacked queries.

Exploits (4)

exploitdb WORKING POC
by Leonardo Paiva · python · webapps · php
https://www.exploit-db.com/exploits/49810

This exploit leverages SQL injection in Cacti 1.2.12 via the 'filter' parameter to dump credentials and achieve remote code execution by modifying the 'path_php_binary' setting to execute a reverse shell.

Classification: Working PoC 95%
Attack Type: SQLi | RCE
Complexity: Moderate
Reliability: Reliable
Target: Cacti 1.2.12
Auth required
Prerequisites: Valid Cacti credentials · Network access to target · Listener setup for reverse shell
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 2 stars
by 0z09e · poc
https://github.com/0z09e/CVE-2020-14295

This exploit leverages an authenticated SQL injection in Cacti's `color.php` to achieve remote code execution by modifying the `path_php_binary` setting to execute a reverse shell. The PoC automates the process, including CSRF token extraction and payload delivery.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Cacti 1.2.12
Auth required
Prerequisites: Valid Cacti credentials · Network access to the target · Listener set up for reverse shell
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by mrg3ntl3m4n · poc
https://github.com/mrg3ntl3m4n/CVE-2020-14295

This is a functional exploit for CVE-2020-14295, which chains SQL injection with remote code execution in Cacti 1.2.12. It authenticates, injects a malicious payload to modify the PHP binary path, and triggers a reverse shell via netcat.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Cacti 1.2.12
Auth required
Prerequisites: Valid Cacti credentials · Network access to target · Netcat listener on attacker machine
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
by h00die, Leonardo Paiva, Mayfly277 · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/http/cacti_filter_sqli_rce.rb

This Metasploit module exploits a SQL injection vulnerability in Cacti 1.2.12 and earlier, allowing an authenticated admin to execute arbitrary SQL queries and achieve remote code execution by modifying the `path_php_binary` setting.

Classification: Working PoC 100%
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: Cacti <= 1.2.12
Auth required
Prerequisites: Valid admin credentials · Access to the Cacti web interface
devstral-2 · analyzed Feb 16, 2026

References (8)

Core References
Exploit, Issue Tracking, Third Party Advisory x_refsource_misc
https://github.com/Cacti/cacti/issues/3622
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/202007-03

Scores

CVSS v3: 7.2
EPSS: 0.8633
EPSS Percentile: 99.7%
Attack Vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-89
Status: published
Products (3):
cacti/cacti 1.2.12
fedoraproject/fedora 31
fedoraproject/fedora 32
Published: Jun 17, 2020
Tracked Since: Feb 18, 2026