CVE-2020-8813

HIGH EXPLOITED IN THE WILD NUCLEI

Cacti 1.2.8 - Authenticated Remote Code Execution via Cookie Shell Metacharacter Injection

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2020-8813 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 6 public exploits from researchers including Askar, mhaskar, p0dalirius. A Nuclei detection template is also available.

AI-analyzed exploit summary This exploit targets Cacti v1.2.8 by injecting a reverse shell payload via the 'Cacti' cookie in a request to 'graph_realtime.php'. It leverages unauthenticated access to execute arbitrary commands on the target system.

Description

graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has the graph real-time privilege.

Exploits (6)

exploitdb WORKING POC
by Askar · pythonwebappsmultiple
https://www.exploit-db.com/exploits/48145

This exploit targets Cacti v1.2.8 by injecting a reverse shell payload via the 'Cacti' cookie in a request to 'graph_realtime.php'. It leverages unauthenticated access to execute arbitrary commands on the target system.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Cacti v1.2.8
No auth needed
Prerequisites: Target must have Cacti v1.2.8 with guest access enabled · Network connectivity to the target · Netcat listener set up on attacker's machine
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC
by Askar · pythonwebappsmultiple
https://www.exploit-db.com/exploits/48144

This exploit targets CVE-2020-8813 in Cacti v1.2.8, leveraging authenticated RCE via CSRF token manipulation and cookie injection to execute a reverse shell. It requires valid credentials and enables guest access to exploit the vulnerability.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Cacti v1.2.8
Auth required
Prerequisites: Valid Cacti credentials · Network access to target · Netcat listener for reverse shell
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 68 stars
by mhaskar · poc
https://github.com/mhaskar/CVE-2020-8813

The repository contains two functional Python scripts demonstrating pre-auth and post-auth RCE in Cacti v1.2.8 via command injection in the 'Cacti' cookie. The exploit leverages improper input validation in 'graph_realtime.php' to execute arbitrary commands.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Cacti v1.2.8
No auth needed
Prerequisites: Network access to target · Cacti v1.2.8 with guest account enabled (for pre-auth)
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC 7 stars
by p0dalirius · remote-auth
https://github.com/p0dalirius/CVE-2020-8813-Cacti-RCE-in-graph_realtime

This repository contains a functional Python exploit for CVE-2020-8813, which allows remote command execution in Cacti 1.2.8 via command injection through the `graph_realtime.php` script. The exploit supports both authenticated and guest access modes, with options for live interactive shells or single command execution.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Cacti 1.2.8
No auth needed
Prerequisites: Cacti 1.2.8 with guest access enabled or valid credentials · Network access to the target
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC 1 stars
by hexcowboy · remote
https://github.com/hexcowboy/CVE-2020-8813

This repository contains a functional exploit for CVE-2020-8813, an unauthenticated remote code execution vulnerability in Cacti v1.2.8. The exploit leverages a cookie injection flaw in the `graph_realtime.php` endpoint to execute arbitrary commands.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Cacti v1.2.8
No auth needed
Prerequisites: Target must be running Cacti v1.2.8 · Network access to the target's `graph_realtime.php` endpoint
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC 1 stars
by 0xm4ud · remote
https://github.com/0xm4ud/Cacti-CVE-2020-8813

This repository contains a functional exploit for CVE-2020-8813, an unauthenticated remote code execution vulnerability in Cacti v1.2.8. The exploit leverages a command injection flaw in the `graph_realtime.php` endpoint via a maliciously crafted cookie.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Cacti v1.2.8
No auth needed
Prerequisites: Network access to the target Cacti instance · Python 3 environment · Netcat for reverse shell handling
devstral-2 · analyzed Feb 18, 2026 Full analysis →

Nuclei Templates (1)

Cacti v1.2.8 - Remote Code Execution
HIGHby gy741
Shodan: http.title:"login to cacti" || http.title:"cacti" || http.favicon.hash:"-1797138069"
FOFA: icon_hash="-1797138069" || title="cacti" || title="login to cacti"

References (16)

Core 16
Core References
Mailing List, Third Party Advisory vendor-advisory
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00042.html
Third Party Advisory vendor-advisory
https://security.gentoo.org/glsa/202004-16
Mailing List, Third Party Advisory mailing-list
https://lists.debian.org/debian-lts-announce/2022/12/msg00039.html
Issue Tracking, Third Party Advisory
https://github.com/Cacti/cacti/issues/3285

Scores

CVSS v3 8.8
EPSS 0.7378
EPSS Percentile 99.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2021-09-11
InTheWild.io 2021-04-18
CWE
CWE-78
Status published
Products (7)
cacti/cacti 1.2.8
debian/debian_linux 10.0
fedoraproject/fedora 30
fedoraproject/fedora 31
fedoraproject/fedora 32
opensuse/suse_package_hub
opmantek/open-audit 3.3.1
Published Feb 22, 2020
Tracked Since Feb 18, 2026