CVE-2023-39361

CRITICAL NUCLEI

Cacti - Unauthenticated SQL Injection via graph_view.php

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2023-39361. PoCs published by ChoDeokCheol, HPT-Intern-Task-Submission. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository provides a detailed technical analysis of CVE-2023-39361, an SQL injection vulnerability in Cacti's graph_view.php leading to RCE. It includes a proof-of-concept exploit demonstrating how the rfilter parameter can be manipulated to extract sensitive data from the database.

Description

Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a SQL injection discovered in graph_view.php. Since guest users can access graph_view.php without authentication by default, if guest users are being utilized in an enabled state, there could be the potential for significant damage. Attackers may exploit this vulnerability, and there may be possibilities for actions such as the usurpation of administrative privileges or remote code execution. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Exploits (2)

nomisec WRITEUP

by ChoDeokCheol · poc

https://github.com/ChoDeokCheol/CVE-2023-39361

View Code ZIP pw:eip

This repository provides a detailed technical analysis of CVE-2023-39361, an SQL injection vulnerability in Cacti's graph_view.php leading to RCE. It includes a proof-of-concept exploit demonstrating how the rfilter parameter can be manipulated to extract sensitive data from the database.

Classification

Writeup 95%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: Cacti 1.2.24

No auth needed

Prerequisites: Cacti 1.2.24 installed · Guest user access to graph_view.php

MITRE ATT&CK

T1189 - Drive-by Compromise T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WRITEUP

by HPT-Intern-Task-Submission · poc

https://github.com/HPT-Intern-Task-Submission/CVE-2023-39361

View Code ZIP pw:eip

This repository provides a detailed technical analysis of CVE-2023-39361, an unauthenticated SQL injection vulnerability in Cacti v1.2.24. It includes a breakdown of the vulnerable code, lab setup instructions, and an explanation of how the `rfilter` parameter is improperly sanitized, allowing SQL injection via double quotes.

Classification

Writeup 95%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: Cacti v1.2.24

No auth needed

Prerequisites: Access to the Cacti web interface · Docker environment for lab setup

MITRE ATT&CK

T1189 - Drive-by Compromise T1505 - Server Software Component

devstral-2 · analyzed Feb 18, 2026 Full analysis →

Nuclei Templates (1)

Cacti 1.2.24 - SQL Injection

CRITICALVERIFIEDby ritikchaddha

Shodan: title:"Login to Cacti" || http.title:"login to cacti" || http.title:"cacti" || http.favicon.hash:"-1797138069"

FOFA: icon_hash="-1797138069" || title="cacti" || title="login to cacti"

References (6)

Core 6

Core References

Mailing List

https://lists.debian.org/debian-lts-announce/2024/03/msg00018.html

Mailing List

https://lists.fedoraproject.org/archives/list/[email protected]/message/CFH3J2WVBKY4ZJNMARVOWJQK6PSLPHFH/

Mailing List

https://lists.fedoraproject.org/archives/list/[email protected]/message/WZGB2UXJEUYWWA6IWVFQ3ZTP22FIHMGN/

Mailing List, Third Party Advisory

https://lists.fedoraproject.org/archives/list/[email protected]/message/WOQFYGLZBAWT4AWNMO7DU73QXWPXTCKH/

Third Party Advisory

https://www.debian.org/security/2023/dsa-5550

Exploit, Vendor Advisory x_refsource_confirm

https://github.com/Cacti/cacti/security/advisories/GHSA-6r43-q2fw-5wrg

Scores

CVSS v3 9.8

EPSS 0.8758

EPSS Percentile 99.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-89

Status published

Products (3)

cacti/cacti 1.2.24

fedoraproject/fedora 37

fedoraproject/fedora 38

Published Sep 05, 2023

Tracked Since Feb 18, 2026