Hackers use critical Cacti bug to open reverse shells and install malware

Hackers are exploiting a security vulnerability in the Cacti device-monitoring tool that leaves more than 1,600 instances exposed on the Internet vulnerable.

Cacti is an operational monitoring and fault-management solution for network devices that provides graphing and visualization. Thousands of Cacti instances around the globe are reachable on the Internet.

A security advisory issued in December 2022 warned of a critical command injection vulnerability. It is tracked as CVE-2022-46169 and has a severity rating of 9.8/10.

The developer released a fix, and the advisory also gives guidance on how to avoid the command injection and the authorization bypass.

The technical details of the issue, and how it could be exploited, were first described in a public write-up. In the same month, proof-of-concept (PoC) exploit code that could be used to launch attacks became available.

SonarSource, a security and code quality company, published a write-up about its discovery on January 3, together with a video demonstrating the vulnerability.


Security researchers from the Shadowserver Foundation observed exploitation attempts that delivered malware.

Initial exploits installed botnet malware such as Mirai. Another exploit installed a Perl-based IRC botnet that opened a reverse shell and instructed the host to perform port scans. More recent attempts have been limited to checking whether hosts are vulnerable.

Shadowserver data shows that attempts to exploit CVE-2022-46169 in Cacti have increased over the past week, although the current count is still fewer than two dozen.

Censys’ attack surface platform for Internet-connected devices found 6,427 Cacti hosts online, according to a Censys report. It is not possible to determine how many of these hosts are running vulnerable versions or have recently been updated.

“Censys observed 6,427 hosts online running Cacti. We can’t see which version of Cacti is running on the internet unless a particular theme is selected.”

The company counted 1,637 Cacti hosts that are reachable over the Internet and potentially vulnerable to CVE-2022-46169. Many of these (465) are running version 1.1.38, the April 2021 release.

Only 26 of the Cacti hosts for which Censys could determine a version number were running an up-to-date release.

An attacker who gains access to a Cacti instance can obtain information about the devices and IP addresses within the organization.

This information is a great boon to attackers: it gives them a clear view of the network and of the hosts they could target to gain a foothold or move on to more valuable systems.