The majority of Cacti servers exposed to the internet remain unpatched against a critical security vulnerability that was recently fixed.
This is according to attack surface management platform Censys, which found that only 26 out of a total of 6,427 servers were running a patched version of Cacti (1.2.23 or 1.3.0).
The problem in question, CVE-2022-46169 (CVSS score: 9.8), is a combination of an authentication bypass and a command injection that allows unauthenticated users to execute arbitrary code on affected versions of the open source web-based monitoring solution.
Details of the flaw, which affects versions 1.2.22 and below, were first revealed by SonarSource, which reported it to the project maintainers on December 2, 2022.
“Hostname-based authentication checks are not securely implemented in most installations of Cacti,” SonarSource researcher Stefan Schiller noted earlier this month, adding that “unsanitized user input propagates into the string used to execute the external command.”
The disclosure of the vulnerability has also led to “exploitation attempts,” with the Shadowserver Foundation and GreyNoise warning of malicious attacks that, so far, originate from a single IP address located in Ukraine.
The majority of the unpatched installations (1,320) are in Brazil, followed by Indonesia, the United States, China, Bangladesh, Russia, Ukraine, the Philippines, Thailand, and the United Kingdom.
SugarCRM Vulnerability Actively Exploited to Drop Web Shell
The development comes as SugarCRM shipped fixes for a disclosed vulnerability that is being actively weaponized to drop a PHP-based web shell on 354 unique hosts, Censys said in a separate advisory.
The bug, tracked as CVE-2023-22952, concerns a case of missing input validation that can lead to the injection of arbitrary PHP code. It has been addressed in SugarCRM versions 11.0.5 and 12.0.2.
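Because both fixes are branch-specific, a bare version string can mislead during inventory review (SugarCRM 12.0.1 is newer than 11.0.5 yet still unpatched). The following Python snippet is an added example, not code from the article or from Censys, that classifies inventory entries against the fixed versions stated above; the CSV format, hostnames and versions in the sample are constructed.

```python
import re

# Fix versions as stated in the article (constructed table, keyed by release branch).
# Cacti: 1.2.22 and below affected; fixed in 1.2.23 and 1.3.0.
# SugarCRM: fixed in 11.0.5 and 12.0.2 (nothing stated about other branches).
RULES = {
    "cacti": {"affected_max": (1, 2, 22), "fixed": [(1, 2, 23), (1, 3, 0)]},
    "sugarcrm": {"affected_max": None, "fixed": [(11, 0, 5), (12, 0, 2)]},
}

def parse_version(text):
    """'1.2.23', 'v12.0.2', '1.2.22-1' -> (1, 2, 23) etc.; None if unparseable."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(x) for x in m.groups()) if m else None

def status(product, version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one product/version pair.

    A version counts as patched only if it is at or above the fix released for
    its own branch; a newer branch without a stated fix is reported as unknown.
    """
    rule = RULES.get(product.lower())
    version = parse_version(version_text)
    if rule is None or version is None:
        return "unknown"
    for fixed in rule["fixed"]:
        if version[:2] == fixed[:2]:            # same release branch
            return "patched" if version >= fixed else "vulnerable"
    if rule["affected_max"] and version <= rule["affected_max"]:
        return "vulnerable"                     # older branch, explicitly affected
    return "unknown"                            # branch the advisory does not cover

def triage(inventory_csv):
    """Map host -> status from 'host,product,version' lines (header optional)."""
    result = {}
    for line in inventory_csv.strip().splitlines():
        host, product, version = (f.strip() for f in line.split(","))
        if host.lower() == "host":              # skip a header row
            continue
        result[host] = status(product, version)
    return result

# Constructed sample inventory; hostnames and versions are made up.
SAMPLE = """host,product,version
mon-01.example,cacti,1.2.22
mon-02.example,cacti,1.2.23
mon-03.example,cacti,1.3.0
crm-01.example,sugarcrm,12.0.1
crm-02.example,sugarcrm,11.0.5
crm-03.example,sugarcrm,13.0.0
"""

if __name__ == "__main__":
    for host, state in triage(SAMPLE).items():
        print(f"{host:16} {state}")
```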
The attacks detailed by Censys use the web shell as a conduit to execute additional commands on the infected machine with the same privileges as the user running the web service. The majority of infections have been reported in the United States, Germany, Australia, France, and the United Kingdom.
Malicious actors often take advantage of newly disclosed vulnerabilities to carry out attacks, so it is imperative that users plug security holes quickly.