CVE-2020-8813: Cacti graph_realtime.php RCE Vulnerability

CVE-2020-8813 Overview

CVE-2020-8813 is a command injection vulnerability in Cacti 1.2.8 that allows remote attackers to execute arbitrary operating system commands via shell metacharacters injected through a cookie value. The vulnerability exists in graph_realtime.php and can be exploited when a guest user has the graph real-time privilege enabled, potentially allowing unauthenticated remote code execution.

Critical Impact
Attackers can achieve full system compromise by injecting OS commands through cookie manipulation, leading to unauthorized access, data theft, and lateral movement within affected networks.

Affected Products

Cacti version 1.2.8
Opmantek Open-AudIT version 3.3.1
Fedora versions 30, 31, and 32
openSUSE SUSE Linux Enterprise Server 12.0
Debian Linux 10.0

Discovery Timeline

2020-02-22 - CVE-2020-8813 published to NVD
2024-11-21 - Last updated in NVD database

Technical Details for CVE-2020-8813

Vulnerability Analysis

This command injection vulnerability (CWE-78) resides in the graph_realtime.php component of Cacti, a widely-used network graphing and monitoring solution. The vulnerable code fails to properly sanitize user-controlled input from cookie values before passing them to shell execution functions. When the graph real-time privilege is enabled for guest users, an attacker can craft malicious cookie values containing shell metacharacters that are interpreted and executed by the underlying operating system.

The exploitation path is particularly concerning because it can be leveraged without authentication in environments where guest access to real-time graphing is permitted. This configuration is common in monitoring dashboards that provide public visibility into network statistics. The network-based attack vector combined with low complexity makes this vulnerability highly exploitable, as demonstrated by the extremely high EPSS score indicating a 94.09% probability of exploitation.

Root Cause

The root cause stems from improper input validation in graph_realtime.php. The application accepts cookie data and incorporates it into system shell commands without adequate sanitization or escaping of special characters. Shell metacharacters such as semicolons (;), pipes (|), backticks (`), and command substitution syntax ($()) are not filtered, allowing attackers to break out of the intended command context and execute arbitrary commands with the privileges of the web server process.

Attack Vector

The attack is initiated over the network by sending an HTTP request to the graph_realtime.php endpoint with a specially crafted cookie containing shell metacharacters. The attacker does not require authentication if guest users have been granted real-time graph privileges. The malicious payload embedded in the cookie is processed by the vulnerable PHP code and passed to a shell execution function, resulting in command execution on the target server.

A typical exploitation scenario involves:

Identifying a Cacti 1.2.8 instance with guest real-time graphing enabled
Crafting an HTTP request with a malicious cookie value containing shell metacharacters
The injected commands execute with web server privileges (often www-data or apache)
Establishing a reverse shell or downloading additional payloads for persistence

Public proof-of-concept exploits are available via Packet Storm Security and documented in the Cacti GitHub Issue Tracker. Additional technical analysis is available at Shells Systems.

Detection Methods for CVE-2020-8813

Indicators of Compromise

Unusual HTTP requests to /graph_realtime.php with abnormally long or encoded cookie values
Web server logs showing cookie values containing shell metacharacters (;, |, `, $())
Unexpected child processes spawned by the web server process (Apache, Nginx, PHP-FPM)
Outbound network connections originating from the web server to suspicious IP addresses
New files created in web-accessible directories or /tmp with execution permissions

Detection Strategies

Implement web application firewall (WAF) rules to detect and block shell metacharacters in cookie values
Monitor web server access logs for requests to graph_realtime.php with suspicious cookie patterns
Deploy endpoint detection rules to identify shell command spawning from web server processes
Use intrusion detection signatures for known CVE-2020-8813 exploitation patterns

Monitoring Recommendations

Enable detailed logging for the Cacti application and web server access logs
Configure SIEM correlation rules to alert on command injection patterns in HTTP traffic
Monitor process execution chains for anomalous activity originating from PHP processes
Implement file integrity monitoring on Cacti installation directories

How to Mitigate CVE-2020-8813

Immediate Actions Required

Upgrade Cacti to a patched version as soon as possible (versions after 1.2.8)
Disable guest access to the real-time graphing feature if not required
Implement network-level access controls to restrict access to Cacti management interfaces
Review web server logs for signs of prior exploitation attempts

Patch Information

Cacti has released security updates addressing this vulnerability. Organizations should upgrade to the latest stable release available from the Cacti GitHub Releases page. Linux distribution-specific patches are available through:

Workarounds

Disable the guest user account or remove real-time graph privileges from guest users
Place Cacti behind a reverse proxy with strict input validation and cookie sanitization
Restrict access to the /graph_realtime.php endpoint via web server configuration
Implement IP-based access controls to limit Cacti access to trusted networks only

bash

# Apache configuration to restrict access to graph_realtime.php
<Location /cacti/graph_realtime.php>
    Require ip 10.0.0.0/8
    Require ip 192.168.0.0/16
</Location>

# Nginx configuration to block suspicious cookie patterns
if ($http_cookie ~* "[;|`$]") {
    return 403;
}