CVE-2020-8813 Overview
CVE-2020-8813 is a command injection vulnerability in Cacti 1.2.8 that allows remote attackers to execute arbitrary operating system commands via shell metacharacters injected through a cookie value. The vulnerability exists in graph_realtime.php and can be exploited when a guest user has the graph real-time privilege enabled, potentially allowing unauthenticated remote code execution.
Critical Impact
Attackers can achieve full system compromise by injecting OS commands through cookie manipulation, leading to unauthorized access, data theft, and lateral movement within affected networks.
Affected Products
- Cacti version 1.2.8
- Opmantek Open-AudIT version 3.3.1
- Fedora versions 30, 31, and 32
- openSUSE SUSE Linux Enterprise Server 12.0
- Debian Linux 10.0
Discovery Timeline
- 2020-02-22 - CVE-2020-8813 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-8813
Vulnerability Analysis
This command injection vulnerability (CWE-78) resides in the graph_realtime.php component of Cacti, a widely-used network graphing and monitoring solution. The vulnerable code fails to properly sanitize user-controlled input from cookie values before passing them to shell execution functions. When the graph real-time privilege is enabled for guest users, an attacker can craft malicious cookie values containing shell metacharacters that are interpreted and executed by the underlying operating system.
The exploitation path is particularly concerning because it can be leveraged without authentication in environments where guest access to real-time graphing is permitted. This configuration is common in monitoring dashboards that provide public visibility into network statistics. The network-based attack vector combined with low complexity makes this vulnerability highly exploitable, as demonstrated by the extremely high EPSS score indicating a 94.09% probability of exploitation.
Root Cause
The root cause stems from improper input validation in graph_realtime.php. The application accepts cookie data and incorporates it into system shell commands without adequate sanitization or escaping of special characters. Shell metacharacters such as semicolons (;), pipes (|), backticks (`), and command substitution syntax ($()) are not filtered, allowing attackers to break out of the intended command context and execute arbitrary commands with the privileges of the web server process.
Attack Vector
The attack is initiated over the network by sending an HTTP request to the graph_realtime.php endpoint with a specially crafted cookie containing shell metacharacters. The attacker does not require authentication if guest users have been granted real-time graph privileges. The malicious payload embedded in the cookie is processed by the vulnerable PHP code and passed to a shell execution function, resulting in command execution on the target server.
A typical exploitation scenario involves:
- Identifying a Cacti 1.2.8 instance with guest real-time graphing enabled
- Crafting an HTTP request with a malicious cookie value containing shell metacharacters
- The injected commands execute with web server privileges (often www-data or apache)
- Establishing a reverse shell or downloading additional payloads for persistence
Public proof-of-concept exploits are available via Packet Storm Security and documented in the Cacti GitHub Issue Tracker. Additional technical analysis is available at Shells Systems.
Detection Methods for CVE-2020-8813
Indicators of Compromise
- Unusual HTTP requests to /graph_realtime.php with abnormally long or encoded cookie values
- Web server logs showing cookie values containing shell metacharacters (;, |, `, $())
- Unexpected child processes spawned by the web server process (Apache, Nginx, PHP-FPM)
- Outbound network connections originating from the web server to suspicious IP addresses
- New files created in web-accessible directories or /tmp with execution permissions
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block shell metacharacters in cookie values
- Monitor web server access logs for requests to graph_realtime.php with suspicious cookie patterns
- Deploy endpoint detection rules to identify shell command spawning from web server processes
- Use intrusion detection signatures for known CVE-2020-8813 exploitation patterns
Monitoring Recommendations
- Enable detailed logging for the Cacti application and web server access logs
- Configure SIEM correlation rules to alert on command injection patterns in HTTP traffic
- Monitor process execution chains for anomalous activity originating from PHP processes
- Implement file integrity monitoring on Cacti installation directories
How to Mitigate CVE-2020-8813
Immediate Actions Required
- Upgrade Cacti to a patched version as soon as possible (versions after 1.2.8)
- Disable guest access to the real-time graphing feature if not required
- Implement network-level access controls to restrict access to Cacti management interfaces
- Review web server logs for signs of prior exploitation attempts
Patch Information
Cacti has released security updates addressing this vulnerability. Organizations should upgrade to the latest stable release available from the Cacti GitHub Releases page. Linux distribution-specific patches are available through:
- Fedora Package Announcements
- openSUSE Security Announcements
- Debian LTS Security Advisory
- Gentoo GLSA-202004-16
Workarounds
- Disable the guest user account or remove real-time graph privileges from guest users
- Place Cacti behind a reverse proxy with strict input validation and cookie sanitization
- Restrict access to the /graph_realtime.php endpoint via web server configuration
- Implement IP-based access controls to limit Cacti access to trusted networks only
# Apache configuration to restrict access to graph_realtime.php
<Location /cacti/graph_realtime.php>
Require ip 10.0.0.0/8
Require ip 192.168.0.0/16
</Location>
# Nginx configuration to block suspicious cookie patterns
if ($http_cookie ~* "[;|`$]") {
return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
