CVE-2022-46169 Overview
CVE-2022-46169 is a critical command injection vulnerability in Cacti, the open source operational monitoring and fault management platform. This vulnerability allows an unauthenticated attacker to execute arbitrary code on servers running Cacti by exploiting a flaw in the remote_agent.php file. The attack chain combines an authentication bypass with command injection, making it particularly dangerous as it requires no prior authentication.
The vulnerability has been actively exploited in the wild and has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, indicating its use in real-world attacks against organizations running vulnerable Cacti instances.
Critical Impact
Unauthenticated remote attackers can achieve complete system compromise by executing arbitrary commands on vulnerable Cacti servers, potentially leading to data theft, lateral movement, or ransomware deployment.
Affected Products
- Cacti versions prior to 1.2.23 (1.2.x branch)
- Cacti versions prior to 1.3.0 (1.3.x branch)
- Any Cacti installation with POLLER_ACTION_SCRIPT_PHP poller items configured (common in default templates)
Discovery Timeline
- December 5, 2022 - CVE-2022-46169 published to NVD
- October 24, 2025 - Last updated in NVD database
Technical Details for CVE-2022-46169
Vulnerability Analysis
This vulnerability consists of two chained flaws that together enable unauthenticated remote code execution. The first is an authentication bypass in remote_agent.php, a file reachable without logging in. Its authorization check relies on the get_client_addr function to retrieve the client's IP address, resolves that address to a hostname via gethostbyaddr, and then checks whether the hostname exists in the poller table.
The authentication bypass occurs because get_client_addr (defined in lib/functions.php) checks several $_SERVER variables to determine the client IP address, including variables beginning with HTTP_ which can be arbitrarily set by attackers via HTTP headers. Since a default entry exists in the poller table with the Cacti server's hostname, an attacker can bypass authentication by providing a header like Forwarded-For: <TARGETIP> where TARGETIP is the server's IP address.
The second component is a command injection vulnerability in the polldata action. When a poller_item has an action type of POLLER_ACTION_SCRIPT_PHP (value 2), the poll_for_data function uses proc_open to execute a PHP script. The $poller_id parameter is retrieved via get_nfilter_request_var, which allows arbitrary strings without sanitization. This parameter is directly inserted into the command string passed to proc_open, enabling command injection (e.g., poller_id=;id executes the id command).
Root Cause
The root cause is twofold: First, the get_client_addr function trusts user-controllable HTTP headers (HTTP_* server variables) for IP address determination, allowing IP spoofing. Second, the $poller_id parameter is passed to proc_open without proper sanitization or validation, enabling arbitrary command injection. The combination of trusting HTTP headers for authentication decisions and insufficient input validation on shell command parameters creates a critical attack surface.
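The two root causes, modelled in Python as an added example (not Cacti's PHP code): an address resolver that trusts HTTP_* variables beside one that only honours forwarding headers from a configured proxy, and strict validation of poller_id before it can reach a command string. The HEADER_KEYS order and the trusted_proxies set are constructed for illustration.

```python
import ipaddress
import re

# Constructed lookup order for the insecure resolver; Cacti's real list is in
# lib/functions.php and is not reproduced here.
HEADER_KEYS = ("HTTP_X_FORWARDED_FOR", "HTTP_FORWARDED_FOR", "HTTP_CLIENT_IP", "REMOTE_ADDR")


def client_addr_vulnerable(server):
    """Root cause 1: any HTTP_* variable is trusted, so the client picks the address
    that the poller-table check will see (the spoofing described above)."""
    for key in HEADER_KEYS:
        if server.get(key):
            return server[key].split(",")[0].strip()
    return ""


def client_addr_hardened(server, trusted_proxies):
    """Honour X-Forwarded-For only when the TCP peer is a configured proxy, then
    take the right-most hop that is not itself a trusted proxy."""
    peer = server.get("REMOTE_ADDR", "")
    if peer not in trusted_proxies:
        return peer  # direct client: request headers are attacker-controlled, ignore them
    hops = [h.strip() for h in server.get("HTTP_X_FORWARDED_FOR", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if hop not in trusted_proxies:
            try:
                return str(ipaddress.ip_address(hop))
            except ValueError:
                break  # malformed forwarded chain: fall back to the peer address
    return peer


def validate_poller_id(raw):
    """Root cause 2: poller_id is a database key, so accept only a plain positive
    integer before it can reach a command string; values like ';id' are rejected."""
    if not re.fullmatch(r"[1-9][0-9]{0,9}", raw):
        raise ValueError("poller_id must be a positive integer")
    return int(raw)
```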
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker sends a crafted HTTP request to remote_agent.php with a spoofed Forwarded-For header matching the Cacti server's IP address. This bypasses the authentication check. The attacker then triggers the polldata action with a malicious poller_id parameter containing shell metacharacters and commands. The attacker must brute-force valid host_id and local_data_id values where the corresponding poller_item has POLLER_ACTION_SCRIPT_PHP action type, which is commonly present due to default templates like "Device - Uptime" or "Device - Polling Time".
// Patch showing the fix to get_client_addr function call (auth_login.php)
// Source: https://github.com/Cacti/cacti/commit/b43f13ae7f1e6bfe4e8e56a80a7cd867cf2db52b
cacti_log("LOGIN: Guest User '" . $user['username'] . "' in use", false, 'AUTH');
}
- $client_addr = get_client_addr('');
+ $client_addr = get_client_addr();
db_execute_prepared(
'INSERT IGNORE INTO user_log
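Review bot: this hunk only drops the empty-string argument from the get_client_addr call in auth_login.php; on its own it does not change which $_SERVER variables are trusted, so the "fix to get_client_addr function call" comment should be read as aligning the call site with a changed signature in lib/functions.php, not as the header-trust fix. Confirm that every other caller that passed a positional argument was updated in the same commit, and have the commit message state that the security-relevant behaviour change lives in get_client_addr itself.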
// Patch showing the fix to proxy_headers handling (lib/functions.php)
// Source: https://github.com/Cacti/cacti/commit/a8d59e8fa5f0054aa9c6981b1cbe30ef0e2a0ec9
function get_client_addr() {
global $config, $allowed_proxy_headers;
- $proxy_headers = $config['proxy_headers'] ?? null;
+ $proxy_headers = (isset($config['proxy_headers']) ? $config['proxy_headers'] : null);
if ($proxy_headers === null) {
$last_time = read_config_option('proxy_alert');
if (empty($last_time)) {
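Review bot: the only change in this hunk, replacing `$config['proxy_headers'] ?? null` with `(isset($config['proxy_headers']) ? $config['proxy_headers'] : null)`, is behaviourally identical and reads as a compatibility tweak for PHP versions without the null-coalescing operator rather than a security fix. The visible lines declare `global $config, $allowed_proxy_headers;` but do not show how $allowed_proxy_headers limits which HTTP_* variables are consulted when $proxy_headers is null, which is the part that closes the spoofing path. Suggest the commit message name the PHP versions the ternary targets, and that the comment describing this as "the fix to proxy_headers handling" point at the hunk where headers are actually filtered.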
Detection Methods for CVE-2022-46169
Indicators of Compromise
- HTTP requests to remote_agent.php containing action=polldata parameter
- Suspicious Forwarded-For, X-Forwarded-For, or similar proxy headers in web server logs pointing to internal IP addresses
- Unusual process spawning from PHP or web server processes (e.g., sh, bash, cmd.exe)
- Web server logs showing brute-force attempts with varying host_id and local_data_id parameters
- Unexpected outbound network connections from the Cacti server
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block requests to remote_agent.php with suspicious poller_id values containing shell metacharacters (;, |, &, $(), backticks)
- Monitor web server access logs for requests to remote_agent.php from external IP addresses, especially those containing action=polldata
- Deploy SIEM rules to correlate authentication bypass attempts with subsequent command execution patterns
- Use endpoint detection and response (EDR) solutions to monitor for suspicious child processes spawned by web server or PHP processes
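The log-based indicators and detection strategies above, applied to access log lines, as an added example (not from the page or the Cacti project). It flags polldata requests to remote_agent.php whose poller_id carries the listed shell metacharacters and sources that cycle through many host_id/local_data_id pairs; the sample lines, the combined log format and the threshold of 3 are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" \d{3}')
SHELL_META = re.compile(r'[;|&`]|\$\(')  # metacharacters named in the detection guidance

# Constructed sample lines (documentation address ranges, combined log format).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2023:10:00:01 +0000] "GET /cacti/remote_agent.php?action=polldata&host_id=1&local_data_id=1&poller_id=1 HTTP/1.1" 200 512
203.0.113.7 - - [10/Jan/2023:10:00:02 +0000] "GET /cacti/remote_agent.php?action=polldata&host_id=1&local_data_id=2&poller_id=%3Bid HTTP/1.1" 200 88
203.0.113.7 - - [10/Jan/2023:10:00:02 +0000] "GET /cacti/remote_agent.php?action=polldata&host_id=1&local_data_id=3&poller_id=%3Bid HTTP/1.1" 200 88
203.0.113.7 - - [10/Jan/2023:10:00:03 +0000] "GET /cacti/remote_agent.php?action=polldata&host_id=2&local_data_id=4&poller_id=%3Bid HTTP/1.1" 200 88
10.0.0.5 - - [10/Jan/2023:10:00:05 +0000] "GET /cacti/remote_agent.php?action=polldata&host_id=3&local_data_id=9&poller_id=1 HTTP/1.1" 200 512
198.51.100.2 - - [10/Jan/2023:10:00:06 +0000] "GET /cacti/index.php HTTP/1.1" 200 2048
"""

def parse_query(target):
    """Split a request target into path and decoded params. Splits on '&' only, so a
    raw ';' inside poller_id survives instead of being treated as a separator."""
    path, _, query = target.partition("?")
    params = {}
    for part in query.split("&"):
        key, _, value = part.partition("=")
        if key:
            params[unquote(key)] = unquote(value)
    return path, params

def scan_access_log(lines, enumeration_threshold=3):
    """Return (source_ip, reason) findings for remote_agent.php polldata requests."""
    findings = []
    ids_seen = defaultdict(set)  # source ip -> distinct (host_id, local_data_id) pairs
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, params = parse_query(m.group("target"))
        if not path.endswith("/remote_agent.php") or params.get("action") != "polldata":
            continue
        ip = m.group("ip")
        poller_id = params.get("poller_id", "")
        if SHELL_META.search(poller_id):
            findings.append((ip, f"shell metacharacter in poller_id: {poller_id!r}"))
        ids_seen[ip].add((params.get("host_id"), params.get("local_data_id")))
    for ip, pairs in ids_seen.items():
        if len(pairs) >= enumeration_threshold:
            findings.append((ip, f"{len(pairs)} distinct host_id/local_data_id pairs"))
    return findings
```

Feed it real lines with scan_access_log(open(path)) and tune enumeration_threshold to the number of pollers and data sources a legitimate poller touches.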
Monitoring Recommendations
- Enable detailed logging for the Cacti web application and PHP error logs
- Monitor for process creation events where the parent process is the web server (Apache, Nginx) or PHP-FPM
- Implement network monitoring to detect unexpected outbound connections from monitoring infrastructure
- Review Cacti audit logs for unusual poller activity or configuration changes
How to Mitigate CVE-2022-46169
Immediate Actions Required
- Upgrade Cacti to version 1.2.23 or later (for 1.2.x branch) or 1.3.0 or later (for 1.3.x branch) immediately
- If immediate patching is not possible, restrict network access to remote_agent.php to only trusted poller IP addresses
- Review web server logs for evidence of exploitation attempts
- Implement network segmentation to limit Cacti server exposure
- Consider temporarily disabling remote agent functionality if not required
Patch Information
The vulnerability has been addressed in Cacti version 1.2.23 and the 1.3.x release branch. The patch modifies the get_client_addr function to properly handle proxy headers and sanitizes input to the proc_open call. Security patches are available via the following commits:
- Cacti Commit 7f0e16312dd5ce20f93744ef8b9c3b0f1ece2216
- Cacti Commit a8d59e8fa5f0054aa9c6981b1cbe30ef0e2a0ec9
- Cacti Commit b43f13ae7f1e6bfe4e8e56a80a7cd867cf2db52b
For detailed information, see the GitHub Security Advisory GHSA-6p93-p743-35gf.
Workarounds
- Block external access to remote_agent.php at the web server or firewall level
- Configure web server to reject requests with suspicious proxy headers from untrusted sources
- Implement IP-based allowlisting for remote agent functionality
- Use a reverse proxy with strict input validation to filter malicious requests
# Apache configuration to restrict remote_agent.php access
# Add to your Cacti Apache configuration (Apache 2.4 syntax: several Require ip
# lines are combined as "any of these"; every other client receives 403)
<Files "remote_agent.php">
    Require ip 127.0.0.1
    Require ip 10.0.0.0/8
    # Add your trusted poller IP addresses
    Require ip YOUR_TRUSTED_POLLER_IP
</Files>

# Nginx configuration alternative
# Place this before the generic "location ~ \.php$" block: nginx uses the first
# matching regex location, so a later block would never be reached
location ~ remote_agent\.php$ {
    allow 127.0.0.1;
    allow 10.0.0.0/8;
    # Add your trusted poller IP addresses
    allow YOUR_TRUSTED_POLLER_IP;
    deny all;
    # Continue with PHP handling
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/var/run/php-fpm.sock;
}

# For both: if Cacti sits behind a reverse proxy, the address checked here is the
# proxy's, so apply the allowlist at the proxy instead
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


