CVE-2022-46169
Confirmed PUBLISHEDUnauthenticated Command Injection
Recommended Action
Prioritize immediate patching and validate internet-facing exposure. Monitor for matching exploitation attempts in your environment.
At a Glance
Cacti is an open source platform which provides a robust and extensible operational monitoring and fault management framework for users. In affected versions a command injection vulnerability allows an unauthenticated user to execute arbitrary code on a server running Cacti, if a specific data source was selected for any monitored device. The vulnerability resides in the `remote_agent.php` file. This file can be accessed without authentication. This function retrieves the IP address of the client via `get_client_addr` and resolves this IP address to the corresponding hostname via `gethostbyaddr`. After this, it is verified that an entry within the `poller` table exists, where the hostname corresponds to the resolved hostname. If such an entry was found, the function returns `true` and the client is authorized. This authorization can be bypassed due to the implementation of the `get_client_addr` function. The function is defined in the file `lib/functions.php` and checks serval `$_SERVER` variables to determine the IP address of the client. The variables beginning with `HTTP_` can be arbitrarily set by an attacker. Since there is a default entry in the `poller` table with the hostname of the server running Cacti, an attacker can bypass the authentication e.g. by providing the header `Forwarded-For: `. This way the function `get_client_addr` returns the IP address of the server running Cacti. The following call to `gethostbyaddr` will resolve this IP address to the hostname of the server, which will pass the `poller` hostname check because of the default entry. After the authorization of the `remote_agent.php` file is bypassed, an attacker can trigger different actions. One of these actions is called `polldata`. The called function `poll_for_data` retrieves a few request parameters and loads the corresponding `poller_item` entries from the database. If the `action` of a `poller_item` equals `POLLER_ACTION_SCRIPT_PHP`, the function `proc_open` is used to execute a PHP script. The attacker-controlled parameter `$poller_id` is retrieved via the function `get_nfilter_request_var`, which allows arbitrary strings. This variable is later inserted into the string passed to `proc_open`, which leads to a command injection vulnerability. By e.g. providing the `poller_id=;id` the `id` command is executed. In order to reach the vulnerable call, the attacker must provide a `host_id` and `local_data_id`, where the `action` of the corresponding `poller_item` is set to `POLLER_ACTION_SCRIPT_PHP`. Both of these ids (`host_id` and `local_data_id`) can easily be bruteforced. The only requirement is that a `poller_item` with an `POLLER_ACTION_SCRIPT_PHP` action exists. This is very likely on a productive instance because this action is added by some predefined templates like `Device - Uptime` or `Device - Polling Time`. This command injection vulnerability allows an unauthenticated user to execute arbitrary commands if a `poller_item` with the `action` type `POLLER_ACTION_SCRIPT_PHP` (`2`) is configured. The authorization bypass should be prevented by not allowing an attacker to make `get_client_addr` (file `lib/functions.php`) return an arbitrary IP address. This could be done by not honoring the `HTTP_...` `$_SERVER` variables. If these should be kept for compatibility reasons it should at least be prevented to fake the IP address of the server running Cacti. This vulnerability has been addressed in both the 1.2.x and 1.3.x release branches with `1.2.23` being the first release containing the patch.
- CVE Published
- Dec 05, 2022
- Exploitation Reported
- Feb 16, 2023
- CVSS
- 9.8 Critical
- EPSS
- 99.8%
Affected Versions
| Vendor | Product | Version | Status |
|---|---|---|---|
| cacti |
cacti
|
- to < 1.2.23 |
Affected |
| Cacti |
cacti
|
< 1.2.23 |
Affected |
CVE References
- https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf github.com · CVE Record https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf
- https://github.com/Cacti/cacti/commit/7f0e16312dd5ce20f93744ef8b9c3b0f1ece2216 github.com · CVE Record https://github.com/Cacti/cacti/commit/7f0e16312dd5ce20f93744ef8b9c3b0...
- https://github.com/Cacti/cacti/commit/a8d59e8fa5f0054aa9c6981b1cbe30ef0e2a0ec9 github.com · CVE Record https://github.com/Cacti/cacti/commit/a8d59e8fa5f0054aa9c6981b1cbe30e...
- https://github.com/Cacti/cacti/commit/b43f13ae7f1e6bfe4e8e56a80a7cd867cf2db52b github.com · CVE Record https://github.com/Cacti/cacti/commit/b43f13ae7f1e6bfe4e8e56a80a7cd86...
Recommended Actions
- Prioritize immediate patching and validate internet-facing exposure. Monitor for matching exploitation attempts in your environment.
- Review sensor telemetry for request paths, attacker IPs, and payload patterns that may inform detection and exposure validation.
- Check enrichment artifacts for scanner coverage and available PoCs before rolling remediation validation.
- Use the Pro API to automate enrichment, telemetry, and workflow delivery for VM, SOC, and CTI pipelines.
Known Exploited Vulnerability Sources
Catalogues that list this CVE as a known exploited vulnerability.
Per-source evidence links for KEV attestations are available through the KEVIntel Pro API.
Learn about Pro API access| Source | Added |
|---|---|
| CISA First | 2023-02-16 00:00 UTC |
| The Shadowserver | 2026-07-03 00:00 UTC |
| KEVIntel | 2026-07-10 03:25 UTC |
Operational indicators for this CVE are listed on the Detection tab.
Observed Exploitation Attempts
Exploitation attempts against this vulnerability observed first-hand by KEVIntel private honeypots over the last 30 days.
- Attempts Observed
- 4
- Unique Attacker IPs
- 3
- Attacker Countries
- 🇯🇵 🇲🇩 🇳🇱
- Sensors Observed
- 3
Exploitation Attempts Over the Last 11 Days
First observed (all time) 2026-07-10 03:21 UTC · Last observed 2026-07-18 23:04 UTC
See more exploitation detail
- Pro — sensor software/region breakdown and 24h/7d window summaries.
- Enterprise — raw attacker IPs, request paths, User-Agents, and payloads.
Indicators of Compromise (IoCs)
Attacker IP IoCs observed in KEVIntel sensors are available to Pro and Enterprise accounts on the Detection tab and through the Pro API.
Learn about Pro API accessObserved Detection Signals (30d)
Aggregate counts from KEVIntel sensor telemetry for this CVE.
- Distinct request paths
- 1
- Distinct User-Agents
- 3
The specific request paths and User-Agents attackers are using are available on Pro and Enterprise plans.
Scanner Artifacts
Nuclei and Metasploit references linked to this CVE.
| Scanner | Reference | Detected |
|---|---|---|
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2022/CVE-2022-46169.yaml | Apr 25, 2025 |
| Metasploit | https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/cacti_unauthenticated_cmd_injection.rb | Apr 28, 2025 |
Virtual Patch
Compensating WAF rules to help reduce exposure to this CVE. Rule content and deployable vendor exports are available with KEVIntel Enterprise.
KEVIntel does not currently have a virtual patch for this CVE. When available, KEVIntel virtual patches ship as deployable ModSecurity, Cloudflare, and AWS WAF rules.
Enterprise feature. Virtual patch rule content and deployable vendor exports (ModSecurity, Cloudflare, AWS WAF) are available to KEVIntel Enterprise users.
CVSS Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitation Status
Exploited in the wild
Recorded 2023-02-16 00:00:00 UTC · CISA
Active exploitation observed
Recorded 2026-07-10 03:21:08 UTC · KEVIntel sensor
Proof of concept available
Recorded 2022-12-08 01:52:13 UTC · GitHub
Weaknesses (CWE)
-
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
-
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
-
Incorrect Authorization
Scanner Integrations
| Scanner | Reference | Detected |
|---|---|---|
| Metasploit | https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/cacti_unauthenticated_cmd_injection.rb | Apr 28, 2025 |
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2022/CVE-2022-46169.yaml | Apr 25, 2025 |
Potential Proof of Concepts
These PoCs are unverified and could contain malware. Use at your own risk.
github · Created 2023-05-01 20:00:23 UTC · 41 stars
This is a exploit of CVE-2022-46169 to cacti 1.2.22. This exploit allows through an RCE to obtain a reverse shell on your computer.
github · Created 2023-05-01 14:29:28 UTC · 2 stars
Exploit for cacti version 1.2.22
github · Created 2023-04-13 08:55:08 UTC · 3 stars
Fixed exploit for CVE-2022-46169 (originally from https://www.exploit-db.com/exploits/51166)
github · Created 2023-04-07 23:40:53 UTC · 2 stars
Unauthenticated Remote Code Execution through authentication bypass and command injection in Cacti < 1.2.23 and < 1.3.0
github · Created 2023-01-16 10:21:26 UTC · 3 stars
RCE POC for CVE-2022-46169
github · Created 2023-01-15 22:46:52 UTC · 2 stars
Cacti: Unauthenticated Remote Code Execution Exploit in Ruby
github · Created 2023-01-13 05:37:56 UTC · 10 stars
Exploit to CVE-2022-46169 vulnerability
github · Created 2023-01-05 16:56:06 UTC · 30 stars
PoC for CVE-2022-46169 - Unauthenticated RCE on Cacti <= 1.2.22
github · Created 2023-01-02 18:03:26 UTC · 3 stars
Cacti Unauthenticated Command Injection
github · Created 2022-12-16 16:16:35 UTC · 1 stars
CVE-2022-46169 - Cacti Blind Remote Code Execution (Pre-Auth)
github · Created 2022-12-08 01:52:13 UTC · 48 stars
CVE-2022-46169 Cacti remote_agent.php Unauthenticated Command Injection.
nuclei · Created Unknown
metasploit · Created Unknown
Metasploit module for CVE-2022-46169
Timeline
Key exploitation, disclosure, scanner coverage, and KEV attestation events for this CVE.
-
03:21 UTC 9 days ago03:21 UTC · 9 days ago
Observed by KEVIntel sensors
Evidence-backed exploitation signal
-
03:21 UTC 9 days ago03:21 UTC · 9 days ago
Indicators of compromise added (3)
Indicators of compromise recorded
-
00:00 UTC 16 days ago00:00 UTC · 16 days ago
KEV confirmed by The Shadowserver
Exploitation attested by an external source
-
15:02 UTC about 1 year ago15:02 UTC · about 1 year ago
Metasploit module available
Exploit module available
-
00:00 UTC about 1 year ago00:00 UTC · about 1 year ago
Nuclei template available
Scanner coverage available
-
00:00 UTC over 3 years ago00:00 UTC · over 3 years ago
Added to CISA KEV
Listed in the CISA Known Exploited Vulnerabilities catalog
-
01:52 UTC over 3 years ago01:52 UTC · over 3 years ago
Public PoC available
Public proof-of-concept code published
-
20:48 UTC over 3 years ago20:48 UTC · over 3 years ago
CVE published
Vulnerability disclosed publicly
-
17:27 UTC over 3 years ago17:27 UTC · over 3 years ago
CVE ID reserved
Identifier reserved by the CNA
Automate This Intelligence with the Pro API
Confidence scoring, exploit status, sensor telemetry, PoCs, scanner integrations, mentions, and tags are available programmatically for VM, SOC, and CTI workflows.
Pro API Example
GET /api/v2/pro/kevs/CVE-2022-46169
{
"cve_id": "CVE-2022-46169",
"title": "Unauthenticated Command Injection",
"affected_vendor": "Cacti",
"affected_product": "cacti",
"affected_versions": [
{ "vendor": "...", "product": "...", "status": "affected", "display_label": "..." }
],
"confidence": "Confirmed",
"cvss_score": 9.8,
"epss_score": 0.99826,
"exploit_status": {
"exploited_in_the_wild": true,
"active_exploitation_observed": true
},
"sensor_telemetry": { "...": "Pro API fields" },
"proof_of_concepts": [ "..." ],
"scanner_integrations": [ "..." ]
}