More than 1,600 instances of the Internet-accessible device monitoring tool Cacti are vulnerable to a critical security issue that hackers have already begun to exploit.
Cacti is an operational monitoring and fault management solution for network devices that also provides graphical visualization. Thousands of instances deployed around the world are exposed on the web.
In early December 2022, a security advisory warned of a critical command injection vulnerability (tracked as CVE-2022-46169, severity rating 9.8 out of 10) in Cacti that could be exploited without authentication.
The developer released an update that fixes the vulnerability, along with guidance on preventing command injection and permission bypassing.
Technical details about the flaw and how it could be exploited began to emerge the same month, along with proof-of-concept (PoC) exploit code that could be weaponized for attacks.
On January 3, SonarSource, a company that provides code quality and security products, published a technical write-up of their discovery and a short video demonstrating the vulnerability.
On the same day, security researchers at The Shadowserver Foundation observed exploitation attempts that delivered malware.
Initially, the exploits installed botnet malware such as Mirai. Another payload was a Perl-based IRC botnet, which opened a reverse shell on the host and instructed it to run port scans. The most recent attacks only verify that the vulnerability is present.
According to data collected by Shadowserver researchers, attempts to exploit the CVE-2022-46169 vulnerability in Cacti have increased over the past week, although the total count currently stands at fewer than two dozen.
According to a report by Censys, an attack surface research platform for Internet-connected devices, 6,427 Cacti hosts are exposed on the web. However, it is not possible to determine for every host whether it is running a vulnerable version or has already been updated.
The company was nonetheless able to count 1,637 web-accessible Cacti hosts that were vulnerable to CVE-2022-46169, many of which (465) were running version 1.1.38 of the monitoring solution, released in April 2021.
Of all the Cacti hosts for which Censys was able to determine the version number, only 26 were running an updated version that was not vulnerable to the critical flaw.
From an attacker's perspective, gaining access to an organization's Cacti instance provides the ability to learn about the types of devices on the network and their local IP addresses.
This type of information is a boon for hackers, who obtain an accurate view of the network and of the hosts they can attack to establish a foothold or move on to more valuable systems.