Most Cacti installations on the Internet are not fixed and are vulnerable to a critical RCE error, which is actively exploited during real attacks.

Cacti, an open source web-based tool for operational monitoring and fault management, is an interface application for the RRDTool data logging utility.

In early December 2022, the maintainers of the tool announced fixes for CVE-2022-46169 with a CVSS score of 9.8, allowing attackers to execute code on a server without authentication on which Cacti is running.

The bug was fixed on December 5, the same day it was discovered by SonarSource researchers.

A few days after SonarSource published a technical analysis of CVE-2022-46169 on January 3, Shadowserver warned that it had recorded the first exploitation attempts to implement remote commands without authentication, aimed at vulnerability, including subsequent malware downloads.

Censys resellers reported that of the 6,400 Cacti hosts it found available on the Internet, only 26 had a patched version of the tool installed. Most of the vulnerable servers are located in Brazil, Indonesia and the USA.

As the exploitation of this vulnerability continues, users are advised to update Cacti to the corrected version as soon as possible.