CVE-2008-0785 in Cacti
Summary
by MITRE
Multiple SQL injection vulnerabilities in Cacti 0.8.7 before 0.8.7b and 0.8.6 before 0.8.6k allow remote authenticated users to execute arbitrary SQL commands via the (1) graph_list parameter to graph_view.php, (2) leaf_id and id parameters to tree.php, (3) local_graph_id parameter to graph_xport.php, and (4) login_username parameter to index.php/login.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 04/12/2025
The vulnerability identified as CVE-2008-0785 represents a critical SQL injection flaw affecting Cacti versions prior to 0.8.7b and 0.8.6k. This vulnerability resides within the web-based monitoring and graphing application Cacti, which is widely used for network monitoring and performance tracking in enterprise environments. The flaw allows authenticated remote attackers to manipulate database queries through specifically crafted input parameters, potentially leading to complete database compromise and unauthorized access to sensitive monitoring data.
The technical implementation of this vulnerability occurs across multiple entry points within the Cacti application, each representing a distinct vector for exploitation. The first attack vector targets the graph_list parameter in graph_view.php, where user input is directly concatenated into SQL queries without proper sanitization or parameterization. The second vector involves the leaf_id and id parameters in tree.php, which similarly fail to validate or escape user-supplied data before incorporating it into database operations. The third vulnerability affects the local_graph_id parameter in graph_xport.php, while the fourth vector targets the login_username parameter in index.php/login, demonstrating the widespread nature of the input validation failures throughout the application's codebase.
The operational impact of this vulnerability extends beyond simple data extraction, as successful exploitation could enable attackers to execute arbitrary SQL commands with the privileges of the database user account. This could result in data manipulation, unauthorized access to monitoring information, potential privilege escalation within the database, and in severe cases, complete system compromise. The authenticated nature of the attack means that an attacker must first obtain valid credentials, but this requirement does not significantly mitigate the risk given that many organizations struggle with credential security and access control management. The vulnerability affects organizations relying on Cacti for network monitoring, potentially exposing critical infrastructure data to unauthorized parties.
Organizations should immediately implement the vendor-provided patches for Cacti versions 0.8.7b and 0.8.6k to address this vulnerability. Additionally, implementing proper input validation and parameterized queries throughout the application codebase would prevent similar issues from occurring in the future. The vulnerability aligns with CWE-89, which specifically addresses SQL injection flaws, and represents a classic example of insecure data handling that could be mitigated through proper application security practices. From an ATT&CK framework perspective, this vulnerability maps to T1190 - Exploit Public-Facing Application and T1078 - Valid Accounts, as it requires legitimate user credentials but exploits weaknesses in application input handling to achieve unauthorized database access. Organizations should also consider implementing network segmentation, database activity monitoring, and regular security assessments to detect and prevent exploitation attempts.