CVE-2014-2328 in Cacti
Summary
by MITRE
lib/graph_export.php in Cacti 0.8.7g, 0.8.8b, and earlier allows remote authenticated users to execute arbitrary commands via shell metacharacters in unspecified vectors.
Analysis
by VulDB Data Team • 05/11/2026
The vulnerability identified as CVE-2014-2328 resides within the Cacti network monitoring platform, specifically in the lib/graph_export.php component. This issue affects versions 0.8.7g, 0.8.8b, and earlier releases, representing a critical security flaw that enables remote authenticated attackers to execute arbitrary commands on the affected system. The vulnerability stems from improper input validation and sanitization within the graph export functionality, creating a command injection vector that can be exploited by malicious users with valid credentials.
The technical flaw manifests through the handling of shell metacharacters within unspecified vectors that are processed by the graph_export.php script. When authenticated users interact with the graph export feature, the application fails to properly sanitize user-supplied input before incorporating it into system commands. This oversight allows attackers to inject shell commands that are subsequently executed with the privileges of the web server process. The flaw therefore turns ordinary authenticated access into remote code execution on the target system, with no separate privilege escalation step required to run commands as the web server user.
The operational impact of this vulnerability is severe and multifaceted, as it provides attackers with a pathway to gain full control over the affected Cacti server. Once exploited, the attacker can execute arbitrary commands, potentially leading to data exfiltration, system compromise, or further lateral movement within the network. The vulnerability affects network monitoring infrastructure that is often critical to organizational security operations, making it particularly attractive to threat actors seeking persistent access to target environments. Exploitation is remote, so attackers do not require physical access to the system, although the need for valid credentials sets a higher barrier to entry than a fully unauthenticated remote exploit.
Organizations utilizing affected versions of Cacti should immediately implement mitigations including applying the vendor-provided security patches, restricting network access to the Cacti application, and implementing proper input validation controls. The vulnerability aligns with CWE-77 and CWE-78 categories, which specifically address command injection flaws and improper neutralization of special elements used in OS commands. From an ATT&CK framework perspective, this vulnerability maps to techniques involving command and scripting interpreter execution, privilege escalation, and persistence mechanisms. Network segmentation and access controls should be strengthened to limit the blast radius of potential exploitation, while regular security assessments should verify that all patched components are properly deployed across the organization's monitoring infrastructure.
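The following PHP is an added illustration of the flaw class described in the analysis above and of the input validation controls recommended here; it is not Cacti's own code, and the function names, the rrdtool invocation and the "export path" parameter are assumptions, since the advisory does not name the actual vector.

```php
<?php
// Hypothetical helper names; the vulnerable parameter is an assumption, not the
// one in lib/graph_export.php. Both functions build an rrdtool command line.

// UNSAFE pattern: a user-controlled value is concatenated into a shell command
// string, so any shell metacharacters it contains are interpreted by /bin/sh.
function export_graph_unsafe(string $rrd_file, string $export_path): void
{
    $cmd = "rrdtool graph " . $export_path
         . " --start -1d DEF:a=" . $rrd_file . ":ds0:AVERAGE LINE1:a#0000FF";
    shell_exec($cmd);
}

// Allowlist check: accept only a plain base name with a fixed extension, so
// separators, quotes and other metacharacters never reach the command line.
function validate_export_name(string $name): ?string
{
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.png\z/', $name)) {
        return null;
    }
    return $name;
}

// HARDENED pattern: validate, confine the target to the export directory, and
// quote every argument with escapeshellarg() so the shell cannot reinterpret it.
function export_graph_safe(string $export_dir, string $rrd_file, string $user_name): bool
{
    $name = validate_export_name($user_name);
    if ($name === null) {
        error_log('graph export rejected: invalid export file name');
        return false;
    }
    $base = realpath($export_dir);
    if ($base === false || !is_dir($base)) {
        error_log('graph export rejected: export directory missing');
        return false;
    }
    $target = $base . DIRECTORY_SEPARATOR . $name;

    $cmd = 'rrdtool graph ' . escapeshellarg($target)
         . ' --start -1d'
         . ' ' . escapeshellarg('DEF:a=' . $rrd_file . ':ds0:AVERAGE')
         . ' ' . escapeshellarg('LINE1:a#0000FF');
    exec($cmd, $output, $status);
    return $status === 0;
}
```

Rejected names are logged, which gives a detection hook for monitoring attempts against the export feature even after the application is patched.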