CVE-2023-37543 in Cacti
Summary
by MITRE • 08/10/2023
Cacti before 1.2.6 allows IDOR (Insecure Direct Object Reference) for accessing any graph via a modified local_graph_id parameter to graph_xport.php. This is a different vulnerability than CVE-2019-16723.
Analysis
by VulDB Data Team • 01/18/2026
CVE-2023-37543 is a critical insecure direct object reference (IDOR) flaw in the Cacti network monitoring platform, affecting version 1.2.5 and earlier. The affected component is graph_xport.php, which handles graph export. The endpoint does not verify that the requesting user is authorized for the graph it is asked to export, so graph data that should be restricted to authenticated users with the appropriate permissions becomes reachable without them. The root cause is insufficient input validation combined with a missing access-control check on the referenced object.
Technically, graph_xport.php accepts the local_graph_id parameter without checking it against the requesting user's authorization scope. Any graph in the system can therefore be referenced simply by changing that parameter value in the request. This maps to CWE-284 (Improper Access Control), which covers access-control mechanisms that let users reach resources they are not permitted to access. The underlying assumption in the code is that a legitimate user will only supply identifiers they are entitled to; the application never validates the referenced object against the user's permissions.
The operational impact is significant for organizations that rely on Cacti for network monitoring and performance tracking. An attacker who exploits the flaw can read sensitive performance data, including bandwidth usage patterns, system resource utilization and other infrastructure metrics that would normally be restricted to authorized personnel. That data can reveal the organization's network architecture, point to vulnerable systems and give an attacker intelligence for further attacks. In CIA-triad terms the vulnerability affects confidentiality and integrity, because data is accessed without any authentication or authorization check.
The immediate mitigation is to upgrade to Cacti 1.2.6 or later, where the issue is patched. Organizations should also review their access-control policies and confirm that every endpoint handling sensitive data enforces proper authentication and authorization. Network segmentation, together with monitoring for unusual access patterns against the graph export endpoint, can help detect exploitation attempts. More generally, validating and sanitizing all user-supplied parameters, and checking every referenced object against the caller's permissions, prevents the same class of bug from appearing in other components. The vulnerability illustrates the importance of secure coding practices and correct access-control implementation as described in the OWASP Top Ten and in the privilege escalation and credential access techniques of the MITRE ATT&CK framework.
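The analysis above recommends monitoring for unusual access patterns against the graph export endpoint. The following added example (not code from Cacti or VulDB) shows one way to do that: it parses constructed Apache-style access-log lines and flags clients that export many distinct local_graph_id values within a short window, the access pattern an IDOR enumeration of graph_xport.php would produce. The log lines, IP addresses, paths and thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (Apache combined format); not from a real Cacti host.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Aug/2023:10:00:01 +0000] "GET /cacti/graph_xport.php?local_graph_id=12&rra_id=0 HTTP/1.1" 200 5120
10.0.0.9 - - [10/Aug/2023:10:00:01 +0000] "GET /cacti/graph_view.php?action=tree HTTP/1.1" 200 20481
10.0.0.5 - - [10/Aug/2023:10:00:02 +0000] "GET /cacti/graph_xport.php?local_graph_id=13&rra_id=0 HTTP/1.1" 200 5098
10.0.0.5 - - [10/Aug/2023:10:00:02 +0000] "GET /cacti/graph_xport.php?local_graph_id=14&rra_id=0 HTTP/1.1" 200 4990
10.0.0.5 - - [10/Aug/2023:10:00:03 +0000] "GET /cacti/graph_xport.php?local_graph_id=15&rra_id=0 HTTP/1.1" 200 5011
10.0.0.5 - - [10/Aug/2023:10:00:04 +0000] "GET /cacti/graph_xport.php?local_graph_id=16&rra_id=0 HTTP/1.1" 200 5033
10.0.0.9 - - [10/Aug/2023:10:05:30 +0000] "GET /cacti/graph_xport.php?local_graph_id=12&rra_id=0 HTTP/1.1" 200 5120
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
GRAPH_ID_RE = re.compile(r"[?&]local_graph_id=(\d+)")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_export_requests(log_text):
    """Return (client_ip, timestamp, local_graph_id) for every graph_xport.php request."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or "graph_xport.php" not in m["path"]:
            continue
        g = GRAPH_ID_RE.search(m["path"])
        if g:
            hits.append((m["ip"], datetime.strptime(m["ts"], TS_FMT), int(g.group(1))))
    return hits


def find_enumerating_clients(hits, window=timedelta(seconds=60), threshold=5):
    """Flag clients that export >= threshold distinct graph ids inside any sliding window."""
    by_ip = defaultdict(list)
    for ip, ts, gid in hits:
        by_ip[ip].append((ts, gid))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # drop events that fell out of the window
            ids = {gid for _, gid in events[start:end + 1]}
            if len(ids) >= threshold:
                flagged[ip] = sorted(ids)
                break
    return flagged
```

Tune `window` and `threshold` to the normal export volume of your own dashboards; a single user legitimately exporting a handful of graphs should stay below the threshold, while a sweep across identifiers should not.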