CVE-2020-7237
Description
Cacti 1.2.8 allows Remote Code Execution (by privileged users) via shell metacharacters in the Performance Boost Debug Log field of poller_automation.php. OS commands are executed when a new poller cycle begins. The attacker must be authenticated, and must have access to modify the Performance Settings of the product.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Cacti/Cacti
  - Range: <=1.2.8
- osv-coords (7 versions, each listed with its fixed-before range; no CPE):
  - pkg:rpm/opensuse/cacti&distro=openSUSE%20Leap%2015.1 range: < 1.2.9-lp151.3.3.1
  - pkg:rpm/opensuse/cacti&distro=openSUSE%20Tumbleweed range: < 1.2.18-1.2
  - pkg:rpm/opensuse/cacti-spine&distro=openSUSE%20Leap%2015.1 range: < 1.2.9-lp151.3.3.1
  - pkg:rpm/suse/cacti&distro=SUSE%20Package%20Hub%2012 range: < 1.2.11-5.1
  - pkg:rpm/suse/cacti&distro=SUSE%20Package%20Hub%2015%20SP1 range: < 1.2.9-bp151.4.3.1
  - pkg:rpm/suse/cacti-spine&distro=SUSE%20Package%20Hub%2012 range: < 1.2.11-2.1
  - pkg:rpm/suse/cacti-spine&distro=SUSE%20Package%20Hub%2015%20SP1 range: < 1.2.9-bp151.4.3.1
Patches
Vulnerability mechanics
Root cause
"Missing input validation in the Boost Debug Log field allows shell metacharacters to be passed into a command executed by poller_automation.php."
Attack vector
An authenticated attacker with access to modify Performance Settings navigates to Console → Configuration → Settings → Performance and enters shell metacharacters in the Boost Debug Log field, e.g. `--verbose; cat /etc/passwd > rce.txt` [ref_id=1]. The value is saved even when `$input_whitelisting` is enabled. When a new poller cycle begins, `poller_automation.php` constructs a command such as `/bin/php
Affected code
The vulnerable code path is the poller's invocation of `poller_automation.php`, a script that accepts the command-line arguments `--debug`, `--force`, `--verbose`, `--version` and `--help`. The Performance Boost Debug Log field is intended to hold such arguments, but it is saved without input validation and its raw value is interpolated into the shell command the poller process executes, so a `;` (or any other shell metacharacter) in the stored value terminates the intended command and starts an attacker-chosen one with the poller's privileges [ref_id=1].
What the fix does
No fix commit is included in the bundle. The remediation guidance recommends validating the Boost Debug Log field before it is stored (bounding its length and restricting it to an allowed character set, which excludes shell metacharacters), or replacing the free-text field with a drop-down menu that only permits the intended arguments (`--debug`, `--force`, `--verbose`, `--version`, `--help`) [ref_id=1]. Either way the check must run on the value the poller reads, not only in the browser, since the field is reachable by any user who can modify Performance Settings.
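As an added example (not Cacti's own code and not the project's patch), the concatenation pattern described above is shown beside the whitelist validation the remediation guidance suggests. The page does not show the poller's full command line, so `/bin/php poller_automation.php`, the function names and the 64-character length bound are assumptions chosen for illustration; the payload string is the one from the advisory.

```php
<?php
// Added example for CVE-2020-7237, not Cacti code. Names are illustrative
// assumptions; the command line prefix is assumed, not taken from Cacti.
declare(strict_types=1);

// Arguments the advisory lists as the ones poller_automation.php accepts.
const ALLOWED_POLLER_ARGS = ['--debug', '--force', '--verbose', '--version', '--help'];

/**
 * Vulnerable pattern: the stored setting is appended to the command unchanged,
 * so "--verbose; cat /etc/passwd > rce.txt" runs two commands when the poller
 * cycle executes it.
 */
function build_poller_command_vulnerable(string $setting): string
{
    return '/bin/php poller_automation.php ' . $setting;
}

/**
 * Hardened pattern: bound the length, split on whitespace, accept only tokens
 * that exactly match the whitelist, and quote each surviving token with
 * escapeshellarg() as defence in depth. Returns null when the value is rejected,
 * which the caller should treat as "do not save / do not run".
 */
function build_poller_command_safe(string $setting): ?string
{
    $setting = trim($setting);
    if ($setting === '') {
        return '/bin/php poller_automation.php';
    }
    if (strlen($setting) > 64) {            // assumed length bound
        return null;
    }
    $tokens = preg_split('/\s+/', $setting);
    foreach ($tokens as $token) {
        // Strict comparison: "--verbose;" and "--verbose$(id)" are not in the list.
        if (!in_array($token, ALLOWED_POLLER_ARGS, true)) {
            return null;
        }
    }
    $quoted = array_map('escapeshellarg', $tokens);
    return '/bin/php poller_automation.php ' . implode(' ', $quoted);
}

// Constructed inputs: legitimate values followed by the advisory's payload and
// a variant using command substitution instead of ";".
$inputs = [
    '--verbose',
    '--debug --force',
    '--verbose; cat /etc/passwd > rce.txt',
    '--verbose$(id)',
];

foreach ($inputs as $input) {
    printf("input:      %s\n", $input);
    printf("vulnerable: %s\n", build_poller_command_vulnerable($input));
    $safe = build_poller_command_safe($input);
    printf("hardened:   %s\n\n", $safe ?? 'REJECTED');
}
```

Run with `php example.php`: the first two inputs pass both builders, while the two injection attempts still reach the shell through the vulnerable builder but are returned as REJECTED by the hardened one. The whitelist is the essential control; `escapeshellarg()` alone would not be sufficient here because the setting is a list of separate arguments rather than a single argument.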
Preconditions
- auth: Attacker must be authenticated to the Cacti web interface.
- config: Attacker must have permission to modify Performance Settings.
- config: The poller must execute a new cycle after the payload is saved.
Reproduction
Navigate to Console → Configuration → Settings → Performance. In the Boost Debug Log field, enter `--verbose; cat /etc/passwd > rce.txt` and save. Wait for a new poller cycle to begin, then access `http://cacti/rce.txt` to view the contents of `/etc/passwd` [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.opensuse.org/opensuse-security-announce/2020-03/msg00001.html (MITRE: vendor-advisory, x_refsource_SUSE)
- lists.opensuse.org/opensuse-security-announce/2020-03/msg00005.html (MITRE: vendor-advisory, x_refsource_SUSE)
- lists.opensuse.org/opensuse-security-announce/2020-04/msg00042.html (MITRE: vendor-advisory, x_refsource_SUSE)
- lists.opensuse.org/opensuse-security-announce/2020-04/msg00048.html (MITRE: vendor-advisory, x_refsource_SUSE)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SUSOTOIEJKD2IWJHN7TY56TDZJQZJUVJ/ (MITRE: vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XLZAMGTW2OSIBLYLXWHQBGWP7M4DTRS7/ (MITRE: vendor-advisory, x_refsource_FEDORA)
- security.gentoo.org/glsa/202003-40 (MITRE: vendor-advisory, x_refsource_GENTOO)
- ctrsec.io/index.php/2020/01/25/cve-2020-7237-remote-code-execution-in-cacti-rrdtool/ (MITRE: x_refsource_MISC)
- github.com/Cacti/cacti/issues/3201 (MITRE: x_refsource_MISC)
News mentions
No linked articles in our index yet.