External risk intelligence

Cacti LFI Vulnerability Affects Unauthenticated Users

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-39938

Cacti is a web-based network monitoring and management framework. Such applications are commonly deployed as web interfaces reachable over the network to allow administrators to monitor infrastructure, making them frequently accessible as web services within operational environments.

Path Traversal

Cacti

before 1.2.31

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory addresses a critical vulnerability in Cacti, an open-source framework used for performance and fault management. The flaw allows unauthenticated access, potentially leading to significant system compromise. Confirming whether your organization utilizes Cacti is the primary concern.

  • Unauthenticated access to a network management system.
  • Affects systems that monitor performance and faults.
  • Confirm Cacti use to assess potential exposure.

Attack Path

How an attacker could exploit the issue

Attackers can exploit this vulnerability by targeting the Cacti web interface, which is often exposed to the network. An unauthenticated attacker can leverage specially crafted requests to read sensitive files on the server. This could allow an attacker to execute arbitrary code, leading to a complete system compromise.

  • No authentication required.
  • Triggered via graph theme or RRDtool.
  • Leads to remote code execution.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to read arbitrary files from the server or execute arbitrary commands. This could occur when Cacti is deployed and exposed to the network and specific conditions related to graph theming or RRDtool IPC serialization are met, potentially impacting system integrity and data confidentiality.

  • Arbitrary file read or command execution.
  • Unauthenticated access over the network.
  • Compromise of system integrity and data.

Operational Fix

Recommended remediation, mitigation, and detection steps

Application owners or infrastructure teams are likely responsible for addressing this vulnerability, as Cacti is a web-based performance and fault management framework. The first practical step involves identifying all Cacti installations, assessing their reachability and criticality to business operations, and then locating the accountable owner to plan remediation.

  • Own by application or infrastructure teams.
  • Verify installation reachability and business impact.
  • Plan remediation based on identified risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Cacti and what is it used for?

Cacti is an open-source web application designed for network performance and fault management. It provides a visual interface that administrators use to monitor, collect, and graph data from infrastructure devices like routers, switches, and servers.

What does CVE-2026-39938 mean in plain English?

This CVE refers to a vulnerability known as Local File Inclusion (LFI), classified as CWE-22. It allows an attacker to trick the Cacti software into reading files on the server that should be restricted. Because this also involves issues with how Cacti handles specific data processes, it can escalate to unauthorized command execution.

How can an attacker trigger this vulnerability?

An attacker triggers this by sending specifically crafted network requests to the Cacti web interface. The issue relies on manipulating the graph_theme settings or RRDtool IPC serialization. If these specific components are not actively used or are properly isolated, the attack vector may be harder to initiate, but the core vulnerability remains present in the code.

Is my Cacti instance at risk?

According to Halo Surface Signal, Cacti is frequently deployed as a web-based service accessible over the network for monitoring purposes. If your instance is reachable via the network, it is a primary target. You should prioritize assessing any Cacti installations that are exposed to your internal network or the public internet.

What should I do first if I run Cacti?

Your first step is to perform an inventory to locate all active Cacti installations within your environment. Once identified, verify their network reachability. Then, coordinate with the responsible infrastructure team to plan an update to version 1.2.31 or later, which resolves this security flaw.

References