CVE-2020-8813

Name: CVE-2020-8813
Creator: NVD / NIST
Published: 2020-02-22T02:15:10.553+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 8.8/10EPSS 73.78%

Last modified Jun 17, 2026

CVE-2020-8813 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has the graph real-time privilege.. EPSS estimates a 73.78% chance of exploitation in the next 30 days.

Description

graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has the graph real-time privilege.

Metrics

CVSS 3.1

8.8/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

73.78%

99.4th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-78

Affected Software

Vendor	Product	Versions
Cacti	Cacti	1.2.8
Fedoraproject	Fedora	30
Fedoraproject	Fedora	31
Fedoraproject	Fedora	32
Opmantek	Open-Audit	3.3.1
Opensuse	Suse Package Hub	All versions
Debian	Debian Linux	10.0

References

http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00042.htmlMailing List, Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00048.htmlExploit, Third Party Advisory
http://packetstormsecurity.com/files/156537/Cacti-1.2.8-Unauthenticated-Remote-Code-Execution.htmlThird Party Advisory, VDB Entry
http://packetstormsecurity.com/files/156538/Cacti-1.2.8-Authenticated-Remote-Code-Execution.htmlThird Party Advisory, VDB Entry
http://packetstormsecurity.com/files/156593/Cacti-1.2.8-Unauthenticated-Remote-Code-Execution.htmlThird Party Advisory, VDB Entry
http://packetstormsecurity.com/files/157477/Open-AudIT-Professional-3.3.1-Remote-Code-Execution.htmlThird Party Advisory, VDB Entry
https://drive.google.com/file/d/1A8hxTyk_NgSp04zPX-23nPbsSDeyDFio/viewExploit, Third Party Advisory
https://gist.github.com/mhaskar/ebe6b74c32fd0f7e1eedf1aabfd44129Exploit, Third Party Advisory
https://github.com/Cacti/cacti/issues/3285Issue Tracking, Third Party Advisory
https://github.com/Cacti/cacti/releasesRelease Notes
https://lists.debian.org/debian-lts-announce/2022/12/msg00039.htmlMailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M77SS33IDVNGBU566TK2XVULPW3RXUQ4/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAX3LDXPIKWNBGVZSIMZV7LI5K6BZRTO/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XEMDQXDRNQYXOME7TACKDVCXZXZNGZE2/
https://security.gentoo.org/glsa/202004-16Third Party Advisory
https://shells.systems/cacti-v1-2-8-authenticated-remote-code-execution-cve-2020-8813/Exploit, Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00042.htmlMailing List, Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00048.htmlExploit, Third Party Advisory
http://packetstormsecurity.com/files/156537/Cacti-1.2.8-Unauthenticated-Remote-Code-Execution.htmlThird Party Advisory, VDB Entry
http://packetstormsecurity.com/files/156538/Cacti-1.2.8-Authenticated-Remote-Code-Execution.htmlThird Party Advisory, VDB Entry
http://packetstormsecurity.com/files/156593/Cacti-1.2.8-Unauthenticated-Remote-Code-Execution.htmlThird Party Advisory, VDB Entry
http://packetstormsecurity.com/files/157477/Open-AudIT-Professional-3.3.1-Remote-Code-Execution.htmlThird Party Advisory, VDB Entry
https://drive.google.com/file/d/1A8hxTyk_NgSp04zPX-23nPbsSDeyDFio/viewExploit, Third Party Advisory
https://gist.github.com/mhaskar/ebe6b74c32fd0f7e1eedf1aabfd44129Exploit, Third Party Advisory
https://github.com/Cacti/cacti/issues/3285Issue Tracking, Third Party Advisory
https://github.com/Cacti/cacti/releasesRelease Notes
https://lists.debian.org/debian-lts-announce/2022/12/msg00039.htmlMailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M77SS33IDVNGBU566TK2XVULPW3RXUQ4/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAX3LDXPIKWNBGVZSIMZV7LI5K6BZRTO/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XEMDQXDRNQYXOME7TACKDVCXZXZNGZE2/
https://security.gentoo.org/glsa/202004-16Third Party Advisory
https://shells.systems/cacti-v1-2-8-authenticated-remote-code-execution-cve-2020-8813/Exploit, Third Party Advisory

Timeline

Published: Feb 22, 2020
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2020-8813?

graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has the graph real-time privilege.

How severe is CVE-2020-8813?

CVE-2020-8813 has a CVSS score of 8.8/10 (HIGH severity). The EPSS model estimates a 73.78% probability of exploitation in the next 30 days.

How do I fix CVE-2020-8813?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2020-8813?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST