CVE-2005-10004
published 2025-08-30
Priority P2 · 68 · high · 8.8 CVSS 3.1
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS 1.78% (75.5th percentile)
Cacti versions prior to 0.8.6-d contain a remote command execution vulnerability in the graph_view.php script. An authenticated user can inject arbitrary shell commands via the graph_start GET parameter, which is improperly handled during graph rendering. This flaw allows attackers to execute commands on the underlying operating system with the privileges of the web server process, potentially compromising system integrity.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cacti | cacti | < 0.8.6d | 0.8.6d |
| cacti | cacti | >= 0 < 0.8.6d-1 | 0.8.6d-1 |
| cacti | cacti | >= 0 < 0.8.6d-1 | 0.8.6d-1 |
| cacti | cacti | >= 0 < 0.8.6d-1 | 0.8.6d-1 |
| cacti | cacti | >= 0 < 0.8.6d-1 | 0.8.6d-1 |
| debian | cacti | < cacti 0.8.6d-1 (bookworm) | cacti 0.8.6d-1 (bookworm) |
| raxnet | ian_berry_cacti | < 0.8.6-d | 0.8.6-d |
Detection & IOCs
- Monitor HTTP requests to graph_view.php containing shell metacharacters or command injection payloads in the graph_start GET parameter.
- A Metasploit module exists for this vulnerability targeting Cacti graph_view.php; look for exploit framework signatures or known Metasploit user-agent patterns in web server logs against this endpoint.
- Alert on web server child processes (e.g., sh, bash, cmd) spawned by the Cacti web server process, which may indicate successful OS command injection via graph_view.php.
- Exploitation requires an authenticated session; unauthenticated attackers cannot directly exploit this vulnerability. Ensure Cacti authentication controls are enforced and monitor for credential abuse as a precursor.
- All Cacti versions prior to 0.8.6-d are affected. Debian packages fixed in version 0.8.6d-1 across bookworm, bullseye, forky, sid, and trixie.
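The first detection item above, as an added example (not code from this page, Cacti, or any cited source): a scanner for combined-format access logs that flags graph_view.php requests whose graph_start value is not a plain integer after repeated URL-decoding. The integer allowlist, the log format, and the sample lines are assumptions made for the example.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Combined log format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# Assumption: a legitimate graph_start is a signed integer (timestamp or offset).
INT_RE = re.compile(r'-?\d{1,12}')
SHELL_META = set(";|&`$(){}<>\n\r\\'\"")

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so that %253B is seen as ';'."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line):
    """Return alerts for one log line (empty list if nothing to report)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m["target"])
    if not url.path.lower().endswith("/graph_view.php"):
        return []
    alerts = []
    for name, raw in parse_qsl(url.query, keep_blank_values=True):
        if name != "graph_start":
            continue
        value = fully_decode(raw)
        if INT_RE.fullmatch(value):  # fullmatch also rejects a trailing newline
            continue
        meta = sorted(SHELL_META.intersection(value))
        alerts.append({
            "ip": m["ip"], "status": int(m["status"]),
            "value": value, "metachars": meta,
            # Metacharacters present: page on it; merely non-numeric: review.
            "severity": "high" if meta else "review",
        })
    return alerts

def scan(lines):
    return [alert for line in lines for alert in inspect_line(line)]

# Constructed sample lines (not real traffic); PLACEHOLDER stands in for a payload.
SAMPLE_LOG = [
    '192.0.2.10 - - [30/Aug/2025:10:00:01 +0000] "GET /cacti/graph_view.php?action=tree&graph_start=1756548000 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [30/Aug/2025:10:02:13 +0000] "GET /cacti/graph_view.php?graph_start=1756548000%3BPLACEHOLDER_CMD HTTP/1.1" 200 812 "-" "-"',
    '198.51.100.7 - - [30/Aug/2025:10:02:15 +0000] "GET /cacti/graph_view.php?graph_start=1%257CPLACEHOLDER HTTP/1.1" 200 812 "-" "-"',
    '192.0.2.10 - - [30/Aug/2025:10:03:00 +0000] "GET /cacti/index.php?graph_start=x%3By HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [30/Aug/2025:10:04:00 +0000] "GET /cacti/graph_view.php?graph_start=abc HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Matching on "not an integer" rather than on a metacharacter blacklist also catches encodings and characters the blacklist misses; the `review` severity separates malformed but harmless values from ones carrying shell syntax.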
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | | 8.7 | HIGH | |
| vendor_debian | | 8.7 | HIGH | |
Debian
CVE-2005-10004: cacti - Cacti versions prior to 0.8.6-d contain a remote command execution vulnerability...
vendor_debian·2005·CVSS 8.7
Scope: local
bookworm: resolved (fixed in 0.8.6d-1)
bullseye: resolved (fixed in 0.8.6d-1)
forky: resolved (fixed in 0.8.6d-1)
sid: resolved (fixed in 0.8.6d-1)
trixie: resolved (fixed in 0.8.6d-1)
GHSA
GHSA-h78q-4j5r-86xx: Cacti versions prior to 0
ghsa_unreviewed·2025-12-26
CVE-2005-10004 [HIGH] CWE-78 GHSA-h78q-4j5r-86xx: Cacti versions prior to 0
OSV
CVE-2005-10004: Cacti versions prior to 0
osv·2025-08-30·CVSS 8.7
No detection rules found.
Exploit-DB
BZFlag 2.0.4 - undelimited string Denial of Service
exploitdb·2005-12-27
CVE-2005-4584 BZFlag 2.0.4 - undelimited string Denial of Service
by Luigi Auriemma
Exploit-DB
Battle Carry .005 Socket Termination - Denial of Service
exploitdb·2005-11-02
CVE-2005-3493 Battle Carry .005 Socket Termination - Denial of Service
by Luigi Auriemma
Exploit-DB
Glider collectn kill 1.0.0.0 - Buffer Overflow (PoC)
exploitdb·2005-11-02
CVE-2005-3485 Glider collectn kill 1.0.0.0 - Buffer Overflow (PoC)
by Luigi Auriemma
Exploit-DB
FlatFrag 0.3 - Buffer Overflow (Denial of Service) (PoC)
exploitdb·2005-11-02
CVE-2005-3492 FlatFrag 0.3 - Buffer Overflow (Denial of Service) (PoC)
by Luigi Auriemma
Exploit-DB
GO-Global Windows Clients 3.1.0.3270 - Buffer Overflow (PoC)
exploitdb·2005-11-02
CVE-2005-3483 GO-Global Windows Clients 3.1.0.3270 - Buffer Overflow (PoC)
by Luigi Auriemma
Exploit-DB
Scorched 3D 39.1 - Multiple Vulnerabilities (PoC)
exploitdb·2005-11-02
CVE-2005-3488 Scorched 3D 39.1 - Multiple Vulnerabilities (PoC)
by Luigi Auriemma
Exploit-DB
MultiTheftAuto 0.5 patch 1 - Server Crash / MOTD Deletion
exploitdb·2005-09-26
CVE-2005-3064 MultiTheftAuto 0.5 patch 1 - Server Crash / MOTD Deletion
by Luigi Auriemma
Exploit-DB
Chris Moneymakers World Poker Championship 1.0 - Denial of Service
exploitdb·2005-08-17
CVE-2005-2639 Chris Moneymakers World Poker Championship 1.0 - Denial of Service
by Luigi Auriemma
Exploit-DB
netPanzer 0.8 - Remote Denial of Service
exploitdb·2005-07-14
CVE-2005-2295 netPanzer 0.8 - Remote Denial of Service
by Luigi Auriemma
Exploit-DB
Yager 5.24 - Multiple Denial of Service Vulnerabilities
exploitdb·2005-04-14
CVE-2005-1165 Yager 5.24 - Multiple Denial of Service Vulnerabilities
by Luigi Auriemma
Exploit-DB
Scrapland 1.0 - Server Termination Denial of Service
exploitdb·2005-02-28
CVE-2005-0621 Scrapland 1.0 - Server Termination Denial of Service
by Luigi Auriemma
Exploit-DB
Quake 3 Engine - Infostring Crash and Shutdown
exploitdb·2005-02-12
CVE-2005-0430 Quake 3 Engine - Infostring Crash and Shutdown
by Luigi Auriemma
Exploit-DB
Armagetron Advanced 0.2.7.0 - Server Crash
exploitdb·2005-02-10
CVE-2005-0370 Armagetron Advanced 0.2.7.0 - Server Crash
by Luigi Auriemma
Exploit-DB
Xpand Rally 1.0.0.0 (Server/Clients) - Crash
exploitdb·2005-01-31
CVE-2005-0325 Xpand Rally 1.0.0.0 (Server/Clients) - Crash
by Luigi Auriemma
Exploit-DB
Breed patch #1 - Zero-Length Remote Crash
exploitdb·2005-01-13
CVE-2005-0382 Breed patch #1 - Zero-Length Remote Crash
by Luigi Auriemma
Exploit-DB
SOLDNER Secret Wars 30830 - Denial of Service
exploitdb·2005-01-04
CVE-2005-0280 SOLDNER Secret Wars 30830 - Denial of Service
by Luigi Auriemma
Metasploit
Cacti graph_view.php Remote Command Execution
metasploit
This module exploits an arbitrary command execution vulnerability in the Raxnet Cacti 'graph_view.php' script. All versions of Raxnet Cacti prior to 0.8.6-d are vulnerable.
- https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/cacti_graphimage_exec.rb
- https://web.archive.org/web/20050305034552/http://www.cacti.net/cactid_download.php
- https://www.cacti.net/info/downloads
- https://www.exploit-db.com/exploits/16881
- https://www.exploit-db.com/exploits/9911
- https://www.vulncheck.com/advisories/cacti-graph-view-rce
Published: 2025-08-30