cbcvebase.
CVE-2005-10004
published 2025-08-30

CVE-2005-10004: Cacti versions prior to 0.8.6-d contain a remote command execution vulnerability in the graph_view.php script. An authenticated user can inject arbitrary shell…

PriorityP268high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EXPLOIT
EPSS
1.78%
75.5th percentile
Cacti versions prior to 0.8.6-d contain a remote command execution vulnerability in the graph_view.php script. An authenticated user can inject arbitrary shell commands via the graph_start GET parameter, which is improperly handled during graph rendering. This flaw allows attackers to execute commands on the underlying operating system with the privileges of the web server process, potentially compromising system integrity.

Affected

7 ranges
VendorProductVersion rangeFixed in
cacticacti< 0.8.6d0.8.6d
cacticacti>= 0 < 0.8.6d-10.8.6d-1
cacticacti>= 0 < 0.8.6d-10.8.6d-1
cacticacti>= 0 < 0.8.6d-10.8.6d-1
cacticacti>= 0 < 0.8.6d-10.8.6d-1
debiancacti< cacti 0.8.6d-1 (bookworm)cacti 0.8.6d-1 (bookworm)
raxnetian_berry_cacti< 0.8.6-d0.8.6-d

Detection & IOCsextracted from sources · hover to see the quote

pathgraph_view.php
othergraph_start (GET parameter)
  • Monitor HTTP requests to graph_view.php containing shell metacharacters or command injection payloads in the graph_start GET parameter.
  • A Metasploit module exists for this vulnerability targeting Cacti graph_view.php; look for exploit framework signatures or known Metasploit user-agent patterns in web server logs against this endpoint.
  • Alert on web server child processes (e.g., sh, bash, cmd) spawned by the Cacti web server process, which may indicate successful OS command injection via graph_view.php.
  • ·Exploitation requires an authenticated session; unauthenticated attackers cannot directly exploit this vulnerability. Ensure Cacti authentication controls are enforced and monitor for credential abuse as a precursor.
  • ·All Cacti versions prior to 0.8.6-d are affected. Debian packages fixed in version 0.8.6d-1 across bookworm, bullseye, forky, sid, and trixie.

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv4.08.7HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
osv8.7HIGH
vendor_debian8.7HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.