CVE-2024-25641
published 2024-05-14

Priority: P2
CVSS 3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 86.30% (99.7th percentile)
Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, an arbitrary file write vulnerability, exploitable through the "Package Import" feature, allows authenticated users holding the "Import Templates" permission to execute arbitrary PHP code on the web server. The vulnerability is located in the `import_package()` function defined in the `/lib/import.php` script. The function blindly trusts the filename and file content provided within the XML package data and writes those files into the Cacti base path, or even outside it, since path traversal sequences are not filtered. This can be exploited to write or overwrite arbitrary files on the web server, leading to execution of arbitrary PHP code or other security impacts. Version 1.2.27 contains a patch for this issue.
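The description above says `import_package()` joins the file name taken from the package XML straight onto the Cacti base path. The Python below is an added example, not Cacti's code and not the 1.2.27 patch: it parses a constructed package whose file entries carry a name and base64 content (that layout is an assumption made for illustration), shows the unchecked join that lets `../` escape the base path, and beside it a containment check that resolves the target with realpath, requires it to stay under the base path and inside an allowed subdirectory (the `resource/` and `scripts/` names are assumptions), and refuses executable extensions. The base path `/var/www/html/cacti` is the one listed in the IOCs further down the page.

```python
import base64
import os
import xml.etree.ElementTree as ET

# Constructed sample package. The <files>/<file>/<name>,<data> layout is an
# assumption made for this example; it is not a real Cacti package.
SAMPLE_PACKAGE_XML = b"""<?xml version="1.0"?>
<xml>
  <files>
    <file>
      <name>resource/snmp_queries/example.xml</name>
      <data>%s</data>
    </file>
    <file>
      <name>resource/shell.php</name>
      <data>%s</data>
    </file>
    <file>
      <name>../../../../tmp/evil.php</name>
      <data>%s</data>
    </file>
  </files>
</xml>
""" % (
    base64.b64encode(b"<query>harmless template data</query>"),
    base64.b64encode(b"<?php system($_GET['c']); ?>"),
    base64.b64encode(b"<?php echo 'x'; ?>"),
)

BASE_PATH = "/var/www/html/cacti"             # base path named in the IOC list
ALLOWED_DIRS = ("resource", "scripts")        # assumption: where package files belong
FORBIDDEN_EXTS = {".php", ".phtml", ".phar"}  # assumption: never write executable code


def resolve_unsafely(base_path, name):
    """The trusting join the description attributes to import_package():
    the XML-supplied name is appended to the base path with no validation,
    so '../' sequences walk out of the Cacti tree."""
    return os.path.normpath(os.path.join(base_path, name))


def resolve_safely(base_path, name):
    """Return the resolved target, or raise ValueError if the name escapes
    base_path, lands outside an allowed subdirectory, or has a forbidden
    extension. Absolute names are caught by the containment check too,
    because os.path.join discards base_path when name is absolute."""
    base = os.path.realpath(base_path)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path traversal: {name!r}")
    top = os.path.relpath(target, base).split(os.sep, 1)[0]
    if top not in ALLOWED_DIRS:
        raise ValueError(f"outside allowed directories: {name!r}")
    if os.path.splitext(target)[1].lower() in FORBIDDEN_EXTS:
        raise ValueError(f"forbidden extension: {name!r}")
    return target


def triage_package(xml_bytes, base_path=BASE_PATH):
    """Parse the package and classify every file entry without writing
    anything. Returns (name, verdict, target_or_reason) tuples."""
    root = ET.fromstring(xml_bytes)
    results = []
    for entry in root.findall("./files/file"):
        name = entry.findtext("name", "")
        base64.b64decode(entry.findtext("data", ""))  # decoded, never written
        try:
            results.append((name, "accept", resolve_safely(base_path, name)))
        except ValueError as err:
            results.append((name, "reject", str(err)))
    return results


if __name__ == "__main__":
    print("unchecked join:", resolve_unsafely(BASE_PATH, "../../../../tmp/evil.php"))
    for name, verdict, detail in triage_package(SAMPLE_PACKAGE_XML):
        print(f"{verdict:6} {name:40} {detail}")
```

The containment check compares resolved paths rather than scanning the name for `../`, so encoded or symlink-based variants that normalize to the same escape are caught by the same rule; rejecting `.php` is a second, independent line of defence for the case where a writable directory does sit under the web root.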

Affected

13 ranges

Vendor | Product | Version range | Fixed in
cacti | cacti | < 1.2.27 | 1.2.27
cacti | cacti | >= 0, < 1.2.16+ds1-2+deb11u4 | 1.2.16+ds1-2+deb11u4
cacti | cacti | >= 0, < 1.2.24+ds1-1+deb12u3 | 1.2.24+ds1-1+deb12u3
cacti | cacti | >= 0, < 1.2.27+ds1-1 | 1.2.27+ds1-1
cacti | cacti | >= 0, < 1.2.27+ds1-1 | 1.2.27+ds1-1
cacti | cacti | >= 0, < 1.2.10+ds1-1ubuntu1.1 | 1.2.10+ds1-1ubuntu1.1
cacti | cacti | >= 0, < 1.2.19+ds1-2ubuntu1.1 | 1.2.19+ds1-2ubuntu1.1
cacti | cacti | >= 0, < 1.2.26+ds1-1ubuntu0.1 | 1.2.26+ds1-1ubuntu0.1
cacti | cacti | >= 0, < 0.8.8b+dfsg-5ubuntu0.2+esm2 | 0.8.8b+dfsg-5ubuntu0.2+esm2
cacti | cacti | >= 0, < 0.8.8f+ds1-4ubuntu4.16.04.2+esm2 | 0.8.8f+ds1-4ubuntu4.16.04.2+esm2
cacti | cacti | >= 0, < 1.1.38+ds1-1ubuntu0.1~esm3 | 1.1.38+ds1-1ubuntu0.1~esm3
debian | cacti | < cacti 1.2.24+ds1-1+deb12u3 (bookworm) | cacti 1.2.24+ds1-1+deb12u3 (bookworm)
fedoraproject | fedora | (not given) | (not given)

Detection & IOCs (extracted from sources)

path: /lib/import.php
path: /package_import.php
url: /package_import.php?package_location=0&preview_only=on&remove_orphans=on&replace_svalues=on
url: /package_import.php?header=false
path: /resource/<random>.php
path: /var/www/html/cacti/resource/
filename: <random_10chars>.php.gz
  • Monitor for authenticated POST requests to /package_import.php carrying a multipart file upload (field import_file) with a .gz archive, especially when the archive contains embedded PHP files; this is the exploitation vector for CVE-2024-25641.
  • Alert on new or modified PHP files appearing under the Cacti /resource/ directory: the exploit writes its PHP webshell there for subsequent execution.
  • Detect GET requests to /resource/*.php on a Cacti web server. Legitimate Cacti usage does not execute PHP from the resource directory, so such requests indicate webshell trigger activity.
  • The vulnerability allows path traversal in the XML package filename field; monitor for filenames containing '../' sequences in import_package() calls or in uploaded Cacti package XML data.
  • The Metasploit module targets Cacti versions prior to 1.2.27 via the Import Packages feature; correlate web server logs for a POST to /package_import.php from an account with the 'Import Templates' permission followed by a GET to a newly created PHP file.
  • Exploitation requires authentication and the 'Import Templates' permission in the Template Editor section; unauthenticated or low-privilege accounts cannot trigger this vulnerability.
  • The vulnerability affects Cacti versions prior to 1.2.27 only; version 1.2.27 contains the patch. Debian stable (bookworm) backported the fix to 1.2.24+ds1-1+deb12u3.
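The bullets above describe a two-step pattern in web server logs: a POST to /package_import.php followed by a request for a freshly written PHP file under /resource/. The Python below is an added example, not taken from this page's sources, that runs both checks over a few constructed Apache combined-format log lines (the client addresses, timestamps and the random file name are made up). The multipart import_file body and the account's permission are not visible in an access log, so the rules key on method, path and client address only; the ten-minute correlation window is an assumption to tune to the environment.

```python
import re
from datetime import datetime, timedelta

# Constructed Apache combined-format log lines; addresses, timestamps and the
# random file name are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [14/May/2024:10:01:02 +0000] "GET /cacti/package_import.php?header=false HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [14/May/2024:10:01:09 +0000] "POST /cacti/package_import.php?package_location=0&preview_only=on&remove_orphans=on&replace_svalues=on HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [14/May/2024:10:01:15 +0000] "GET /cacti/resource/kxqwbmuyzt.php?c=id HTTP/1.1" 200 87 "-" "Mozilla/5.0"
10.0.0.9 - - [14/May/2024:10:05:00 +0000] "GET /cacti/graph_view.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
10.0.0.9 - - [14/May/2024:11:30:00 +0000] "POST /cacti/package_import.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [14/May/2024:11:30:03 +0000] "GET /cacti/templates_import.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.9 - - [14/May/2024:12:00:00 +0000] "GET /cacti/resource/snmp_queries/interface.xml HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
IMPORT_RE = re.compile(r"/package_import\.php(\?|$)")
RESOURCE_PHP_RE = re.compile(r"/resource/[^?]*\.php(\?|$)")


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return ev


def detect(log_text, window=timedelta(minutes=10)):
    """Run two rules over the log and return the alerts raised, in log order.

    resource_php_request      any request for a .php file under /resource/
                              (the directory holds XML templates, not code)
    import_then_resource_php  the same client POSTed to package_import.php
                              within `window` before requesting /resource/*.php
    """
    alerts = []
    last_import = {}  # client ip -> time of its most recent package_import POST
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts, path = ev["ip"], ev["ts"], ev["path"]
        if ev["method"] == "POST" and IMPORT_RE.search(path):
            last_import[ip] = ts
            continue
        if RESOURCE_PHP_RE.search(path):
            alerts.append({"rule": "resource_php_request", "ip": ip, "path": path})
            t0 = last_import.get(ip)
            if t0 is not None and timedelta(0) <= ts - t0 <= window:
                alerts.append({
                    "rule": "import_then_resource_php",
                    "ip": ip,
                    "path": path,
                    "delta_s": (ts - t0).total_seconds(),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample, only the 10.0.0.5 session fires: its POST to package_import.php is followed six seconds later by a GET to a random-named .php under /resource/, raising both the standalone rule and the correlated one. The 10.0.0.9 import followed by ordinary template pages and an XML fetch from /resource/ raises nothing, which is the false-positive case the correlation is meant to avoid.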

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
osv | - | 7.2 | HIGH | -
vendor_debian | - | 9.1 | CRITICAL | -
vendor_ubuntu | - | 9.1 | CRITICAL | -