CVE-2024-25641
Published 2024-05-14
Priority P2 · 72 · High 7.2 · CVSS 3.1
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EXPLOIT: public exploit available
EPSS: 86.30% (99.7th percentile)
Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, an arbitrary file write vulnerability, exploitable through the "Package Import" feature, allows authenticated users having the "Import Templates" permission to execute arbitrary PHP code on the web server. The vulnerability is located within the `import_package()` function defined in the `/lib/import.php` script. The function blindly trusts the filename and file content provided within the XML data, and writes such files into the Cacti base path (or even outside it, since path traversal sequences are not filtered). This can be exploited to write or overwrite arbitrary files on the web server, leading to execution of arbitrary PHP code or other security impacts. Version 1.2.27 contains a patch for this issue.
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cacti | cacti | < 1.2.27 | 1.2.27 |
| cacti | cacti | >= 0 < 1.2.16+ds1-2+deb11u4 | 1.2.16+ds1-2+deb11u4 |
| cacti | cacti | >= 0 < 1.2.24+ds1-1+deb12u3 | 1.2.24+ds1-1+deb12u3 |
| cacti | cacti | >= 0 < 1.2.27+ds1-1 | 1.2.27+ds1-1 |
| cacti | cacti | >= 0 < 1.2.27+ds1-1 | 1.2.27+ds1-1 |
| cacti | cacti | >= 0 < 1.2.10+ds1-1ubuntu1.1 | 1.2.10+ds1-1ubuntu1.1 |
| cacti | cacti | >= 0 < 1.2.19+ds1-2ubuntu1.1 | 1.2.19+ds1-2ubuntu1.1 |
| cacti | cacti | >= 0 < 1.2.26+ds1-1ubuntu0.1 | 1.2.26+ds1-1ubuntu0.1 |
| cacti | cacti | >= 0 < 0.8.8b+dfsg-5ubuntu0.2+esm2 | 0.8.8b+dfsg-5ubuntu0.2+esm2 |
| cacti | cacti | >= 0 < 0.8.8f+ds1-4ubuntu4.16.04.2+esm2 | 0.8.8f+ds1-4ubuntu4.16.04.2+esm2 |
| cacti | cacti | >= 0 < 1.1.38+ds1-1ubuntu0.1~esm3 | 1.1.38+ds1-1ubuntu0.1~esm3 |
| debian | cacti | < cacti 1.2.24+ds1-1+deb12u3 (bookworm) | cacti 1.2.24+ds1-1+deb12u3 (bookworm) |
| fedoraproject | fedora | — | — |
Detection & IOCs (extracted from sources)
- Monitor for authenticated POST requests to /package_import.php with a multipart file upload (import_file) containing a .gz file, especially when the uploaded archive contains embedded PHP files; this is the exploitation vector for CVE-2024-25641.
- Alert on new or modified PHP files appearing under the Cacti /resource/ directory, as the exploit writes the malicious PHP webshell there for subsequent execution.
- Detect GET requests to /resource/*.php on a Cacti web server; legitimate Cacti usage does not involve direct PHP execution from the resource directory, so such requests indicate webshell trigger activity.
- The vulnerability allows path traversal in the XML package filename field; monitor for filenames containing '../' sequences in import_package() calls or in uploaded Cacti package XML data.
- The Metasploit module targets Cacti versions prior to 1.2.27 via the Import Packages feature; correlate web server logs for a POST to /package_import.php from an account with the 'Import Templates' permission followed by a GET to a newly created PHP file.
- Exploitation requires authentication and the 'Import Templates' permission in the Template Editor section; unauthenticated or low-privilege accounts cannot trigger this vulnerability.
- The vulnerability affects Cacti versions prior to 1.2.27 only; version 1.2.27 contains the patch. Debian stable (bookworm) backported the fix to 1.2.24+ds1-1+deb12u3.
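As an added illustration (not code from this page, from Cacti, or from the Metasploit module), the two checks a defender takes from the description and the IOCs above: a correlation over constructed Apache access-log lines for the "POST to package_import.php, then GET to /resource/*.php" sequence, and a base-path containment check of the kind `import_package()` lacked before 1.2.27. The log lines, IP addresses, file names and the `/var/www/cacti` base path are assumptions, and the containment check is illustrative rather than the upstream patch.

```python
import re
from collections import defaultdict
from datetime import datetime
from posixpath import normpath

# Constructed sample access-log lines (Apache combined format); not taken from any real incident.
SAMPLE_LOG = """\
10.0.0.5 - - [14/May/2024:10:01:02 +0000] "GET /cacti/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [14/May/2024:10:02:10 +0000] "POST /cacti/package_import.php HTTP/1.1" 200 1024 "-" "python-requests/2.31"
10.0.0.9 - - [14/May/2024:10:02:13 +0000] "GET /cacti/resource/x.php HTTP/1.1" 200 77 "-" "python-requests/2.31"
10.0.0.5 - - [14/May/2024:10:03:00 +0000] "POST /cacti/package_import.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.5 - - [14/May/2024:10:03:05 +0000] "GET /cacti/graph_view.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def find_import_then_resource_php(log_text, window_seconds=300):
    """Return (ip, path) pairs where a client POSTed to package_import.php and,
    within window_seconds, fetched a .php file under /resource/ (the sequence the
    IOCs above describe). Legitimate Cacti use never executes PHP from the
    resource directory, so every hit deserves a look."""
    imports = defaultdict(list)   # ip -> timestamps of package_import.php POSTs
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        path = m["path"].split("?", 1)[0]      # drop any query string
        if m["method"] == "POST" and path.endswith("/package_import.php"):
            imports[m["ip"]].append(ts)
        elif m["method"] == "GET" and "/resource/" in path and path.endswith(".php"):
            if any(0 <= (ts - t0).total_seconds() <= window_seconds for t0 in imports[m["ip"]]):
                hits.append((m["ip"], path))
    return hits


def is_safe_package_path(base_dir, filename):
    """Containment check of the kind import_package() lacked before 1.2.27: a
    filename taken from package XML may only resolve to a location inside base_dir.
    Illustrative only; this is not the upstream patch."""
    if filename.startswith("/") or "\\" in filename or "\0" in filename:
        return False
    base = base_dir.rstrip("/") + "/"
    return normpath(base + filename).startswith(base)
```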
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| osv | 7.2 | HIGH | |
| vendor_debian | 9.1 | CRITICAL | |
| vendor_ubuntu | 9.1 | CRITICAL | |
Ubuntu
Cacti vulnerabilities
vendor_ubuntu·2024-08-20·CVSS 9.1
CVE-2024-29894 [CRITICAL] Cacti vulnerabilities
Title: Cacti vulnerabilities
Summary: Several security issues were fixed in Cacti.
It was discovered that Cacti did not properly apply checks to the "Package Import" feature. An attacker could possibly use this issue to perform arbitrary code execution. This issue only affected Ubuntu 24.04 LTS, Ubuntu 22.04 LTS, Ubuntu 20.04 LTS and Ubuntu 18.04 LTS. (CVE-2024-25641)

It was discovered that Cacti did not properly sanitize values when using the JavaScript-based API. A remote attacker could possibly use this issue to inject arbitrary JavaScript code, resulting in a cross-site scripting vulnerability. This issue only affected Ubuntu 24.04 LTS. (CVE-2024-29894)

It was discovered that Cacti did not properly sanitize values when managing data queries. A remote attacker could possibly use this iss
Debian
CVE-2024-25641: cacti - Cacti provides an operational monitoring and fault management framework. Prior t...
vendor_debian·2024·CVSS 9.1
CVE-2024-25641 [CRITICAL] CVE-2024-25641: cacti - Cacti provides an operational monitoring and fault management framework. Prior t...
Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, an arbitrary file write vulnerability, exploitable through the "Package Import" feature, allows authenticated users having the "Import Templates" permission to execute arbitrary PHP code on the web server. The vulnerability is located within the `import_package()` function defined into the `/lib/import.php` script. The function blindly trusts the filename and file content provided within the XML data, and writes such files into the Cacti base path (or even outside, since path traversal sequences are not filtered). This can be exploited to write or overwrite arbitrary files on the web server, leading to execution of arbitrary PHP code or other security impacts. Version 1.2.27 contains a patch f
OSV
cacti vulnerabilities
osv·2024-08-20·CVSS 7.2
CVE-2024-25641 [HIGH] cacti vulnerabilities
It was discovered that Cacti did not properly apply checks to the "Package Import" feature. An attacker could possibly use this issue to perform arbitrary code execution. This issue only affected Ubuntu 24.04 LTS, Ubuntu 22.04 LTS, Ubuntu 20.04 LTS and Ubuntu 18.04 LTS. (CVE-2024-25641)

It was discovered that Cacti did not properly sanitize values when using the JavaScript-based API. A remote attacker could possibly use this issue to inject arbitrary JavaScript code, resulting in a cross-site scripting vulnerability. This issue only affected Ubuntu 24.04 LTS. (CVE-2024-29894)

It was discovered that Cacti did not properly sanitize values when managing data queries. A remote attacker could possibly use this issue to inject arbitrary JavaScript code, resulting in a cross-si
OSV
CVE-2024-25641: Cacti provides an operational monitoring and fault management framework
osv·2024-05-14·CVSS 7.2
CVE-2024-25641 [HIGH] CVE-2024-25641: Cacti provides an operational monitoring and fault management framework
Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, an arbitrary file write vulnerability, exploitable through the "Package Import" feature, allows authenticated users having the "Import Templates" permission to execute arbitrary PHP code on the web server. The vulnerability is located within the `import_package()` function defined into the `/lib/import.php` script. The function blindly trusts the filename and file content provided within the XML data, and writes such files into the Cacti base path (or even outside, since path traversal sequences are not filtered). This can be exploited to write or overwrite arbitrary files on the web server, leading to execution of arbitrary PHP code or other security impacts. Version 1.2.27 contains a patch f
No detection rules found.
Exploit-DB
Cacti 1.2.26 - Remote Code Execution (RCE) (Authenticated)
exploitdb·2025-04-15·CVSS 9.1
CVE-2024-25641 [CRITICAL] Cacti 1.2.26 - Remote Code Execution (RCE) (Authenticated)
---
```python
# Exploit Title: Cacti 1.2.26 - Remote Code Execution (RCE) (Authenticated)
# Date: 06/01/2025
# Exploit Author: D3Ext
# Vendor Homepage: https://cacti.net/
# Software Link: https://github.com/Cacti/cacti/archive/refs/tags/release/1.2.26.zip
# Version: 1.2.26
# Tested on: Kali Linux 2024
# CVE: CVE-2024-25641
#!/usr/bin/python3
import os
import requests
import base64
import gzip
import time
import argparse
import string
import random
from bs4 import BeautifulSoup
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives import serialization
def get_random_string(length):
    letters = string.ascii_lowercase
    result_str = ''.join(rando
```
Metasploit
Cacti Import Packages RCE
metasploit·CVSS 7.2
CVE-2024-25641 [HIGH] Cacti Import Packages RCE
This exploit module leverages an arbitrary file write vulnerability (CVE-2024-25641) in Cacti versions prior to 1.2.27 to achieve RCE. It abuses the `Import Packages` feature to upload a specially crafted package that embeds a PHP file. Cacti will extract this file to an accessible location. The module finally triggers the payload to execute arbitrary PHP code in the context of the user running the web server. Authentication is needed and the account must have access to the `Import Packages` feature. This is granted by setting the `Import Templates` permission in the `Template Editor` section.
Checkpoint
20th May – Threat Intelligence Report
blogs_checkpoint·2024-05-20
CVE-2024-30051 20th May – Threat Intelligence Report
## 20th May – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 20th May, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Australian electronic prescriptions provider MediSecure suffered a significant ransomware attack, leading to widespread disruptions and data breaches. The impact of the attack has been profound, broadly affecting healthcare data in the country.
WebTPA, an American healthcare management and administrative services provide
arXiv
AXE: An Agentic eXploit Engine for Confirming Zero-Day Vulnerability Reports
arxiv_fulltext·2026-02-15
AXE: An Agentic eXploit Engine for Confirming Zero-Day Vulnerability Reports
Amirali (Drexel University, Philadelphia, PA); Tu (Drexel University, Philadelphia, PA); Kostadin (Virginia Commonwealth University, Richmond, VA); Preetha (Drexel University, Philadelphia, PA)
## Abstract
Vulnerability detection tools are widely adopted in software projects, yet they often overwhelm maintainers with false positives and non-actionable reports. Automated exploitation systems can help validate these reports; however, existing approaches typically operate in isolation from detection pipelines, failing to leverage readily available metadata such as vulnerability type and source-code
References
- http://seclists.org/fulldisclosure/2024/May/6
- https://github.com/Cacti/cacti/commit/eff35b0ff26cc27c82d7880469ed6d5e3bef6210
- https://github.com/Cacti/cacti/security/advisories/GHSA-7cmj-g5qc-pj88
- https://lists.fedoraproject.org/archives/list/[email protected]/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/
- https://lists.debian.org/debian-lts-announce/2024/09/msg00027.html