CVE-2024-43363
published 2024-10-07


Priority: P2 · 58 · high
CVSS 3.1: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS: 35.81% (98.3rd percentile)
Cacti is an open source performance and fault management framework. An admin user can create a device with a malicious hostname containing PHP code and repeat the installation process (completing only step 5 of the installation process is enough; there is no need to complete the steps before or after it) to use a PHP file as the Cacti log file. Once the malicious hostname has been written to the log (log poisoning), the attacker only needs to request the log file URL to execute commands and achieve RCE. This issue has been addressed in version 1.2.28 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected

6 ranges

Vendor   Product  Version range                              Fixed in
cacti    cacti    < 1.2.28                                   1.2.28
cacti    cacti    >= 0, < 1.2.16+ds1-2+deb11u5               1.2.16+ds1-2+deb11u5
cacti    cacti    >= 0, < 1.2.24+ds1-1+deb12u5               1.2.24+ds1-1+deb12u5
cacti    cacti    >= 0, < 1.2.28+ds1-1                       1.2.28+ds1-1
cacti    cacti    >= 0, < 1.2.28+ds1-1                       1.2.28+ds1-1
debian   cacti    < cacti 1.2.24+ds1-1+deb12u5 (bookworm)    cacti 1.2.24+ds1-1+deb12u5 (bookworm)

Detection & IOCs (extracted from sources)

  • Log poisoning via malicious hostname: the attacker creates a Cacti device with a hostname containing embedded PHP code, which gets written into the Cacti log file
  • RCE trigger: after log poisoning, the attacker browses directly to the poisoned log file URL (now a PHP file) to execute arbitrary commands
  • Monitor Cacti installation wizard activity (specifically step 5 completion) by non-setup/admin users as an indicator of an exploitation attempt
  • The vulnerability requires admin-level access to Cacti to create a device with a malicious hostname; exploitation is not possible without authenticated admin privileges
  • Fixed in Cacti version 1.2.28; the Debian stable (bookworm) backport fix is in 1.2.24+ds1-1+deb12u5 and bullseye in 1.2.16+ds1-2+deb11u5; the patched version varies by distribution
  • No known workarounds exist for this vulnerability; upgrading is the only remediation
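The description and the detection notes above point at two artefacts a defender can audit directly: device hostnames that carry PHP code instead of a valid name or address, and a Cacti log path that has been repointed at a file the web server would execute. The script below is an added example, not code from Cacti or from this database; the device list and log path are constructed inline, and the setting key `path_cactilog` and the log directory are assumptions.

```python
# Added defensive audit for the two conditions the advisory describes: a
# device hostname carrying PHP code, and a log path repointed at a file PHP
# would execute. Input is constructed; `path_cactilog` is the assumed setting key.
import ipaddress
import re

_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}\.?$")  # RFC 1123 host name
_PHP_TAG_RE = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)  # PHP open tags
_EXEC_EXT = (".php", ".phtml", ".phar", ".php5", ".php7")


def hostname_findings(hostname: str) -> list[str]:
    """Finding labels for one device hostname; an empty list means clean."""
    findings = ["php_tag"] if _PHP_TAG_RE.search(hostname) else []
    try:
        ipaddress.ip_address(hostname)  # IPv4/IPv6 literals are valid hostnames
    except ValueError:
        if not _HOSTNAME_RE.match(hostname):
            findings.append("invalid_hostname")
    return findings


def log_path_findings(path: str, log_dir: str = "/var/www/html/cacti/log/") -> list[str]:
    """Flag a log path PHP would execute, or one that left the expected log dir."""
    findings = []
    if path.lower().endswith(_EXEC_EXT):
        findings.append("executable_extension")
    if not path.startswith(log_dir):
        findings.append("outside_log_dir")
    return findings


def audit(devices: list[dict[str, str]], log_path: str) -> dict[str, list[str]]:
    """Map each suspicious item ('host:<id>' or 'path_cactilog') to its findings."""
    report = {}
    for dev in devices:
        found = hostname_findings(dev["hostname"])
        if found:
            report[f"host:{dev['id']}"] = found
    found = log_path_findings(log_path)
    if found:
        report["path_cactilog"] = found
    return report


# Constructed sample: host 3 carries an inert PHP open tag; the log path is a .php file.
SAMPLE_DEVICES = [
    {"id": "1", "hostname": "router1.example.net"},
    {"id": "2", "hostname": "2001:db8::1"},
    {"id": "3", "hostname": "<?php /* constructed */ ?>"},
]
SAMPLE_LOG_PATH = "/var/www/html/cacti/log/cacti.php"
```

On a live system the hostnames would be read from Cacti's `host` table and the log path from its settings; any `php_tag` or `executable_extension` finding is worth correlating with the installer activity the bullets above describe.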

CVSS provenance

nvd: v3.1, 7.2 HIGH, CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
osv: 7.2 HIGH
vendor_debian: 7.2 HIGH