cbcvebase.
CVE-2025-24367
published 2025-01-27

Priority: P1 (78) · Severity: high · CVSS 3.1 base score: 8.8
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
Exploit: available
EPSS: 51.49% (98.8th percentile)
Cacti is an open source performance and fault management framework. An authenticated Cacti user can abuse graph creation and graph template functionality to create arbitrary PHP scripts in the web root of the application, leading to remote code execution on the server. This vulnerability is fixed in 1.2.29.

Affected (7 ranges)

Vendor  | Product | Version range                              | Fixed in
cacti   | cacti   | < 1.2.29                                   | 1.2.29
cacti   | cacti   | <= 1.2.28                                  | (not listed)
cacti   | cacti   | >= 0, < 1.2.16+ds1-2+deb11u5               | 1.2.16+ds1-2+deb11u5
cacti   | cacti   | >= 0, < 1.2.24+ds1-1+deb12u5               | 1.2.24+ds1-1+deb12u5
cacti   | cacti   | >= 0, < 1.2.28+ds1-4                       | 1.2.28+ds1-4
cacti   | cacti   | >= 0, < 1.2.28+ds1-4                       | 1.2.28+ds1-4
debian  | cacti   | < cacti 1.2.24+ds1-1+deb12u5 (bookworm)    | cacti 1.2.24+ds1-1+deb12u5 (bookworm)

Detection & IOCs (extracted from sources)

url: /graph_templates.php
other: right_axis_label
  • Monitor POST requests to /graph_templates.php for code injection patterns in the right_axis_label parameter
  • Detect outbound curl requests from the Cacti web server process, which may indicate the initial stage payload downloading a full payload from an attacker-controlled HTTP server
  • Alert on new or unexpected PHP files written to the Cacti web root directory, which may indicate successful exploitation and webshell/payload placement
  • Exploitation requires authentication; unauthenticated access alone is not sufficient to trigger this vulnerability
  • The injected payload is length-limited, so the Metasploit exploit uses a two-stage approach: a short initial payload fetches the full payload via curl from an attacker-hosted HTTP server
  • This vulnerability is fixed in Cacti 1.2.29; the Debian stable (bookworm) fix is in 1.2.24+ds1-1+deb12u5

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 8.8   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd           | v4.0    | 8.7   | HIGH     | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
osv           |         | 8.7   | HIGH     |
vendor_debian |         | 8.7   | HIGH     |