Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2025-24367 — Improper Neutralization of Line Delimiters in Cacti

CWE-144 — Improper Neutralization of Line Delimiters5 documents5 sources

Severity

8.7HIGHNVD

EPSS

90.5%

top 0.39%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Cacti Debian Cacti

Timeline

PublishedJan 27

Description

Cacti is an open source performance and fault management framework. An authenticated Cacti user can abuse graph creation and graph template functionality to create arbitrary PHP scripts in the web root of the application, leading to remote code execution on the server. This vulnerability is fixed in 1.2.29.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages4 packages

▶NVDcacti/cacti< 1.2.29

▶debiandebian/cacti< cacti 1.2.24+ds1-1+deb12u5 (bookworm)

▶Debiancacti/cacti< 1.2.16+ds1-2+deb11u5+3

▶CVEListV5cacti/cacti1.2.28

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2025-24367: Cacti is an open source performance and fault management framework↗2025-01-27

▶

CVEList

Cacti allows Arbitrary File Creation leading to RCE↗2025-01-27

▶

💥Exploits & PoCs

Metasploit

Cacti Graph Template authenticated RCE versions prior to 1.2.29↗

▶

📋Vendor Advisories

Debian

CVE-2025-24367: cacti - Cacti is an open source performance and fault management framework. An authentic...↗2025

▶