CVE-2025-24367
Published 2025-01-27

Priority: P178 · Severity: high · CVSS 3.1 base score: 8.8
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 51.49% (98.8th percentile)
Cacti is an open source performance and fault management framework. An authenticated Cacti user can abuse graph creation and graph template functionality to create arbitrary PHP scripts in the web root of the application, leading to remote code execution on the server. This vulnerability is fixed in 1.2.29.
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cacti | cacti | < 1.2.29 | 1.2.29 |
| cacti | cacti | <= 1.2.28 | — |
| cacti | cacti | >= 0 < 1.2.16+ds1-2+deb11u5 | 1.2.16+ds1-2+deb11u5 |
| cacti | cacti | >= 0 < 1.2.24+ds1-1+deb12u5 | 1.2.24+ds1-1+deb12u5 |
| cacti | cacti | >= 0 < 1.2.28+ds1-4 | 1.2.28+ds1-4 |
| cacti | cacti | >= 0 < 1.2.28+ds1-4 | 1.2.28+ds1-4 |
| debian | cacti | < cacti 1.2.24+ds1-1+deb12u5 (bookworm) | cacti 1.2.24+ds1-1+deb12u5 (bookworm) |
Detection & IOCs (extracted from sources)
- Monitor POST requests to /graph_templates.php for code injection patterns in the right_axis_label parameter.
- Detect outbound curl requests from the Cacti web server process, which may indicate the initial stage payload downloading a full payload from an attacker-controlled HTTP server.
- Alert on new or unexpected PHP files written to the Cacti web root directory, which may indicate successful exploitation and webshell/payload placement.
- Exploitation requires authentication; unauthenticated access alone is not sufficient to trigger this vulnerability.
- The injected payload is length-limited, so the Metasploit exploit uses a two-stage approach: a short initial payload fetches the full payload via curl from an attacker-hosted HTTP server.
- This vulnerability is fixed in Cacti 1.2.29; the Debian stable (bookworm) fix is in 1.2.24+ds1-1+deb12u5.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 4.0 | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | 4.0 | 8.7 | HIGH | |
| vendor_debian | 4.0 | 8.7 | HIGH | |
Debian
Source: vendor_debian · 2025 · CVSS 8.7 · HIGH
Scope: local
bookworm: resolved (fixed in 1.2.24+ds1-1+deb12u5)
bullseye: resolved (fixed in 1.2.16+ds1-2+deb11u5)
forky: resolved (fixed in 1.2.28+ds1-4)
sid: resolved (fixed in 1.2.28+ds1-4)
trixie: resolved (fixed in 1.2.28+ds1-4)
OSV
Source: osv · 2025-01-27 · CVSS 8.7 · HIGH
No detection rules found.
No writeups or analysis indexed.