CVE-2025-24368 — SQL Injection in Cacti

CWE-89 — SQL Injection4 documents4 sources

Severity

6.9MEDIUMNVD

EPSS

0.1%

top 70.46%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cacti Debian Cacti

Timeline

PublishedJan 27

Description

Cacti is an open source performance and fault management framework. Some of the data stored in automation_tree_rules.php is not thoroughly checked and is used to concatenate the SQL statement in build_rule_item_filter() function from lib/api_automation.php, resulting in SQL injection. This vulnerability is fixed in 1.2.29.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Affected Packages3 packages

▶NVDcacti/cacti< 1.2.29

▶debiandebian/cacti< cacti 1.2.24+ds1-1+deb12u5 (bookworm)

▶Debiancacti/cacti< 1.2.16+ds1-2+deb11u5+3

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2025-24368: Cacti is an open source performance and fault management framework↗2025-01-27

▶

📋Vendor Advisories

Debian

CVE-2025-24368: cacti - Cacti is an open source performance and fault management framework. Some of the ...↗2025

▶

🕵️Threat Intelligence

Wiz

CVE-2025-45160 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶