CVE-2024-25641

9.1 CRITICAL

📋 TL;DR

CVE-2024-25641 is an arbitrary file write vulnerability in Cacti's Package Import feature. An authenticated user who holds the 'Import Templates' permission can upload a crafted package whose embedded file entries are written to the web server under a file name taken from the package XML; because import_package() in lib/import.php did not validate those names, the attacker chooses the path and the extension, so a .php file can be dropped where the web server will execute it, giving remote code execution as the web server user. All versions prior to 1.2.27 are affected; 1.2.27 adds the missing validation.
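The following is an added example, not code from the page or from the Cacti project: a Python model of the unsafe pattern described above (a file name taken straight from the package XML) next to a hardened version that normalises the name, rejects absolute paths and traversal, restricts files to an allowed directory and extension policy, and re-checks containment before writing. The package XML layout (`<files>/<file>/<name>/<data>`), the install directory and the directory/extension policy are assumptions chosen for the illustration, not Cacti's real format or its actual fix.

```python
import base64
import posixpath
import xml.etree.ElementTree as ET

# Constructed, illustrative package. The <files>/<file>/<name>/<data> layout and the
# directory/extension policy below are assumptions for this example, not Cacti's
# real package format or its actual fix. Entries 3-6 carry attacker-style names.
SAMPLE_PACKAGE_XML = """<?xml version="1.0"?>
<cacti>
  <files>
    <file><name>scripts/ss_example.php</name><data>{ok_php}</data></file>
    <file><name>resource/script_server/ss_example.xml</name><data>{ok_xml}</data></file>
    <file><name>../../shell.php</name><data>{bad}</data></file>
    <file><name>scripts/../../shell.php</name><data>{bad}</data></file>
    <file><name>resource/shell.php</name><data>{bad}</data></file>
    <file><name>/var/www/html/index.php</name><data>{bad}</data></file>
  </files>
</cacti>
""".format(
    ok_php=base64.b64encode(b"<?php // harmless script-server script\n").decode(),
    ok_xml=base64.b64encode(b"<interface/>").decode(),
    bad=base64.b64encode(b"<?php // attacker-controlled content\n").decode(),
)

# Which top-level directories a package may populate and which extensions are
# acceptable in each (assumed policy for the example).
ALLOWED_DIRS = {
    "scripts": {".php", ".pl", ".py", ".sh"},
    "resource": {".xml"},
}


def parse_package(xml_text):
    """Yield (name, base64_data) for each file entry in the package."""
    root = ET.fromstring(xml_text)
    for f in root.iterfind("./files/file"):
        yield f.findtext("name", ""), f.findtext("data", "")


def unsafe_target(install_dir, name):
    """The vulnerable pattern: the name from the package is trusted verbatim."""
    return posixpath.normpath(posixpath.join(install_dir, name))


def validate_package_name(name):
    """Return a normalised relative path, or raise ValueError if it breaks policy."""
    if not name or "\x00" in name or "\\" in name:
        raise ValueError("empty name or illegal characters")
    norm = posixpath.normpath(name)
    if norm.startswith("/") or norm == ".." or norm.startswith("../"):
        raise ValueError("absolute path or directory traversal")
    parts = norm.split("/")
    if len(parts) < 2 or parts[0] not in ALLOWED_DIRS:
        raise ValueError("file must live under scripts/ or resource/")
    ext = posixpath.splitext(norm)[1].lower()
    if ext not in ALLOWED_DIRS[parts[0]]:
        raise ValueError("extension %r not allowed under %s/" % (ext, parts[0]))
    return norm


def safe_target(install_dir, name):
    """Hardened pattern: validate, then re-check containment as defence in depth."""
    root = posixpath.normpath(install_dir)
    full = posixpath.normpath(posixpath.join(root, validate_package_name(name)))
    if not full.startswith(root + "/"):
        raise ValueError("resolved path escapes the install directory")
    return full


def plan_import(install_dir, xml_text):
    """Return (accepted, rejected): target path -> bytes, and name -> reason."""
    accepted, rejected = {}, {}
    for name, data in parse_package(xml_text):
        try:
            target = safe_target(install_dir, name)
            # binascii.Error raised by strict decoding is a subclass of ValueError
            accepted[target] = base64.b64decode(data, validate=True)
        except ValueError as exc:
            rejected[name] = str(exc)
    return accepted, rejected


if __name__ == "__main__":
    install = "/var/www/html/cacti"
    print("unsafe write target:", unsafe_target(install, "../../shell.php"))
    ok, bad = plan_import(install, SAMPLE_PACKAGE_XML)
    for path in ok:
        print("would write", path)
    for name, why in bad.items():
        print("rejected", name, "->", why)
```

Note that the policy still permits .php under scripts/, because script-server scripts legitimately live there; whether the web server is allowed to serve that directory at all is a separate hardening decision that this check does not replace.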

💻 Affected Systems

Products:
  • Cacti
Versions: All versions prior to 1.2.27
Operating Systems: All platforms running Cacti
Default Config Vulnerable: ⚠️ Yes
Notes: Requires an authenticated user holding the 'Import Templates' realm permission. The built-in admin account has it, so a default installation is exploitable by anyone who obtains admin-level credentials, and any additional accounts granted the permission widen the exposure.

📦 What is this software?

Cacti is an open-source network monitoring and graphing framework written in PHP, backed by MySQL/MariaDB and RRDtool. It is commonly deployed on management networks and is frequently exposed to the internet.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full server compromise: attacker-supplied PHP written into the web root runs as the web server user, which then enables credential theft from the Cacti configuration, lateral movement to the monitored hosts, or ransomware deployment.

🟠

Likely Case

Authenticated attackers with Import Templates permission gain remote code execution on the Cacti server.

🟢

If Mitigated

Exposure is limited to authenticated users who hold the Import Templates permission; keeping that permission to a few trusted administrators and blocking the import page until patched shrinks the attack surface.

🌐 Internet-Facing: HIGH - Internet-facing Cacti instances are directly exploitable by authenticated attackers.
🏢 Internal Only: HIGH - Internal attackers with valid credentials can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires a valid account with the Import Templates permission, but once that is obtained it is a single crafted package upload; the public advisory gives enough detail to reproduce it.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.2.27

Vendor Advisory: https://github.com/Cacti/cacti/security/advisories/GHSA-7cmj-g5qc-pj88

Restart Required: No

Instructions:

1. Back up the Cacti database and configuration (include/config.php, the rra/ directory, and any locally installed plugins).
2. Download Cacti 1.2.27 or later from the official repository.
3. Replace the existing files with the patched release, preserving config.php and your local data.
4. Log in; if Cacti redirects you to its installer, complete the upgrade step.
5. Verify the version (see How to Verify) and confirm that the console and the Package Import page still work.

🔧 Temporary Workarounds

Disable Package Import Feature

Platforms: all

Block the Package Import page at the web server until you can upgrade. Do not delete import_package() from lib/import.php: the page that calls it would break, and editing vendor files complicates the upgrade.

# Apache example; place it in the Cacti vhost or the Cacti directory's .htaccess
<Files "package_import.php">
    Require all denied
</Files>

Restrict User Permissions

Platforms: all

Review every account and user group and remove the 'Import Templates' realm permission from anyone who does not need it; the fewer accounts that hold it, the fewer credential sets an attacker can use.

# Cacti console: Configuration > Users (and Configuration > User Groups) > open the account > Permissions tab > clear 'Import Templates'

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Cacti servers from critical systems.
  • Enable detailed logging and monitoring for any Package Import activity and file writes.

🔍 How to Verify

Check if Vulnerable:

Check the Cacti version via the web interface (About page) or by reading the $version assignment in include/cacti_version.php under the Cacti install directory.

Check Version:

grep '\$version' /path/to/cacti/include/cacti_version.php

Verify Fix Applied:

Confirm the reported version is 1.2.27 or later, then, as an account that still holds the Import Templates permission, import a known-good package and confirm the page works as before.
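An added example (not from the page or from the Cacti project) that turns the version check above into something you can run across many installs: it extracts the $version assignment from the contents of include/cacti_version.php and compares it numerically against 1.2.27, which matters because a plain string comparison would rank 1.2.9 above 1.2.27. The sample file contents are constructed for the example.

```python
import re

# First release carrying the fix, per the vendor advisory.
FIXED_VERSION = (1, 2, 27)

# Constructed stand-ins for include/cacti_version.php from two installs.
SAMPLE_OLD = "<?php\n$version = '1.2.26';\n"
SAMPLE_NEW = "<?php\n$version = '1.2.27';\n"

# Matches a line such as:  $version = '1.2.27';
VERSION_RE = re.compile(r"""^\s*\$version\s*=\s*['"]([^'"]+)['"]\s*;""", re.M)


def extract_version(php_source):
    """Return the version string assigned to $version, or raise ValueError."""
    m = VERSION_RE.search(php_source)
    if not m:
        raise ValueError("no $version assignment found")
    return m.group(1)


def version_key(v):
    """Numeric prefix of a version as a tuple: '1.2.27' -> (1, 2, 27), '1.3.0-beta' -> (1, 3, 0)."""
    nums = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", v)
    if not nums:
        raise ValueError("unparseable version %r" % v)
    return tuple(int(x or 0) for x in nums.groups())


def is_vulnerable(v):
    """True when the numeric version is older than the first fixed release."""
    return version_key(v) < FIXED_VERSION


def check_file(path):
    """Read a real cacti_version.php and return (version, vulnerable)."""
    with open(path, encoding="utf-8") as fh:
        v = extract_version(fh.read())
    return v, is_vulnerable(v)


if __name__ == "__main__":
    for label, src in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW)):
        v = extract_version(src)
        print(label, v, "VULNERABLE" if is_vulnerable(v) else "fixed")
```

One caveat: a development snapshot reporting a higher number (for example a 1.3 build taken before the fix was committed) compares as fixed here; for such builds check the git history rather than the version string.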

📡 Detection & Monitoring

Log Indicators:

  • Package import activity: entries in Cacti's own log where your logging level captures it and, more reliably, POST requests to package_import.php in the web server access log
  • New or modified .php files appearing under the Cacti web root or anywhere else writable by the web server user; file-integrity monitoring (auditd, AIDE or similar) on the web root catches these

Network Indicators:

  • Multipart HTTP POST requests to Cacti's package import page (package_import.php in 1.2.x) carrying XML or gzipped XML payloads, followed shortly by a request to a .php path that was never requested before

SIEM Query (Splunk-style; field names depend on how your access logs are parsed):

sourcetype=access_combined method=POST uri_path="*/package_import.php"
| stats count min(_time) AS first_seen BY clientip user
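The detection logic behind that query, as an added example that is not part of the page or of Cacti: a Python script that parses web server access logs, records every POST to the package import page, and raises a second alert when a .php path that has never been requested before is hit within 30 minutes of an import, which is the pattern a dropped web shell produces. The log lines are constructed in Apache combined format; the endpoint name is Cacti 1.2.x's package_import.php, and the 30-minute window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed Apache combined-format lines; addresses, paths and times are invented.
# Line 2 is a package import; line 3 is a request to a .php path never seen before.
SAMPLE_LOG = """\
203.0.113.10 - - [12/May/2024:10:14:50 +0000] "GET /cacti/graph_view.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.10 - - [12/May/2024:10:15:02 +0000] "POST /cacti/package_import.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [12/May/2024:10:15:09 +0000] "GET /cacti/scripts/ss_debug.php?c=id HTTP/1.1" 200 87 "-" "curl/8.4.0"
198.51.100.7 - - [12/May/2024:10:16:30 +0000] "GET /cacti/graph_view.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
IMPORT_ENDPOINT = "/package_import.php"   # Cacti 1.2.x page that calls import_package()
WINDOW = timedelta(minutes=30)            # assumed: how long after an import a new .php is suspicious


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["path"] = e["path"].split("?", 1)[0]   # drop the query string
    e["status"] = int(e["status"])
    return e


def detect(lines):
    """Return alerts as (kind, timestamp, client_ip, path) tuples, in time order."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    alerts, imports, known_php = [], [], set()
    for e in events:
        if e["method"] == "POST" and e["path"].endswith(IMPORT_ENDPOINT):
            imports.append(e["ts"])
            alerts.append(("package_import", e["ts"], e["ip"], e["path"]))
            continue
        if e["path"].lower().endswith(".php") and e["status"] < 400:
            recent_import = any(e["ts"] - t <= WINDOW for t in imports)
            # first-seen .php path shortly after an import: possible dropped web shell
            if recent_import and e["path"] not in known_php:
                alerts.append(("new_php_after_import", e["ts"], e["ip"], e["path"]))
            known_php.add(e["path"])
    return alerts


if __name__ == "__main__":
    for kind, ts, ip, path in detect(SAMPLE_LOG.splitlines()):
        print(ts.isoformat(), kind, ip, path)
```

For production use, feed it a longer history so that known_php is seeded with the paths your installation normally serves; on a short log every .php request after an import will look new.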

🔗 References

  • Vendor advisory: https://github.com/Cacti/cacti/security/advisories/GHSA-7cmj-g5qc-pj88
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-25641
