CVE-2025-24367

8.8 HIGH

📋 TL;DR

An authenticated Cacti user can abuse graph creation functionality to write arbitrary PHP files to the web root, leading to remote code execution on the server. This affects all Cacti installations with versions before 1.2.29 where users have graph creation permissions.

💻 Affected Systems

Products:
  • Cacti
Versions: All versions before 1.2.29
Operating Systems: All operating systems running Cacti
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user with graph creation permissions. Default installations with default user permissions may be vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full server compromise with attacker gaining shell access, data exfiltration, lateral movement, and persistence establishment.

🟠

Likely Case

Attacker creates web shells to execute arbitrary commands, potentially leading to data theft, service disruption, or further network compromise.

🟢

If Mitigated

Limited impact if proper authentication controls, file integrity monitoring, and least privilege principles are enforced.

🌐 Internet-Facing: HIGH - Internet-facing Cacti instances are directly accessible to attackers who can obtain valid credentials.
🏢 Internal Only: MEDIUM - Internal attackers or compromised accounts can exploit this, but exploitation requires authenticated access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated access and knowledge of graph template functionality. The advisory provides technical details but no public exploit code.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.2.29

Vendor Advisory: https://github.com/Cacti/cacti/security/advisories/GHSA-fxrq-fr7h-9rqq

Restart Required: No

Instructions:

1. Back up your Cacti database and configuration.
2. Download Cacti 1.2.29 from the official repository.
3. Replace the existing files with the new version.
4. Run the database upgrade if prompted.
5. Verify functionality.

🔧 Temporary Workarounds

Restrict Graph Creation Permissions

Platform: all

Temporarily remove graph creation permissions from non-admin users to prevent exploitation.

-- Excludes the built-in admin account (id 1). Back up the user_auth table first.
-- Caveat: in Cacti's user_auth table, policy_graphs is the user's default graph
-- viewing policy (Cacti's UI offers 1 = Allow, 2 = Deny); confirm against your
-- version which column or realm permission actually gates graph creation.
UPDATE user_auth SET policy_graphs = 0 WHERE id != 1;

File Integrity Monitoring

Platform: all

Monitor web root for unauthorized PHP file creation using file integrity monitoring tools.

# Use tools like AIDE, Tripwire, or OSSEC to monitor /var/www/html/cacti/ directory

🧯 If You Can't Patch

  • Implement strict access controls to limit graph creation to trusted administrators only.
  • Deploy web application firewall rules to block suspicious file write patterns to the web root.

🔍 How to Verify

Check if Vulnerable:

Check the Cacti version via the web interface or by examining the version.php file. If the version is below 1.2.29, the system is vulnerable.

Check Version:

grep '\$version' /path/to/cacti/include/global.php | head -1

Verify Fix Applied:

After patching, verify version shows 1.2.29 in web interface and test that graph creation functions work normally without errors.

📡 Detection & Monitoring

Log Indicators:

  • Unusual graph template creation events
  • PHP file creation in web root outside normal operations
  • Multiple failed authentication attempts followed by successful login

Network Indicators:

  • Unusual HTTP POST requests to graph creation endpoints
  • Unexpected file upload patterns to Cacti web paths

SIEM Query:

source="cacti.log" AND (event="graph_template_save" OR event="graph_create") | stats count by user
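The file integrity monitoring workaround above and the "PHP file creation in web root" log indicator both come down to the same check: a baseline of the .php files under the Cacti web root, compared against the current tree. The script below is an added example (not Cacti's code and not from the advisory) that builds such a baseline and reports new or modified .php files; the web root it scans is constructed in a temporary directory so it runs offline.

```python
import hashlib
import os
import tempfile

# Added example: baseline-and-diff check for .php files under a web root, the
# kind of check AIDE/OSSEC perform. Paths and file names below are constructed.

def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Map relative path -> sha256 for every .php file under root.
    Take this snapshot right after a clean install or patch."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = _sha256(full)
    return baseline

def find_unexpected_php(root, baseline):
    """Return (new, modified): .php files absent from the baseline, and
    .php files whose hash differs from the baseline."""
    current = build_baseline(root)
    new = sorted(p for p in current if p not in baseline)
    modified = sorted(p for p in current
                      if p in baseline and current[p] != baseline[p])
    return new, modified

def demo():
    # Constructed sample web root: two legitimate files are baselined, then one
    # file is dropped into the root and one existing file is tampered with.
    root = tempfile.mkdtemp(prefix="cacti_demo_")
    os.makedirs(os.path.join(root, "include"))
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php // legitimate\n")
    with open(os.path.join(root, "include", "global.php"), "w") as f:
        f.write("<?php // legitimate\n")
    baseline = build_baseline(root)
    with open(os.path.join(root, "dropped.php"), "w") as f:  # unauthorized write
        f.write("<?php // not in baseline\n")
    with open(os.path.join(root, "index.php"), "a") as f:    # tampering
        f.write("// appended\n")
    return find_unexpected_php(root, baseline)

if __name__ == "__main__":
    new, modified = demo()
    print("new php files:", new)          # ['dropped.php']
    print("modified php files:", modified)  # ['index.php']
```

In production, store the baseline outside the web root (and outside the web server's write access) and alert on any non-empty result.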
