CVE-2025-24368
📋 TL;DR
This SQL injection vulnerability in Cacti lets an authenticated user manipulate database queries through the automation_tree_rules.php interface. An attacker who reaches the endpoint can read, modify, or delete data in the Cacti database. All Cacti installations before version 1.2.29 are affected.
💻 Affected Systems
- Cacti
📦 What is this software?
Cacti by Cacti
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data theft, data manipulation, or potential remote code execution via database functions.
Likely Case
Unauthorized data access, privilege escalation, or configuration manipulation within the Cacti application.
If Mitigated
Limited impact when the endpoint is reachable only by trusted users, the Cacti database account holds only the privileges Cacti needs, and the server sits in a segmented network.
🎯 Exploit Status
Exploitation requires authenticated access to the vulnerable endpoint. The advisory provides technical details but no public exploit code.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.29
Vendor Advisory: https://github.com/Cacti/cacti/security/advisories/GHSA-f9c7-7rc3-574c
Restart Required: No
Instructions:
1. Back up your Cacti installation and database.
2. Download Cacti 1.2.29 from the official repository.
3. Replace the affected files or perform a full upgrade following Cacti's upgrade documentation.
🔧 Temporary Workarounds
Restrict access to automation_tree_rules.php
Block or restrict access to the vulnerable endpoint using web server configuration or network controls. This disables the Automation Tree Rules feature for everyone, administrators included, until you patch. The path in the rule must match the URL Cacti is served from: if Cacti lives under a subdirectory, use that prefix (for example /cacti/automation_tree_rules.php) or the rule will silently match nothing.
# Apache example (adjust the path prefix to your installation)
<Location /automation_tree_rules.php>
    Require all denied
</Location>
# Nginx example (adjust the path prefix to your installation)
location = /automation_tree_rules.php {
    deny all;
}
🧯 If You Can't Patch
- Add strict input validation in front of the application: for an off-the-shelf product like Cacti this means a WAF or reverse-proxy rule on automation_tree_rules.php rather than application code changes.
- Apply database-level controls to limit the impact of SQL injection (principle of least privilege): run Cacti with a MySQL/MariaDB account confined to its own schema, without FILE, SUPER, or access to other databases, so an injection cannot read other data or write files on the database host.
🔍 How to Verify
Check if Vulnerable:
Check if your Cacti version is below 1.2.29 by visiting the About page in the Cacti web interface or checking the version file.
Check Version:
cat /path/to/cacti/include/cacti_version
On Cacti 1.x the version string lives in include/cacti_version; the database also records it in the cacti column of the version table. The older 0.8.x layout kept it in include/global.php, where the following still works:
grep 'version' /path/to/cacti/include/global.php | grep -o '[0-9]\+\.[0-9]\+\.[0-9]\+'
Verify Fix Applied:
Verify the installed version is 1.2.29 or higher. For installations deployed from a git checkout, also confirm that the fixing commit c7e4ee798d263a3209ae6e7ba182c7b65284d8f0 is an ancestor of the checked-out revision; tarball or distribution-package installs carry no git history, so rely on the version check there.
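As an added example (not from this page or the Cacti project), the following Python helper reads the version string and compares it numerically against the fixed release. It assumes the 1.x layout where the string is in include/cacti_version under the Cacti root; the path /var/www/html/cacti is a placeholder. Comparing versions as strings gets this wrong ("1.2.3" sorts after "1.2.29"), which is why the components are compared as integers.

```python
import re
from pathlib import Path

# First release carrying the fix for CVE-2025-24368.
FIXED_VERSION = (1, 2, 29)


def parse_version(text):
    """Extract major.minor.patch as an int tuple from strings like '1.2.28' or '1.2.29-dev'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def is_vulnerable(version_text):
    """True when the installed version predates 1.2.29.

    Integer tuples are compared, not strings: as strings "1.2.3" > "1.2.29",
    which would wrongly report a 1.2.3 install as patched.
    """
    return parse_version(version_text) < FIXED_VERSION


def check_install(cacti_root):
    """Read include/cacti_version under the given root (assumed 1.x layout) and report."""
    version_file = Path(cacti_root) / "include" / "cacti_version"
    try:
        version_text = version_file.read_text(encoding="utf-8").strip()
    except FileNotFoundError:
        return {"root": str(cacti_root), "version": None, "vulnerable": None,
                "note": "include/cacti_version not found; check the About page instead"}
    return {"root": str(cacti_root), "version": version_text,
            "vulnerable": is_vulnerable(version_text), "note": ""}


if __name__ == "__main__":
    # /var/www/html/cacti is a placeholder; point it at your real Cacti root.
    print(check_install("/var/www/html/cacti"))
```

Run it on each Cacti host; a result with vulnerable set to None means the file layout differs and the About page or the version table is the fallback.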
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed authentication attempts followed by access to automation_tree_rules.php
- Unexpected database errors in Cacti application logs
Network Indicators:
- HTTP requests to automation_tree_rules.php whose query string or body carries SQL injection patterns; payloads arrive percent-encoded (%27 for a quote, %20 for a space, sometimes double-encoded), so decode before matching
SIEM Query:
source="web_access_logs" AND uri="/automation_tree_rules.php" AND (query="*UNION*" OR query="*SELECT*" OR query="*INSERT*" OR query="*DELETE*")
Run this against the URL-decoded query string: raw access logs carry the payload encoded (for example %27%20UNION%20SELECT), which the wildcards above will not match. Standard access logs also omit POST bodies, so form submissions to this endpoint need a WAF or application-level log to be visible.
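The network indicator and SIEM query above can be turned into an offline hunt over web server access logs. The Python script below is an added example, not part of the original page or of Cacti: it parses Apache combined-format lines, keeps only requests for automation_tree_rules.php, URL-decodes each query parameter (repeatedly, to catch double-encoding), and flags values matching common SQL injection shapes. The log lines are constructed for this example, and the regex patterns are a hunting set chosen for it, not a vendor signature list.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

TARGET_SCRIPT = "automation_tree_rules.php"

# Apache combined log format: client, identd, user, [timestamp], "request line", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Applied to the fully URL-decoded parameter value. Broad hunting patterns chosen
# for this example; expect some false positives on free-text fields.
SQLI_PATTERNS = {
    "union_select": re.compile(r"\bunion\b.{0,40}\bselect\b", re.I | re.S),
    "stacked_dml": re.compile(r";\s*(select|insert|update|delete|drop)\b", re.I),
    "time_based": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "tautology": re.compile(r"'\s*(or|and)\s+['\d]", re.I),
    "comment_terminator": re.compile(r"(--\s|--$|/\*|#)"),
    "schema_or_file": re.compile(r"\b(information_schema|load_file|outfile|dumpfile)\b", re.I),
}


def deep_decode(value, rounds=3):
    """Undo repeated percent-encoding; double-encoding (%2527 for a quote) is a classic evasion."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_log(log_text):
    """Return one hit per (request, parameter) whose decoded value matches a pattern."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        # Scope to the vulnerable script regardless of the directory Cacti is served from.
        if url.path.rsplit("/", 1)[-1] != TARGET_SCRIPT:
            continue
        # parse_qsl does the first round of percent-decoding and maps '+' to space.
        for name, raw_value in parse_qsl(url.query, keep_blank_values=True):
            value = deep_decode(raw_value)
            matched = [tag for tag, rx in SQLI_PATTERNS.items() if rx.search(value)]
            if matched:
                hits.append({
                    "ip": m.group("ip"), "ts": m.group("ts"),
                    "method": m.group("method"), "status": m.group("status"),
                    "param": name, "value": value, "patterns": matched,
                })
    return hits


# Constructed sample traffic (not real logs). Line 2 is a UNION probe, line 3 a
# time-based probe, line 4 targets a different script and is ignored by the scope
# filter, line 5 is double-encoded, and line 6 is a POST whose body (where form
# fields travel) the access log never records.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Feb/2025:12:00:01 +0000] "GET /cacti/automation_tree_rules.php?action=edit&id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Feb/2025:12:00:02 +0000] "GET /cacti/automation_tree_rules.php?action=edit&id=1%27%20UNION%20SELECT%201,2,3--%20- HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Feb/2025:12:00:03 +0000] "GET /cacti/automation_tree_rules.php?action=edit&id=1%20AND%20SLEEP(5) HTTP/1.1" 500 0 "-" "curl/8.4.0"
10.0.0.9 - - [10/Feb/2025:12:00:04 +0000] "GET /cacti/graph_view.php?action=tree&id=1%27%20UNION%20SELECT HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Feb/2025:12:00:05 +0000] "GET /cacti/automation_tree_rules.php?id=1%2527%2520OR%2520%25271%2527%253D%25271 HTTP/1.1" 200 5120 "-" "python-requests/2.32"
10.0.0.5 - - [10/Feb/2025:12:00:06 +0000] "POST /cacti/automation_tree_rules.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["method"]} {hit["status"]} '
              f'{hit["param"]}={hit["value"]!r} -> {hit["patterns"]}')
```

Treat hits as leads rather than verdicts: what matters is a burst from one source, a source outside the normal administrator set, or a 500 response on a probe (as in line 3), which suggests the injected string reached the database. Because exploitation requires an authenticated session, join the client IP against Cacti's own user log to attribute the activity to an account.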