CVE-2024-25641
Cacti RCE vulnerability when importing packages
Summary
- Affected Versions: prior to 1.2.27
- Public Exploits: 11
- Exploited in Wild: -
- Decision: Attend
Descriptions
Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, an arbitrary file write vulnerability, exploitable through the "Package Import" feature, allows authenticated users holding the "Import Templates" permission to execute arbitrary PHP code on the web server. The vulnerability is located in the `import_package()` function defined in the `/lib/import.php` script. The function blindly trusts the file name and file content supplied within the XML package data and writes those files into the Cacti base path (or even outside it, since path traversal sequences are not filtered). This can be exploited to write or overwrite arbitrary files on the web server, leading to execution of arbitrary PHP code or other security impacts. Version 1.2.27 contains a patch for this issue.
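The trust boundary the description identifies, shown as an added illustration in PHP (this is not Cacti's own code): a minimal importer that joins each package file name to the base path unchecked, next to a hardened destination check. The package layout (`<files>/<file>/<name>/<data>`), the base path and the per-directory allow-list are assumptions made for the example; the real `import_package()` in `lib/import.php` and the 1.2.27 fix differ in their details.

```php
<?php
// Added illustration, not Cacti's own code. The <files>/<file>/<name>/<data>
// layout, the base path and the per-directory policy are assumptions; the real
// import_package() in lib/import.php and the 1.2.27 fix differ in detail.
declare(strict_types=1);

// Vulnerable pattern: each <name> is joined to the base path and written as-is,
// so "../../tmp/shell.php" or "index.php" lands wherever the name points.
function write_package_files_unsafe(SimpleXMLElement $pkg, string $base_path): array
{
    $written = [];
    foreach ($pkg->files->file as $file) {
        $dest = $base_path . '/' . (string) $file->name;   // no traversal filtering
        file_put_contents($dest, base64_decode((string) $file->data, true));
        $written[] = $dest;                                 // any extension, any location
    }
    return $written;
}

// Hardened destination check (assumed policy): relative name only, no "." or
// ".." components, allow-listed top directory and extension, no overwrite, and
// the resolved parent directory must still sit inside the base path.
function safe_package_destination(string $base_path, string $name): ?string
{
    $policy = ['resource' => ['xml'], 'scripts' => ['pl', 'sh']];   // assumption

    if ($name === '' || $name[0] === '/' || strpos($name, "\0") !== false
        || strpos($name, '\\') !== false) {
        return null;
    }
    $parts = explode('/', $name);
    foreach ($parts as $part) {
        if ($part === '' || $part === '.' || $part === '..') {
            return null;
        }
    }
    if (count($parts) < 2 || !isset($policy[$parts[0]])) {
        return null;
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, $policy[$parts[0]], true)) {
        return null;
    }
    $root = realpath($base_path);
    if ($root === false) {
        return null;
    }
    $dest = $root . '/' . $name;
    if (file_exists($dest)) {
        return null;                       // never clobber an existing file
    }
    $dir = realpath(dirname($dest));       // parent must exist and resolve under root
    if ($dir === false || strpos($dir . '/', $root . '/') !== 0) {
        return null;
    }
    return $dest;
}

function write_package_files_safe(SimpleXMLElement $pkg, string $base_path): array
{
    $written = [];
    foreach ($pkg->files->file as $file) {
        $dest = safe_package_destination($base_path, (string) $file->name);
        $data = base64_decode((string) $file->data, true);
        if ($dest === null || $data === false) {
            continue;                      // a real importer would report the rejected entry
        }
        file_put_contents($dest, $data);
        $written[] = $dest;
    }
    return $written;
}

// Constructed package: one legitimate resource file and two hostile entries.
$xml = <<<XML
<xml><files>
  <file><name>resource/script_server/good.xml</name><data>PHhtbC8+</data></file>
  <file><name>../../tmp/shell.php</name><data>PD9waHAgZWNobyAncHduZWQnOw==</data></file>
  <file><name>index.php</name><data>PD9waHAgZWNobyAncHduZWQnOw==</data></file>
</files></xml>
XML;
$pkg  = new SimpleXMLElement($xml);
$base = sys_get_temp_dir() . '/cacti_demo_' . getmypid();
mkdir($base . '/resource/script_server', 0700, true);

foreach ($pkg->files->file as $file) {
    $name = (string) $file->name;
    printf("%-32s unsafe: %s\n%-32s safe:   %s\n", $name, $base . '/' . $name, '',
        safe_package_destination($base, $name) ?? 'REJECTED');
}
print_r(write_package_files_safe($pkg, $base));   // only resource/script_server/good.xml
```

Run with `php`: for each entry it prints the path the unchecked importer would write and what the check returns, and only the resource XML is accepted. The check runs before any write and refuses to overwrite existing files, which matters because the bug allowed replacing existing PHP files inside the base path as well as writing new ones outside it.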
It was discovered that Cacti did not properly apply checks to the "Package Import" feature. An attacker could possibly use this issue to perform arbitrary code execution. This issue only affected Ubuntu 24.04 LTS, Ubuntu 22.04 LTS, Ubuntu 20.04 LTS and Ubuntu 18.04 LTS. A separate issue in the same notice: it was discovered that Cacti did not properly sanitize values when using its JavaScript-based API. A remote attacker could possibly use this issue to inject arbitrary JavaScript code, resulting in a cross-site scripting vulnerability. This issue only affected Ubuntu 24.04 LTS.
CVSS Scores
SSVC
- Decision:Attend
Timeline
- 2024-02-08 CVE Reserved
- 2024-05-13 CVE Published
- 2024-05-15 First Exploit
- 2025-02-13 CVE Updated
- 2025-07-08 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-20: Improper Input Validation
CAPEC
References (16; 11 listed below)
URL | Date | SRC
---|---|---
https://packetstorm.news/files/id/179082 | 2024-06-13 |
https://packetstorm.news/files/id/178584 | 2024-05-15 |
https://packetstorm.news/files/id/180476 | 2024-08-30 |
https://packetstorm.news/files/id/190474 | 2025-04-15 |
https://github.com/5ma1l/CVE-2024-25641 | 2024-09-05 |
https://github.com/thisisveryfunny/CVE-2024-25641-RCE-Automated-Exploit-Cacti-1.2.26 | 2024-08-28 |
https://github.com/StopThatTalace/CVE-2024-25641-CACTI-RCE-1.2.26 | 2024-09-03 |
https://github.com/Safarchand/CVE-2024-25641 | 2024-09-01 |
https://github.com/XiaomingX/cve-2024-25641-poc | 2024-12-02 |
https://github.com/D3Ext/CVE-2024-25641 | 2025-01-06 |
https://github.com/regantemudo/CVE-2024-25641-Exploit-for-Cacti-1.2.26 | 2025-03-17 |