CVE-2024-25641

Cacti RCE vulnerability when importing packages

Severity Score

9.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, an arbitrary file write vulnerability, exploitable through the "Package Import" feature, allows authenticated users having the "Import Templates" permission to execute arbitrary PHP code on the web server. The vulnerability is located within the `import_package()` function defined into the `/lib/import.php` script. The function blindly trusts the filename and file content provided within the XML data, and writes such files into the Cacti base path (or even outside, since path traversal sequences are not filtered). This can be exploited to write or overwrite arbitrary files on the web server, leading to execution of arbitrary PHP code or other security impacts. Version 1.2.27 contains a patch for this issue.

Cacti proporciona un framework de monitoreo operativo y gestión de fallas. Antes de la versión 1.2.27, una vulnerabilidad de escritura de archivos arbitrarios, explotable a través de la función "Importar paquetes", permitía a los usuarios autenticados que tenían el permiso "Importar plantillas" ejecutar código PHP arbitrario en el servidor web. La vulnerabilidad se encuentra dentro de la función `import_package()` definida en el script `/lib/import.php`. La función confía ciegamente en el nombre del archivo y el contenido del archivo proporcionado dentro de los datos XML, y escribe dichos archivos en la ruta base de Cacti (o incluso fuera, ya que las secuencias de Path Traversal no se filtran). Esto puede aprovecharse para escribir o sobrescribir archivos arbitrarios en el servidor web, lo que lleva a la ejecución de código PHP arbitrario u otros impactos en la seguridad. La versión 1.2.27 contiene un parche para este problema.

Cacti versions prior to 1.2.27 suffer from an arbitrary file write vulnerability that allows for remote code execution.

*Credits: N/A

CVSS Scores

GitHubv3.1 9.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

Poc

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-02-08 CVE Reserved
2024-05-13 CVE Published
2024-08-01 CVE Updated
2024-08-27 EPSS Updated
2024-08-28 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-20: Improper Input Validation

CAPEC

References (8)

URL	Tag	Source
http://seclists.org/fulldisclosure/2024/May/6
https://github.com/Cacti/cacti/commit/eff35b0ff26cc27c82d7880469ed6d5e3bef6210	X_refsource_misc
https://github.com/Cacti/cacti/security/advisories/GHSA-7cmj-g5qc-pj88	X_refsource_confirm
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X

URL	Date	SRC
https://github.com/StopThatTalace/CVE-2024-25641-CACTI-RCE-1.2.26	2024-09-03
https://github.com/5ma1l/CVE-2024-25641	2024-09-05
https://github.com/thisisveryfunny/CVE-2024-25641-RCE-Automated-Exploit-Cacti-1.2.26	2024-08-28
https://github.com/Safarchand/CVE-2024-25641	2024-09-01

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Cacti Search vendor "Cacti"		Cacti Search vendor "Cacti" for product "Cacti"				< 1.2.27 Search vendor "Cacti" for product "Cacti" and version " < 1.2.27"		en		Affected