Cyber Resilience

CVE-2023-30534

Severity: Medium · Public PoC

Published: 05 September 2023
Modified: 11 April 2025
KEV Added: not listed
Patch: fixed in Cacti 1.2.25
CVSS v3.1: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
EPSS: 0.5247 (98.0th percentile)
Risk Priority: 40 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-30534 is a medium-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Cacti 1.2.24, which ships in Fedora 37 and 38. Its CVSS v3.1 base score is 4.3 (Medium).

Operationally, it ranks in the top 2.0% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and has a publicly referenced proof of concept.

Deeper analysis

Cacti, an open source operational monitoring and fault management framework, contains two instances of insecure deserialization in version 1.2.24. Both stem from calling PHP's unserialize() directly on unsanitized user input in graphs_new.php, inside the host_new_graphs_save function, instead of going through the application's own "safe" deserialization routine, which sanitizes the content and checks for specific values before unserializing. A known gadget chain targets the phpseclib library vendored in Cacti's vendor directory, but the classes that chain needs are not shipped in that copy, so neither deserialization is exploitable in practice. The issue is tracked as CWE-502 and received a CVSS 3.1 score of 4.3.

An authenticated user with network access can submit crafted serialized data to the affected endpoint, but without the gadgets the injected objects have nothing to chain into, so no code execution follows. The stated vector (AV:N/PR:L) therefore carries at most a limited confidentiality impact (C:L).

The project fixed the issue in release 1.2.25. Administrators are advised to upgrade; no workarounds are documented. Public advisories, including the GitHub Security Advisory and downstream Fedora notices, repeat the upgrade path and confirm that the flaw is not exploitable because the gadgets are absent.

The EPSS score has stayed in the 0.52–0.55 range, a high baseline rather than a low one that climbed after disclosure. Read that score together with the absent-gadget finding: it signals attention and a public PoC, not a demonstrated code-execution path, and the upgrade to 1.2.25 remains the only documented remediation.


Vulnerability details

Cacti is an open source operational monitoring and fault management framework. There are two instances of insecure deserialization in Cacti version 1.2.24. While a viable gadget chain exists in Cacti's vendor directory (phpseclib), the necessary gadgets are not included, making them inaccessible and the insecure deserializations not exploitable. Each instance of insecure deserialization is due to using the unserialize function without sanitizing the user input. Cacti has a "safe" deserialization that attempts to sanitize the content and check for specific values before calling unserialize, but it isn't used in these instances. The vulnerable code lies in graphs_new.php, specifically within the host_new_graphs_save function. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are no known workarounds for this vulnerability.
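As an added illustration (not Cacti's code and not a reconstruction of graphs_new.php), the PHP below places the vulnerable pattern the advisory describes beside the kind of gate its "safe" deserialization routine represents: reject object tokens before unserialize() sees them, disable class instantiation anyway, then enforce the expected shape. It assumes the input is meant to be a serialized flat array of integer IDs; the function names, the input shape and the sample payloads are constructed for the example.

```php
<?php
// Added example, not Cacti's code. Shows the CWE-502 pattern from the
// advisory beside a hardened replacement for input that is only ever
// supposed to be a serialized array of integer IDs (assumption).

// --- Vulnerable pattern: client data reaches unserialize() unchecked ---
function deserialize_unsafe(string $raw)
{
    // With a reachable gadget chain in the codebase this is object injection.
    return unserialize($raw);
}

// --- Hardened pattern ---
function deserialize_ids(string $raw): array
{
    // 1. Refuse object ("O:") and custom-serialized ("C:") tokens up front.
    //    These are the only token types that instantiate classes, so rejecting
    //    them removes the gadget surface. The check is deliberately
    //    conservative: a string value containing such a token is rejected too.
    if (preg_match('/(^|[;{])[OC]:\d+:"/', $raw)) {
        throw new InvalidArgumentException('serialized objects are not accepted');
    }

    // 2. Defence in depth: allowed_classes=false turns any object that slips
    //    through into __PHP_Incomplete_Class, so no __wakeup/__destruct runs.
    //    unserialize() returns false for malformed input AND for serialized
    //    false ('b:0;'), so distinguish the two.
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if ($value === false && $raw !== 'b:0;') {
        throw new InvalidArgumentException('malformed serialized data');
    }

    // 3. Enforce the expected shape: a flat array of integers.
    if (!is_array($value)) {
        throw new InvalidArgumentException('expected an array');
    }
    foreach ($value as $k => $v) {
        if (!is_int($k) || !is_int($v)) {
            throw new InvalidArgumentException('expected integer IDs');
        }
    }
    return $value;
}

// Constructed inputs for the demonstration.
$benign  = serialize([3, 7, 42]);
$hostile = 'a:1:{i:0;O:8:"stdClass":1:{s:3:"cmd";s:2:"id";}}';

var_dump(deserialize_ids($benign));

try {
    deserialize_ids($hostile);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// The unsafe path builds the object, which is all a gadget chain needs.
var_dump(deserialize_unsafe($hostile)[0] instanceof stdClass);
```

The order matters: the regex keeps attacker-controlled bytes away from the deserializer entirely, allowed_classes is the safety net if the regex is ever bypassed, and the shape check catches non-object abuse such as deeply nested arrays or unexpected types. In the Cacti case the gadgets happened to be missing; this gate does not rely on that luck.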

CWE(s)

CWE-502: Deserialization of Untrusted Data

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

cacti / cacti: versions before 1.2.25 (fixed in 1.2.25)
fedoraproject / fedora: 37, 38

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness type cited in the NVD entry. Each control addresses CWE-502.

Penetration testing: supplying malicious serialized objects detects unsafe deserialization and supports corrective action.
Deserialization testing: evaluating how untrusted data is handled reveals unsafe processing for the remediation process to address.
Sandboxing: untrusted serialized data is deserialized and observed inside an isolated environment, so a gadget chain cannot reach the host outside the sandbox.
Input validation: untrusted serialized data is validated or rejected before deserialization occurs.
Malicious code detection: identifies and blocks malicious code introduced through deserialization of untrusted data at system boundaries.
Integrity verification: a check on the serialized data (for example a MAC) detects tampering before deserialization occurs.
Data provenance: knowing where data came from allows untrusted sources to be rejected before deserialization or processing.
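The integrity-verification control, as an added PHP example (not Cacti's code): serialized state that round-trips through the client is signed with an HMAC when emitted and verified before unserialize() is ever called, so a tampered payload never reaches the deserializer. The wire format ("tag.payload"), the function names and the secret-key handling are assumptions made for the example.

```php
<?php
// Added example, not Cacti's code. Integrity verification of serialized
// data that leaves the server and comes back in a later request.
// Assumptions: a server-side secret loaded from configuration (never embed
// it), and a "<hex hmac>.<serialized payload>" wire format.

function seal(array $state, string $key): string
{
    $payload = serialize($state);
    $tag = hash_hmac('sha256', $payload, $key);
    return $tag . '.' . $payload;
}

function open_sealed(string $token, string $key): array
{
    // The hex tag contains no '.', so splitting on the first dot is safe even
    // though serialized payloads may contain dots (floats, string values).
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        throw new InvalidArgumentException('malformed token');
    }
    [$tag, $payload] = $parts;
    $expected = hash_hmac('sha256', $payload, $key);
    // Constant-time comparison; unserialize() runs only after the tag matches.
    if (!hash_equals($expected, $tag)) {
        throw new InvalidArgumentException('integrity check failed');
    }
    // Still disable class instantiation: integrity proves origin, not safety.
    $value = unserialize($payload, ['allowed_classes' => false]);
    if (!is_array($value)) {
        throw new InvalidArgumentException('unexpected payload type');
    }
    return $value;
}

$key   = random_bytes(32);   // constructed for the demo; use a configured secret
$token = seal(['graph_template_ids' => [3, 7]], $key);

print_r(open_sealed($token, $key));

// Constructed tampering: keep the tag, swap the payload for an object.
$tampered = strtok($token, '.') . '.' . 'O:8:"stdClass":0:{}';
try {
    open_sealed($tampered, $key);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

A MAC only establishes that the server produced the bytes; it does not make unserialize() safe on its own, which is why allowed_classes stays disabled and the result type is still checked. Where the state need not be opaque, sending a plain list of IDs and validating each one server-side avoids deserialization altogether.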
