CVE-2024-25641
Published: 14 May 2024
Summary
CVE-2024-25641 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Cacti. Its CVSS base score is 9.1 (Critical).
Operationally, ranked in the top 0.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
Cacti, an operational monitoring and fault management framework, contains an arbitrary file write vulnerability in versions prior to 1.2.27. The flaw resides in the import_package() function within lib/import.php, which processes XML data supplied through the Package Import feature. It accepts unvalidated filenames and file contents without filtering path traversal sequences, allowing writes to arbitrary locations under the Cacti base directory.
An authenticated user holding the Import Templates permission can exploit the issue by crafting a malicious package XML. This permits writing or overwriting files on the web server, including PHP scripts that enable remote code execution with the privileges of the web server process. The CVSS 9.1 score reflects the combination of network attack vector, high impact on confidentiality, integrity, and availability, and scope change to the underlying system.
The official patch released in Cacti 1.2.27 addresses the vulnerability by adding proper validation and sanitization within the import logic. Security advisories, including the GitHub Security Advisory and distribution notices such as those from Fedora, recommend immediate upgrade to the fixed version and review of any imported packages.
The EPSS score has reached a peak of 0.8869 with a current value of 0.8819, indicating sustained exploitation interest following disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-22957
Vulnerability details
Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, an arbitrary file write vulnerability, exploitable through the "Package Import" feature, allows authenticated users having the "Import Templates" permission to execute arbitrary PHP code on the web server. The vulnerability is located within the `import_package()` function defined in the `/lib/import.php` script. The function blindly trusts the filename and file content provided within the XML data, and writes such files into the Cacti base path (or even outside it, since path traversal sequences are not filtered). This can be exploited to write or overwrite arbitrary files on the web server, leading to execution of arbitrary PHP code or other security impacts. Version 1.2.27 contains a patch for this issue.
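As an added illustration (not Cacti's own code and not the 1.2.27 patch), the PHP helper below shows the kind of check the import logic lacked: it confines a package-supplied filename to the base directory and rejects the traversal sequences the advisory describes. The function name `confined_target` and the sample names are assumptions of this example.

```php
<?php
// Hypothetical hardening helper (not from Cacti): return the absolute path
// under $base where an import-supplied $name may be written, or null if the
// name is empty, absolute, contains NUL or ".." segments, or escapes $base.
function confined_target(string $base, string $name): ?string {
    if ($name === '' || strpos($name, "\0") !== false) {
        return null;                                // empty or NUL-truncated name
    }
    if (preg_match('#^([\\\\/]|[A-Za-z]:)#', $name)) {
        return null;                                // absolute or drive-letter path
    }
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;                                // base directory must exist
    }
    $parts = [];
    foreach (preg_split('#[\\\\/]+#', $name) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;                               // harmless: "a//b", "./a"
        }
        if ($seg === '..') {
            return null;                            // traversal segment
        }
        $parts[] = $seg;
    }
    if ($parts === []) {
        return null;
    }
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    $target = $prefix . implode(DIRECTORY_SEPARATOR, $parts);
    // Belt and braces: the lexical result must still sit under the base.
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // If the parent directory already exists, resolve it to defeat a
    // symlinked subdirectory that points outside the base.
    $parentReal = realpath(dirname($target));
    if ($parentReal !== false
        && strncmp($parentReal . DIRECTORY_SEPARATOR, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Constructed sample names as they might appear in a package XML.
$base = sys_get_temp_dir();                         // stands in for the Cacti base path
foreach (['templates/host.xml', 'a/./b.xml', '../../outside.txt', '/etc/hosts', 'x/../../y.php'] as $n) {
    printf("%-20s -> %s\n", $n, confined_target($base, $n) ?? 'rejected');
}
```

Only the first two names resolve to a path under the base; the remaining three are rejected before any write is attempted.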
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Security testing and developer training directly verify and enforce proper input validation, reducing exploitability of injection and malformed-data weaknesses.
Security testing and evaluation at multiple SDLC stages directly detects missing or flawed input validation, with the required remediation process ensuring fixes are applied.
Directly implements checks on information inputs to reject invalid data before processing.
Spam protection mechanisms perform filtering and detection on inbound/outbound messages, directly compensating for missing or weak input validation of unsolicited content.