Cyber Resilience

CVE-2024-29895

Critical · RCE

Published: 14 May 2024

Modified: 15 April 2026
KEV Added
Patch
CVSS Score v3.1: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.9322 (99.8th percentile)
Risk Priority: 76 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-29895 is a critical-severity Command Injection (CWE-77) vulnerability. Its CVSS base score is 10.0 (Critical).

Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

Cacti, an operational monitoring and fault management framework, contains a command injection vulnerability in its 1.3.x development branch. The flaw resides in cmd_realtime.php at line 119, where the $poller_id variable incorporated into a command string is taken directly from $_SERVER['argv']. This input can be supplied via the URL when the PHP register_argc_argv directive is enabled, a setting that is on by default in many environments including the official PHP Docker image.

Any unauthenticated remote attacker can therefore supply a crafted request that results in arbitrary command execution on the server with the privileges of the web server process. Successful exploitation gives the attacker control of the Cacti server at that privilege level, including the ability to read, modify, or delete data the process can access and to pivot further into the environment.

The GitHub Security Advisory GHSA-cr28-x256-xf5m and associated commits document the issue; commit 53e8014d1f082034e0646edc6286cde3800c683d introduced a fix that was later reverted in commit 99633903cad0de5ace636249de16f77e57a3c8fc, leaving the development branch exposed.

The vulnerability carries a CVSS score of 10.0 and an EPSS score that has reached 0.93, indicating substantial exploitation interest following disclosure.
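
A defender's check for the precondition described above, as an added example that is not part of the original page or of Cacti's code: it resolves the effective register_argc_argv value from php.ini text and lists access-log entries where cmd_realtime.php was requested over HTTP. The function names, the constructed sample input, the treatment of a missing setting as On (following the page's note about the PHP Docker image), and the premise that cmd_realtime.php is only meant to be run from the command line are assumptions.

```python
import re

TRUE_VALUES = {"1", "on", "true", "yes"}  # ini values PHP reads as boolean true

def register_argc_argv_enabled(ini_text, builtin_default=True):
    """Effective register_argc_argv for a web SAPI, from php.ini text.

    builtin_default=True is an assumption taken from the page: an
    environment with no php.ini setting (such as the main PHP Docker
    image) has the option On.
    """
    enabled = builtin_default
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # ';' starts a comment
        m = re.match(r"register_argc_argv\s*=\s*(.*)$", line)
        if m:                                        # last assignment wins
            enabled = m.group(1).strip().strip("\"'").lower() in TRUE_VALUES
    return enabled

# Request part of a common/combined-format access log entry.
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def web_hits_on_cmd_realtime(log_lines):
    """Return the log lines where cmd_realtime.php was requested over HTTP."""
    hits = []
    for line in log_lines:
        m = REQUEST.search(line)
        if m and m.group("target").split("?", 1)[0].endswith("/cmd_realtime.php"):
            hits.append(line)
    return hits

def triage(ini_text, log_lines):
    """Combine the precondition and the log evidence for one host."""
    return {
        "register_argc_argv_on": register_argc_argv_enabled(ini_text),
        "web_requests": web_hits_on_cmd_realtime(log_lines),
    }

# Constructed sample input (not taken from a real host).
SAMPLE_INI = "; hardened web SAPI\nregister_argc_argv = Off\n"
SAMPLE_LOG = [
    '203.0.113.7 - - [14/May/2024:10:00:00 +0000] "GET /cacti/graph_view.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [14/May/2024:10:00:02 +0000] "GET /cacti/cmd_realtime.php?placeholder HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    print(triage("", SAMPLE_LOG))          # no setting: falls back to On
    print(triage(SAMPLE_INI, SAMPLE_LOG))  # explicit Off removes the precondition
```

Setting register_argc_argv to Off for the web SAPI removes the precondition the page describes, but the affected 1.3.x DEV code still needs to be replaced.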

Vulnerability details

Cacti provides an operational monitoring and fault management framework. A command injection vulnerability on the 1.3.x DEV branch allows any unauthenticated user to execute arbitrary commands on the server when the `register_argc_argv` option of PHP is `On`. In `cmd_realtime.php` line 119, the `$poller_id` used as part of the command execution is sourced from `$_SERVER['argv']`, which can be controlled by URL when the `register_argc_argv` option of PHP is `On`. This option is `On` by default in many environments, such as the main PHP Docker image. Commit 53e8014d1f082034e0646edc6286cde3800c683d contains a patch for the issue, but this commit was reverted in commit 99633903cad0de5ace636249de16f77e57a3c8fc.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.