Cyber Resilience

CVE-2024-54146

Severity: High · Public PoC

Published: 27 January 2025
Modified: 04 March 2025
KEV Added: not listed
Patch: available (Cacti 1.2.29)
CVSS v3.1 Score: 7.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H)
EPSS Score: 0.1133 (93.7th percentile)
Risk Priority: 22 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-54146 is a high-severity SQL Injection (CWE-89) vulnerability in Cacti (vendor Cacti, product Cacti). Its CVSS base score is 7.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 6.3% of CVEs by exploit likelihood (EPSS 93.7th percentile); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Cacti, an open source performance and fault management framework, contains a SQL injection vulnerability in the template function of host_templates.php that accepts the graph_template parameter. Tracked as CVE-2024-54146 and assigned CWE-89, the flaw carries a CVSS 3.1 score of 7.6 and was resolved in release 1.2.29.

An authenticated attacker with low privileges can supply a crafted graph_template value over the network to execute arbitrary SQL statements, resulting in limited disclosure or modification of data and high impact to availability.

The official fix is delivered in Cacti 1.2.29, as documented in the GitHub security advisory GHSA-vj9g-p7f2-4wqj and the associated commit that updates the vulnerable template handling code. The EPSS score has remained flat at 0.1133 with no material increase observed after disclosure.
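As an added example, not part of this advisory or of the Cacti code base: a Python script that parses web-server access logs in the common combined format and flags requests to host_templates.php whose graph_template value is anything other than a plain numeric template id. The assumption that a legitimate graph_template is a single numeric id is mine, not the advisory's, and the sample log lines (hosts, users, timestamps) are constructed.

```python
import re
from urllib.parse import urlparse, parse_qs

# Combined log format: client ident user [time] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
AFFECTED_SCRIPT = "host_templates.php"
# Assumption (not stated in the advisory): a legitimate graph_template value is a
# single numeric template id, so any other decoded value is treated as suspicious.
NUMERIC_ID = re.compile(r"\d+")
# Constructed sample access-log lines; hosts, users and times are invented.
SAMPLE_LOG = """\
10.0.0.5 - admin [27/Jan/2025:10:01:09 +0000] "POST /cacti/host_templates.php?action=template&graph_template=12 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - guest [27/Jan/2025:10:03:41 +0000] "GET /cacti/host_templates.php?action=template&graph_template=12%27 HTTP/1.1" 200 7011 "-" "curl/8.5.0"
10.0.0.9 - guest [27/Jan/2025:10:03:45 +0000] "GET /cacti/host_templates.php?action=template&graph_template=12%20OR%201%3D1 HTTP/1.1" 500 0 "-" "curl/8.5.0"
10.0.0.7 - - [27/Jan/2025:10:05:00 +0000] "GET /cacti/graph_view.php?action=tree HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-log line into a dict; return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    url = urlparse(rec["target"])
    rec["script"] = url.path.rsplit("/", 1)[-1]
    # parse_qs percent-decodes, so an encoded quote or space becomes visible here.
    rec["params"] = parse_qs(url.query, keep_blank_values=True)
    return rec


def suspicious_graph_template_requests(log_text):
    """Return (client, user, status, decoded value) for every request to
    host_templates.php whose graph_template parameter is not a plain numeric id."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["script"] != AFFECTED_SCRIPT:
            continue
        for value in rec["params"].get("graph_template", []):
            if NUMERIC_ID.fullmatch(value) is None:
                hits.append((rec["client"], rec["user"], rec["status"], value))
    return hits


if __name__ == "__main__":
    for hit in suspicious_graph_template_requests(SAMPLE_LOG):
        print("suspicious graph_template value:", hit)
```

Because the check is on the shape of the parameter rather than on known payload strings, it also surfaces probes that use encodings or keywords the script has never seen, at the cost of flagging any future legitimate non-numeric use of the parameter.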


Vulnerability details

Cacti is an open source performance and fault management framework. Cacti has a SQL injection vulnerability in the template function of host_templates.php using the graph_template parameter. This vulnerability is fixed in 1.2.29.

CWE(s): CWE-89 (SQL Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The SQL injection flaw in a web application script (host_templates.php) directly enables remote exploitation of a publicly accessible management interface.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-26520 (same product: Cacti Cacti)
CVE-2024-54145 (same product: Cacti Cacti)
CVE-2025-24368 (same product: Cacti Cacti)
CVE-2025-22604 (same product: Cacti Cacti)
CVE-2025-24367 (same product: Cacti Cacti)
CVE-2005-10004 (same product: Cacti Cacti)
CVE-2025-66399 (same product: Cacti Cacti)
CVE-2026-39334 (shared CWE-89)
CVE-2024-13488 (shared CWE-89)
CVE-2026-20002 (shared CWE-89)

Affected Assets

Vendor: cacti · Product: cacti · Versions: ≤ 1.2.29

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent · SI-2 (Flaw Remediation)

Directly mitigates CVE-2024-54146 by requiring timely patching of the SQL injection flaw in Cacti to version 1.2.29.

Prevent · SI-10 (Information Input Validation)

Prevents exploitation of the SQL injection vulnerability by enforcing validation and sanitization of the graph_template parameter in host_templates.php.

Detect

Identifies the SQL injection vulnerability through vulnerability scanning, enabling proactive remediation before exploitation.
