CVE-2024-54146
Published: 27 January 2025
Summary
CVE-2024-54146 is a high-severity SQL Injection (CWE-89) vulnerability in Cacti Cacti. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 6.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Cacti, an open source performance and fault management framework, contains a SQL injection vulnerability in the template function of host_templates.php that accepts the graph_template parameter. Tracked as CVE-2024-54146 and assigned CWE-89, the flaw carries a CVSS 3.1 score of 7.6 and was resolved in release 1.2.29.
An authenticated attacker with low privileges can supply a crafted graph_template value over the network to execute arbitrary SQL statements, resulting in limited disclosure or modification of data and high impact to availability.
The official fix is delivered in Cacti 1.2.29, as documented in the GitHub security advisory GHSA-vj9g-p7f2-4wqj and the associated commit that updates the vulnerable template handling code. The EPSS score has remained flat at 0.1133 with no material increase observed after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-52314
Vulnerability details
Cacti is an open source performance and fault management framework. Cacti has a SQL injection vulnerability in the template function of host_templates.php using the graph_template parameter. This vulnerability is fixed in 1.2.29.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection flaw in web application (host_templates.php) directly enables remote exploitation of a publicly accessible management interface.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates CVE-2024-54146 by requiring timely patching of the SQL injection flaw in Cacti to version 1.2.29.
Prevents exploitation of the SQL injection vulnerability by enforcing validation and sanitization of the unsanitized graph_template parameter in host_templates.php.
Identifies the SQL injection vulnerability through vulnerability scanning, enabling proactive remediation before exploitation.