CVE-2025-24367
Published: 27 January 2025
Summary
CVE-2025-24367 is a high-severity Improper Neutralization of Line Delimiters (CWE-144) vulnerability in Cacti Cacti. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 0.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Flaw remediation directly prevents exploitation by applying the vendor patch in Cacti 1.2.29 that fixes the graph creation abuse leading to arbitrary PHP execution.
Least privilege restricts authenticated users from accessing graph and template creation functions unless explicitly required, blocking low-privilege exploitation.
Information input validation sanitizes graph creation and template inputs to prevent injection of arbitrary PHP scripts into the web root.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in Cacti web app allows authenticated users to create arbitrary PHP scripts in web root for RCE, directly enabling exploitation of public-facing application (T1190) to deploy web shell (T1100).
NVD Description
Cacti is an open source performance and fault management framework. An authenticated Cacti user can abuse graph creation and graph template functionality to create arbitrary PHP scripts in the web root of the application, leading to remote code execution on…
more
the server. This vulnerability is fixed in 1.2.29.
Deeper analysisAI
CVE-2025-24367 affects Cacti, an open source performance and fault management framework. The vulnerability allows an authenticated Cacti user to abuse the graph creation and graph template functionality to create arbitrary PHP scripts in the application's web root, resulting in remote code execution on the server. It has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-144 and NVD-CWE-Other. The issue is fixed in Cacti version 1.2.29.
An attacker with authenticated access to a vulnerable Cacti instance, requiring low privileges, can exploit this flaw over the network with low complexity and no user interaction. Successful exploitation enables remote code execution, granting high confidentiality, integrity, and availability impacts, potentially allowing full server compromise.
Advisories recommend upgrading to Cacti 1.2.29, where the fix is implemented via a specific GitHub commit. The GitHub Security Advisory (GHSA-fxrq-fr7h-9rqq) details the issue and patch, while Debian LTS announcements address mitigation for affected distributions.
Details
- CWE(s)