
CVE-2025-24367

Severity: High · Public PoC

Published: 27 January 2025
Modified: 03 November 2025
KEV Added: not listed
Patch: available (fixed in Cacti 1.2.29)
CVSS v4 Score: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
EPSS Score: 0.8793 (99.5th percentile)
Risk Priority: 70 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-24367 is a high-severity Improper Neutralization of Line Delimiters (CWE-144) vulnerability in Cacti. Its CVSS v4 base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 0.5% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

Beyond applying the fix shipped in Cacti 1.2.29, the strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).

Deeper analysis

Cacti, an open source performance and fault management framework, contains a vulnerability that allows an authenticated user to abuse graph creation and graph template functionality. The underlying weakness is improper neutralization of line delimiters (CWE-144): crafted input lets the attacker write arbitrary PHP scripts into the application's web root, resulting in remote code execution on the server. The issue affects versions prior to 1.2.29, released on 27 January 2025, and carries a CVSS v4 score of 8.7.

An authenticated Cacti user with graph management privileges can supply crafted input during graph or template operations to place executable PHP files on the server. Once written, these scripts can be requested over the network to execute arbitrary commands with the privileges of the web server process, without further authentication or user interaction. That gives the attacker code execution on the host as the web server user; taking full control of the host would additionally require local privilege escalation.
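Because exploitation ends with an attacker-written PHP file sitting in the web root, one practical post-exploitation check is to diff the files that actually exist against a manifest of what the package ships. The script below is an added example written for this page, not Cacti project code. The manifest format (one relative path per line, `#` comments) and the sample file layout are assumptions; in practice the manifest would come from the package database or the release tarball. The sample web root is constructed in a temporary directory so the script runs offline.

```python
"""Hunt for unexpected PHP files in a Cacti web root (added example, not Cacti code)."""
from __future__ import annotations

import os
import tempfile
from pathlib import Path

# Extensions the web server would typically hand to the PHP interpreter.
PHP_SUFFIXES = {".php", ".phtml", ".phar", ".php5", ".php7"}


def load_manifest(text: str) -> set[str]:
    """Parse a manifest of known-good relative paths, one per line ('#' starts a comment)."""
    entries: set[str] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            entries.add(line)
    return entries


def find_unexpected_php(web_root: Path, manifest: set[str]) -> list[str]:
    """Return relative POSIX paths of PHP-like files under web_root that the manifest does not list."""
    hits: list[str] = []
    for dirpath, _dirnames, filenames in os.walk(web_root):
        for name in filenames:
            full = Path(dirpath) / name
            rel = full.relative_to(web_root).as_posix()
            if full.suffix.lower() in PHP_SUFFIXES and rel not in manifest:
                hits.append(rel)
    return sorted(hits)


# Constructed sample manifest for a hypothetical install; not the real Cacti file list.
SAMPLE_MANIFEST = """\
# known-good files (constructed sample)
index.php
graphs.php
include/config.php
"""


def build_sample_root() -> Path:
    """Create a throwaway web root with the three manifest files plus one unknown PHP file."""
    root = Path(tempfile.mkdtemp(prefix="cacti-webroot-"))
    for rel in ("index.php", "graphs.php", "include/config.php"):
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("<?php // shipped with the package\n")
    # Constructed: a PHP file in a writable subdirectory that the manifest does not know about.
    (root / "cache").mkdir()
    (root / "cache" / "unexpected.php").write_text("<?php // not in manifest\n")
    (root / "cache" / "graph.png").write_bytes(b"\x89PNG")  # non-PHP, must be ignored
    return root


def demo() -> list[str]:
    """Build the sample root and return the unexpected PHP files found in it."""
    root = build_sample_root()
    return find_unexpected_php(root, load_manifest(SAMPLE_MANIFEST))


if __name__ == "__main__":
    for rel in demo():
        print("unexpected PHP file:", rel)
```

On a real host, point `find_unexpected_php` at the installed web root and feed it a manifest generated from the package (for example the distribution's file list for the cacti package). Any hit in a directory the web server user can write to deserves a look before the version check is even finished, since a patched system can still carry a file dropped before the upgrade.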

The official fix is included in Cacti 1.2.29, as referenced in the project's GitHub commit and the accompanying GitHub Security Advisory GHSA-fxrq-fr7h-9rqq. Downstream distributions such as Debian have issued corresponding updates through their long-term support channels to backport the correction.

The CVE maintains a high EPSS score with a current value of 0.8793 and a recorded peak of 0.9056, indicating sustained exploitation interest following disclosure.


Vulnerability details

Cacti is an open source performance and fault management framework. An authenticated Cacti user can abuse graph creation and graph template functionality to create arbitrary PHP scripts in the web root of the application, leading to remote code execution on the server. This vulnerability is fixed in 1.2.29.

CWE(s): CWE-144 Improper Neutralization of Line Delimiters

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

The vulnerability in the Cacti web application lets authenticated users create arbitrary PHP scripts in the web root for RCE, which maps directly to exploitation of a public-facing application (T1190) followed by deployment of a web shell (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-54146 (same product: Cacti)
CVE-2025-26520 (same product: Cacti)
CVE-2025-24368 (same product: Cacti)
CVE-2025-22604 (same product: Cacti)
CVE-2024-54145 (same product: Cacti)
CVE-2025-66399 (same product: Cacti)
CVE-2005-10004 (same product: Cacti)

Affected Assets

cacti / cacti: versions earlier than 1.2.29 (fixed in 1.2.29)

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

SI-2 Flaw Remediation (prevent): Applying the vendor patch in Cacti 1.2.29, which fixes the graph creation abuse leading to arbitrary PHP execution, directly prevents exploitation.

AC-6 Least Privilege (prevent): Restricting graph and template creation functions to users who explicitly require them blocks exploitation by low-privilege authenticated accounts.

SI-10 Information Input Validation (prevent): Validating graph creation and template inputs, in particular rejecting line delimiters (CWE-144), prevents injection of arbitrary PHP scripts into the web root.
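What SI-10 means concretely for a CWE-144 weakness: input that is later written into a line-oriented file or command must not be able to start a new line. The validator below is an added example written for this page, not Cacti project code (Cacti itself is PHP; the field name "graph title" and the 255-character limit are illustrative assumptions). It treats every code point that common parsers accept as a line boundary as a delimiter, not only LF, and shows why a naive LF-only strip is insufficient.

```python
"""Rejecting line delimiters (CWE-144) in user-supplied names (added example, not Cacti code)."""
from __future__ import annotations

import unicodedata

# Code points that terminate a line in at least one common parser: CR, LF,
# vertical tab, form feed, NEL (U+0085), LINE SEPARATOR and PARAGRAPH SEPARATOR.
# NUL is included because it truncates strings in C-based tooling.
DELIMITER_NAMES = {
    "\r": "CR",
    "\n": "LF",
    "\x0b": "VT",
    "\x0c": "FF",
    "\x85": "NEL",
    "\u2028": "LINE SEPARATOR",
    "\u2029": "PARAGRAPH SEPARATOR",
    "\x00": "NUL",
}
LINE_DELIMITERS = frozenset(DELIMITER_NAMES)


class InvalidInput(ValueError):
    """Raised when a field fails validation; callers reject the whole request."""


def naive_strip(value: str) -> str:
    """The inadequate version: removes LF only, so CR and Unicode separators survive."""
    return value.replace("\n", "")


def find_line_delimiters(value: str) -> list[str]:
    """Return a short name for every line-delimiting code point in value, in order."""
    return [DELIMITER_NAMES[ch] for ch in value if ch in LINE_DELIMITERS]


def validate_graph_title(value: str, max_len: int = 255) -> str:
    """Reject-on-failure check for a hypothetical graph title field (assumed limit: 255 chars)."""
    if not isinstance(value, str) or not value.strip():
        raise InvalidInput("title must be a non-empty string")
    if len(value) > max_len:
        raise InvalidInput(f"title longer than {max_len} characters")
    found = find_line_delimiters(value)
    if found:
        raise InvalidInput("line delimiter in title: " + ", ".join(found))
    # Any remaining C0/C1 control character (Unicode category Cc) is rejected as well.
    if any(unicodedata.category(ch) == "Cc" for ch in value):
        raise InvalidInput("control character in title")
    return value


def is_safe(value: str) -> bool:
    """True if validate_graph_title accepts value, False if it raises InvalidInput."""
    try:
        validate_graph_title(value)
    except InvalidInput:
        return False
    return True


# Constructed samples with the expected verdict.
SAMPLES = {
    "Traffic - eth0": True,
    "Traffic\ninjected line": False,
    "Traffic\rinjected line": False,       # survives naive_strip
    "Traffic\u2028injected line": False,   # survives naive_strip
    "Traffic\x1binjected": False,          # ESC: control character, not a delimiter
    "": False,
}


def check_samples() -> bool:
    """Return True when every constructed sample gets the expected verdict."""
    return all(is_safe(value) is expected for value, expected in SAMPLES.items())


if __name__ == "__main__":
    crafted = "Traffic\r\ninjected line"
    print("naive_strip leaves behind:", find_line_delimiters(naive_strip(crafted)))  # ['CR']
    print("all samples as expected:", check_samples())
```

The design choice worth noting is reject rather than sanitize: stripping characters invites the next bypass (as `naive_strip` shows with CR), whereas refusing any input that contains a line boundary gives the downstream line-oriented consumer nothing it has to defend against.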
