CVE-2025-24367
Published: 27 January 2025
Summary
CVE-2025-24367 is a high-severity Improper Neutralization of Line Delimiters (CWE-144) vulnerability in Cacti Cacti. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 0.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).
Deeper analysis
Cacti, an open source performance and fault management framework, contains a vulnerability that allows an authenticated user to abuse graph creation and graph template functionality. By exploiting flaws tracked under CWE-144, the attacker can write arbitrary PHP scripts into the application's web root directory, resulting in remote code execution on the server. The issue affects versions prior to the 1.2.29 release published on 27 January 2025 and carries a CVSS 4.0 score of 8.7.
An authenticated Cacti user with graph management privileges can supply crafted input during graph or template operations to place executable PHP files on the server. Once written, these scripts can be invoked over the network to execute arbitrary commands with the privileges of the web server process, giving the attacker full control over the underlying host without requiring additional authentication or user interaction.
The official fix is included in Cacti 1.2.29, as referenced in the project's GitHub commit and the accompanying GitHub Security Advisory GHSA-fxrq-fr7h-9rqq. Downstream distributions such as Debian have issued corresponding updates through their long-term support channels to backport the correction.
The CVE maintains a high EPSS score with a current value of 0.8793 and a recorded peak of 0.9056, indicating sustained exploitation interest following disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3681
Vulnerability details
Cacti is an open source performance and fault management framework. An authenticated Cacti user can abuse graph creation and graph template functionality to create arbitrary PHP scripts in the web root of the application, leading to remote code execution on…
more
the server. This vulnerability is fixed in 1.2.29.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in Cacti web app allows authenticated users to create arbitrary PHP scripts in web root for RCE, directly enabling exploitation of public-facing application (T1190) to deploy web shell (T1100).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Flaw remediation directly prevents exploitation by applying the vendor patch in Cacti 1.2.29 that fixes the graph creation abuse leading to arbitrary PHP execution.
Least privilege restricts authenticated users from accessing graph and template creation functions unless explicitly required, blocking low-privilege exploitation.
Information input validation sanitizes graph creation and template inputs to prevent injection of arbitrary PHP scripts into the web root.