Cyber Posture

CVE-2025-24368

High · Public PoC

Published: 27 January 2025
Modified: 03 November 2025
KEV Added: not listed
Patch: available (fixed in 1.2.29)
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS Score: 0.0011 (29.1st percentile)
Risk Priority: 15 (weighting 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-24368 is a high-severity SQL Injection (CWE-89) vulnerability in Cacti (vendor: Cacti), the open source performance and fault management framework. Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Data from Local System (T1005). The CVE is ranked at the 29.1st percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Data from Local System (T1005) and three other techniques listed below. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

SI-10 Information Input Validation (prevent)

Directly mandates validation of the data supplied through automation_tree_rules.php before build_rule_item_filter() in lib/api_automation.php concatenates it into a SQL statement: allowlist any column or operator names taken from the request and bind values as query parameters instead of interpolating them into the string.

SI-2 Flaw Remediation (prevent)

Requires timely remediation of the flaw by upgrading to Cacti 1.2.29, which removes the vulnerable code path.

SC-7 Boundary Protection (prevent)

Web application firewalls at the network boundary can monitor and block SQL payloads aimed at the remotely reachable, unauthenticated endpoint. Treat this as a compensating control only: signature-based filtering can be evaded with encoding or alternative SQL syntax, and it does not remove the flaw.
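The check a boundary control applies in-line can also be run retrospectively over web server logs to find attempts that reached the endpoint before the patch was applied. The script below is an added example written for this page, not Cacti's code or a vendor WAF rule: it parses constructed Apache-style access log lines (not real traffic), URL-decodes the query parameters of requests to automation_tree_rules.php, and flags values containing SQL metacharacters or keyword sequences. The parameter names in the sample lines are hypothetical.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed Apache-style access log lines for the demo (not real traffic).
# Query parameter names (action, id) are hypothetical, not Cacti's.
LOG_LINES = [
    '203.0.113.10 - - [27/Jan/2025:10:00:01 +0000] "GET /cacti/automation_tree_rules.php?action=edit&id=7 HTTP/1.1" 200 5120',
    '203.0.113.10 - - [27/Jan/2025:10:00:05 +0000] "GET /cacti/automation_tree_rules.php?action=edit&id=7%27%20OR%201%3D1--%20 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [27/Jan/2025:10:00:09 +0000] "GET /cacti/graph_view.php?action=tree HTTP/1.1" 200 8192',
    '198.51.100.7 - - [27/Jan/2025:10:00:12 +0000] "POST /cacti/automation_tree_rules.php HTTP/1.1" 302 0',
    '203.0.113.10 - - [27/Jan/2025:10:00:20 +0000] "GET /cacti/automation_tree_rules.php?action=edit&id=7+UNION+SELECT+1,2,3 HTTP/1.1" 500 0',
]

# Common Log Format: client, ident, user, [timestamp], "METHOD target proto", status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Crude SQLi indicators: a quote, a tautology, UNION SELECT, comment or statement separators.
SQLI_RE = re.compile(r"('|\bor\b\s+\d+\s*=\s*\d+|\bunion\b\s+\bselect\b|--|/\*|;)", re.IGNORECASE)
TARGET_SCRIPT = "automation_tree_rules.php"


def parse(line):
    """Split one access log line into its fields, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def suspicious_params(target):
    """Return (name, decoded value) for query parameters of the target script
    whose decoded value matches the SQL injection indicators."""
    parts = urlsplit(target)
    if not parts.path.endswith(TARGET_SCRIPT):
        return []
    hits = []
    for kv in parts.query.split("&"):
        if not kv:
            continue
        key, _, val = kv.partition("=")
        decoded = unquote_plus(val)  # decode before matching, or %27 hides the quote
        if SQLI_RE.search(decoded):
            hits.append((key, decoded))
    return hits


def scan(lines):
    """Return one finding per log line carrying a suspicious parameter."""
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        hits = suspicious_params(rec["target"])
        if hits:
            findings.append({"ip": rec["ip"], "ts": rec["ts"],
                             "status": rec["status"], "params": hits})
    return findings


if __name__ == "__main__":
    for f in scan(LOG_LINES):
        print(f["ts"], f["ip"], f["status"], f["params"])
```

Two limits matter in practice: access logs do not record POST bodies, so form submissions to the same script are invisible here and only an in-line WAF or application-level logging sees them, and the indicator regex is deliberately loose, so expect false positives on legitimate values containing apostrophes and review the hits rather than alerting on them blindly.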

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.006 Databases (Collection)
Adversaries may leverage databases to mine valuable information.
T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

SQL injection gives the attacker arbitrary SQL execution against the Cacti database: modification and collection of database contents (T1213.006) and exploitation of the public-facing web application (T1190). Where the database account holds the MySQL FILE privilege and secure_file_priv permits it, the same injection allows file reads via LOAD_FILE() (T1005) and file writes via SELECT ... INTO OUTFILE that can drop a web shell under the web root (T1505.003). Those file-based outcomes depend on the database configuration; the CVSS vector scores only the direct integrity impact (C:N/I:H/A:N).

NVD Description

Cacti is an open source performance and fault management framework. Some of the data stored in automation_tree_rules.php is not thoroughly checked and is used to concatenate the SQL statement in build_rule_item_filter() function from lib/api_automation.php, resulting in SQL injection. This vulnerability is fixed in 1.2.29.

Deeper analysis [AI-generated]

CVE-2025-24368 is a SQL injection vulnerability in Cacti, an open-source performance and fault management framework. The issue arises because data stored in automation_tree_rules.php is not thoroughly validated before being concatenated into SQL statements by the build_rule_item_filter() function in lib/api_automation.php. It affects Cacti versions prior to 1.2.29 and has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), mapped to CWE-89.

Remote unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction. Successful exploitation lets an attacker inject SQL into the statement built by build_rule_item_filter(), with high integrity impact (I:H): unauthorized modification of database contents.

The vulnerability is fixed in Cacti version 1.2.29, as detailed in the GitHub commit c7e4ee798d263a3209ae6e7ba182c7b65284d8f0 and GHSA advisory GHSA-f9c7-7rc3-574c. Debian LTS users are advised to update affected packages per the announcement at lists.debian.org/debian-lts-announce/2025/02/msg00010.html. Security practitioners should apply the patch promptly and review access to automation features.
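To make the CWE-89 pattern described above concrete, the following is an added example written for this page, not Cacti's code: it is not the real build_rule_item_filter() and the table, column and function names are hypothetical. It builds a WHERE clause two ways against a constructed in-memory SQLite table (standing in for MySQL), first by concatenating untrusted strings as the advisory describes, then with an allowlisted column name and bound parameters as SI-10 requires, and feeds each clause to a hypothetical UPDATE so the integrity impact of the vulnerable path is visible as a row count.

```python
import sqlite3

# Constructed table standing in for an automation tree rule item table.
# Table and column names are hypothetical; this is not Cacti's schema.
SCHEMA = """
CREATE TABLE rule_items (
    id          INTEGER PRIMARY KEY,
    rule_id     INTEGER NOT NULL,
    hostname    TEXT NOT NULL,
    description TEXT NOT NULL,
    enabled     INTEGER NOT NULL DEFAULT 1
);
INSERT INTO rule_items VALUES (1, 7, 'router-1', 'core',   1);
INSERT INTO rule_items VALUES (2, 7, 'switch-1', 'access', 1);
INSERT INTO rule_items VALUES (3, 9, 'router-2', 'core',   1);
"""

# Column names a request may legitimately filter on (SI-10 allowlist).
ALLOWED_FIELDS = ("hostname", "description")


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def filter_vulnerable(rule_id, field, pattern):
    """Builds the WHERE clause by concatenating untrusted strings (CWE-89).
    The caller-supplied pattern ends up inside single quotes with no escaping."""
    where = "rule_id = " + str(int(rule_id)) + " AND " + field + " LIKE '" + pattern + "'"
    return where, ()


def filter_fixed(rule_id, field, pattern):
    """Hardened form: the column name must come from the allowlist and the
    value is bound as a parameter, so it can never change the SQL structure."""
    if field not in ALLOWED_FIELDS:
        raise ValueError("unknown filter field: %r" % field)
    where = "rule_id = ? AND " + field + " LIKE ?"
    return where, (int(rule_id), pattern)


def disable_matching(conn, builder, rule_id, field, pattern):
    """Hypothetical consumer of the filter: disables the rule items it selects.
    Returns the number of rows changed."""
    where, params = builder(rule_id, field, pattern)
    cur = conn.execute("UPDATE rule_items SET enabled = 0 WHERE " + where, params)
    conn.commit()
    return cur.rowcount


def demo():
    payload = "x' OR 1=1 -- "
    # Vulnerable path: the payload closes the quoted LIKE value and widens the
    # clause to "... OR 1=1", so every row is updated, including rule 9's item
    # that the caller never named.
    vuln_changed = disable_matching(new_db(), filter_vulnerable, 7, "hostname", payload)
    # Fixed path: the same bytes are bound as a literal pattern; nothing matches.
    fixed_changed = disable_matching(new_db(), filter_fixed, 7, "hostname", payload)
    # Fixed path with a column name that is not allowlisted is rejected outright.
    try:
        filter_fixed(7, "hostname = '' OR 1=1 -- ", "x")
        rejected = False
    except ValueError:
        rejected = True
    return vuln_changed, fixed_changed, rejected


if __name__ == "__main__":
    print(demo())
```

The shape matters more than the payload: any string that reaches the query text unescaped can rewrite the predicate, which is why the fix is structural (parameter binding plus an allowlist for the parts of a statement that cannot be bound, such as column names) rather than a blocklist of characters.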

Details

CWE(s)

CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, 'SQL Injection')

Affected Products

Vendor: Cacti
Product: Cacti
Versions: before 1.2.29 (fixed in 1.2.29)

CVEs Like This One

CVE-2024-54145 · Same product: Cacti
CVE-2024-54146 · Same product: Cacti
CVE-2025-26520 · Same product: Cacti
CVE-2025-24367 · Same product: Cacti
CVE-2025-22604 · Same product: Cacti
CVE-2025-66399 · Same product: Cacti
CVE-2005-10004 · Same product: Cacti
CVE-2026-29096 · Shared CWE-89
CVE-2025-25181 · Shared CWE-89
CVE-2025-25257 · Shared CWE-89

References