Cyber Posture

CVE-2024-54145

Severity: Medium · Public PoC

Published: 27 January 2025

Modified: 03 November 2025
KEV Added:
Patch:
CVSS Score: 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0019 (39.9th percentile)
Risk Priority: 13 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

Cacti is an open source performance and fault management framework. Cacti has a SQL injection vulnerability in the get_discovery_results function of automation_devices.php using the network parameter. This vulnerability is fixed in 1.2.29.

Security Summary

CVE-2024-54145 is a SQL injection vulnerability (CWE-89) in Cacti, an open source performance and fault management framework. The flaw exists in the get_discovery_results function within automation_devices.php, where the network parameter is not properly sanitized, allowing injection of malicious SQL queries. Published on 2025-01-27, it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and was fixed in Cacti version 1.2.29.

An attacker needs only low privileges, such as those of an authenticated user, to exploit this over the network with low attack complexity and no user interaction. Successful exploitation yields limited impacts through arbitrary SQL execution: partial disclosure of sensitive data (low confidentiality), modification of underlying data (low integrity), and limited denial of service (low availability).

The mitigation is to upgrade to Cacti 1.2.29; the fixing commit is at https://github.com/Cacti/cacti/commit/c7e4ee798d263a3209ae6e7ba182c7b65284d8f0 and the GitHub Security Advisory GHSA-fh3x-69rr-qqpp is at https://github.com/Cacti/cacti/security/advisories/GHSA-fh3x-69rr-qqpp. Debian LTS users should refer to the announcement at https://lists.debian.org/debian-lts-announce/2025/02/msg00010.html for package-specific patches and guidance.

Details

CWE(s): CWE-89

Affected Products

Vendor: cacti
Product: cacti
Versions: ≤ 1.2.29

References