Cyber Posture

CVE-2025-24367

High · Public PoC

Published: 27 January 2025
Modified: 03 November 2025
KEV Added:
Patch:
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9049 (99.6th percentile)
Risk Priority: 72 (60% EPSS · 20% KEV · 20% CVSS)

Description

Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Security Summary

CVE-2025-24367 affects Cacti, an open source performance and fault management framework. The vulnerability allows an authenticated Cacti user to abuse the graph creation and graph template functionality to create arbitrary PHP scripts in the application's web root, resulting in remote code execution on the server. It has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-144 and NVD-CWE-Other. The issue is fixed in Cacti version 1.2.29.

An attacker with authenticated access to a vulnerable Cacti instance, requiring low privileges, can exploit this flaw over the network with low complexity and no user interaction. Successful exploitation enables remote code execution, granting high confidentiality, integrity, and availability impacts, potentially allowing full server compromise.

Advisories recommend upgrading to Cacti 1.2.29, where the fix is implemented via a specific GitHub commit. The GitHub Security Advisory (GHSA-fxrq-fr7h-9rqq) details the issue and patch, while Debian LTS announcements address mitigation for affected distributions.

Details

CWE(s)
CWE-144, NVD-CWE-Other

Affected Products

Vendor: cacti
Product: cacti
Versions: ≤ 1.2.29

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

The vulnerability in the Cacti web application allows authenticated users to create arbitrary PHP scripts in the web root, leading to remote code execution. This directly enables exploitation of a public-facing application (T1190) to deploy a web shell (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0