CVE-2025-24368
Published: 27 January 2025
Description
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Security Summary
CVE-2025-24368 is a SQL injection vulnerability in Cacti, an open-source performance and fault management framework. The issue arises because data stored in automation_tree_rules.php is not thoroughly validated before being concatenated into SQL statements by the build_rule_item_filter() function in lib/api_automation.php. It affects Cacti versions prior to 1.2.29 and has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), mapped to CWE-89.
Remote unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction. Successful exploitation allows attackers to inject malicious SQL payloads, enabling high-impact integrity violations such as unauthorized data modification in the database.
The vulnerability is fixed in Cacti version 1.2.29, as detailed in the GitHub commit c7e4ee798d263a3209ae6e7ba182c7b65284d8f0 and GHSA advisory GHSA-f9c7-7rc3-574c. Debian LTS users are advised to update affected packages per the announcement at lists.debian.org/debian-lts-announce/2025/02/msg00010.html. Security practitioners should apply the patch promptly and review access to automation features.
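The concatenation pattern the summary describes, shown beside a hardened version, as an added illustration that is not Cacti's own code: the function names, the rule-item fields, the `host` table and the in-memory SQLite database are hypothetical stand-ins constructed for the example.

```python
import sqlite3

# Hypothetical stand-in for an automation tree rule item (not Cacti's code):
# a column name, an operator keyword and a user-controlled match pattern.
ALLOWED_FIELDS = {"hostname", "description"}
ALLOWED_OPS = {"contains": "LIKE", "equals": "="}


def build_rule_item_filter_vulnerable(field, op, pattern):
    # CWE-89 pattern: the rule data is concatenated straight into the SQL
    # fragment, so quotes inside `pattern` change the statement's structure.
    value = f"%{pattern}%" if op == "contains" else pattern
    return f"{field} {ALLOWED_OPS[op]} '{value}'"


def build_rule_item_filter_safe(field, op, pattern):
    # Hardened form: identifiers are checked against an allowlist and the
    # user-controlled value travels as a bound parameter, never as SQL text.
    if field not in ALLOWED_FIELDS:
        raise ValueError(f"unexpected rule field: {field!r}")
    if op not in ALLOWED_OPS:
        raise ValueError(f"unexpected rule operator: {op!r}")
    value = f"%{pattern}%" if op == "contains" else pattern
    return f"{field} {ALLOWED_OPS[op]} ?", [value]


def make_db():
    # Constructed sample inventory so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE host (id INTEGER, hostname TEXT, description TEXT)")
    conn.executemany("INSERT INTO host VALUES (?, ?, ?)",
                     [(1, "web01", "prod web"), (2, "db01", "prod db"), (3, "lab01", "lab box")])
    return conn


def matching_hosts_vulnerable(conn, field, op, pattern):
    where = build_rule_item_filter_vulnerable(field, op, pattern)
    rows = conn.execute(f"SELECT hostname FROM host WHERE {where} ORDER BY id")
    return [r[0] for r in rows]


def matching_hosts_safe(conn, field, op, pattern):
    where, params = build_rule_item_filter_safe(field, op, pattern)
    rows = conn.execute(f"SELECT hostname FROM host WHERE {where} ORDER BY id", params)
    return [r[0] for r in rows]
```

With a benign pattern both builders return the same hosts; with a pattern containing a quote, the concatenating builder lets the rule match every row, while the parameterised builder compares the whole string literally and matches nothing.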
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection enables arbitrary SQL execution for database modification and collection (T1213.006), local file reads (T1005), exploitation of the public-facing web app (T1190), and RCE via file writes such as web shells (T1505.003).