CVE-2025-26520
Published: 12 February 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-26520 is a SQL injection vulnerability (CWE-89) affecting Cacti versions through 1.2.29. The flaw resides in the template function within host_templates.php, where the graph_template parameter is insufficiently sanitized, allowing malicious SQL payloads. This issue stems from an incomplete fix for the prior CVE-2024-54146 and carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H).
The vulnerability can be exploited remotely by an authenticated attacker with low privileges, requiring no user interaction. Successful exploitation enables limited confidentiality and integrity impacts, such as reading or modifying minor data, alongside high availability disruption, potentially leading to denial-of-service conditions through database manipulation.
Mitigation is addressed in Cacti commit 7fa60c03ad4a69c701ac6b77c85a8927df7acd51 and pull request #6096 on the project's GitHub repository. Security practitioners should apply this patch or upgrade to a version incorporating the fix to prevent exploitation.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The remote SQL injection in the Cacti web application directly enables exploitation of a public-facing application by authenticated low-privilege attackers.