CVE-2024-25641 Overview
CVE-2024-25641 is an arbitrary file write vulnerability affecting Cacti, a popular open-source operational monitoring and fault management framework. The vulnerability exists in the "Package Import" feature and allows authenticated users with the "Import Templates" permission to write arbitrary files to the web server, ultimately enabling remote code execution through malicious PHP file uploads.
The flaw resides within the import_package() function in /lib/import.php, which fails to properly validate the filename and file content supplied in the XML data during the package import process. This allows attackers to write or overwrite arbitrary files on the web server, including executable PHP scripts.
Critical Impact
Authenticated attackers can achieve remote code execution by exploiting the arbitrary file write vulnerability in Cacti's Package Import feature, potentially leading to complete server compromise.
Affected Products
- Cacti versions prior to 1.2.27
- Fedora 39 (affected through Cacti package)
Discovery Timeline
- 2024-05-14 - CVE-2024-25641 published to NVD
- 2025-11-04 - Last updated in NVD database
Technical Details for CVE-2024-25641
Vulnerability Analysis
This vulnerability represents a critical security flaw in Cacti's package import functionality. The import_package() function in /lib/import.php processes XML data containing filenames and file content without proper validation. The function blindly trusts user-supplied data within the XML structure and writes files directly to the Cacti installation directory.
The vulnerability is particularly severe because path traversal sequences are not filtered from the filename parameter, allowing attackers to write files outside the intended directory structure. Combined with the ability to control file content, this enables an attacker to place malicious PHP scripts anywhere on the web server's filesystem where the web server process has write permissions.
Root Cause
The root cause of CVE-2024-25641 is improper input validation in the import_package() function. The function accepts XML data during package imports but does not sanitize or validate the filename paths or file content before writing to disk. Specifically:
- No validation of filename characters or path components
- No filtering of path traversal sequences (e.g., ../)
- No content type or file extension restrictions
- Blind trust in user-controlled XML data structure
This allows malicious actors to craft XML payloads containing arbitrary filenames with path traversal sequences and malicious PHP code as file content.
Attack Vector
The attack requires authenticated access to Cacti with "Import Templates" permissions. An attacker can exploit this vulnerability by:
- Crafting a malicious XML package containing a PHP web shell or other malicious code
- Including path traversal sequences in the filename to target specific locations
- Importing the package through the Package Import feature
- Accessing the written PHP file through the web server to execute arbitrary commands
The vulnerability is exploitable remotely over the network and requires no user interaction beyond the initial authentication. The attacker's crafted XML payload would include a filename with path traversal sequences pointing to a web-accessible directory and PHP code designed to provide command execution capabilities.
For detailed technical information about the exploitation mechanism, refer to the GitHub Security Advisory GHSA-7cmj-g5qc-pj88 and the Full Disclosure posting.
Detection Methods for CVE-2024-25641
Indicators of Compromise
- Unexpected PHP files appearing in the Cacti web root or other web-accessible directories
- Suspicious files with unusual names or in unexpected locations within the Cacti installation
- Web server logs showing POST requests to the Package Import functionality followed by requests to newly created PHP files
- File system changes in Cacti directories that don't correspond to legitimate template imports
Detection Strategies
- Monitor file integrity of the Cacti installation directory using tools like AIDE or Tripwire to detect unauthorized file creation or modification
- Implement web application firewall (WAF) rules to inspect XML payloads for path traversal sequences
- Review Cacti audit logs for template import operations performed by users with elevated permissions
- Deploy endpoint detection to identify web shells or suspicious PHP file execution patterns
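The log-based indicator above (a POST to the Package Import feature followed by requests to a newly created PHP file) can be turned into a simple detection. The following is an added Python example, not code from the page or the Cacti project; the import endpoint path, the baseline inventory of shipped PHP files and the sample log lines are constructed assumptions.

```python
import re
from typing import Iterable

# Combined-log-format parser: client IP, user, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (not from the page). The import endpoint path,
# hosts and file names below are assumptions chosen for illustration only.
SAMPLE_LOG = """\
10.0.0.5 - admin [14/May/2024:10:01:02 +0000] "GET /cacti/graph_view.php HTTP/1.1" 200 5123
10.0.0.5 - admin [14/May/2024:10:02:10 +0000] "POST /cacti/package_import.php HTTP/1.1" 200 812
10.0.0.5 - - [14/May/2024:10:02:45 +0000] "GET /cacti/resource/tmp_upload.php HTTP/1.1" 200 77
10.0.0.9 - ops [14/May/2024:10:05:00 +0000] "POST /cacti/package_import.php HTTP/1.1" 200 812
10.0.0.9 - ops [14/May/2024:10:06:00 +0000] "GET /cacti/graph_view.php HTTP/1.1" 200 5123
"""
IMPORT_PATH = "/cacti/package_import.php"          # assumed endpoint path
KNOWN_PHP = {"/cacti/graph_view.php", IMPORT_PATH}  # baseline inventory of shipped PHP files


def find_import_then_new_php(lines: Iterable[str], import_path: str, known_php: set) -> list:
    """Flag clients that POST to the import endpoint and afterwards request a
    PHP path absent from the known inventory: the IoC sequence described above."""
    last_import = {}   # client ip -> timestamp of its most recent import POST
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]   # drop any query string before comparing
        if m["method"] == "POST" and path == import_path and m["status"] == "200":
            last_import[m["ip"]] = m["ts"]
            continue
        if m["ip"] in last_import and path.endswith(".php") and path not in known_php:
            hits.append({"ip": m["ip"], "import_at": last_import[m["ip"]],
                         "php_path": path, "requested_at": m["ts"]})
    return hits


def run_sample() -> list:
    return find_import_then_new_php(SAMPLE_LOG.splitlines(), IMPORT_PATH, KNOWN_PHP)


if __name__ == "__main__":
    for hit in run_sample():
        print(f"{hit['ip']} imported at {hit['import_at']}, then requested {hit['php_path']}")
```

In production the baseline set should be generated from the installed package's file list so that legitimate PHP files are not flagged.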
Monitoring Recommendations
- Enable verbose logging for all Package Import operations in Cacti
- Configure alerts for file creation events within the web server document root
- Monitor for outbound connections from the web server that may indicate web shell activity
- Track user accounts with "Import Templates" permission and audit their activities regularly
How to Mitigate CVE-2024-25641
Immediate Actions Required
- Upgrade Cacti to version 1.2.27 or later immediately
- Review and restrict the "Import Templates" permission to only trusted administrators
- Audit existing user accounts and remove unnecessary elevated permissions
- Scan the Cacti installation for any unauthorized or suspicious PHP files
Patch Information
Cacti version 1.2.27 addresses this vulnerability by implementing proper input validation in the import_package() function. The fix includes validation of filenames to prevent path traversal attacks and proper sanitization of file content.
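The checks the root-cause list and the patch description call for (no absolute paths, no traversal components, an extension allowlist, and a final containment check on the resolved path) can be expressed in a single validation function. This is an added Python illustration rather than Cacti's own PHP fix; the base directory and the allowed extension set are assumptions.

```python
import os
from typing import Optional

# Assumed allowlist: a template package import has no business writing executable scripts.
ALLOWED_EXTS = frozenset({".xml"})


def safe_import_target(base_dir: str, filename: str, allowed_exts=ALLOWED_EXTS) -> Optional[str]:
    """Return the absolute on-disk path for a package entry, or None if the
    filename must be rejected. Every check below is a defence the vulnerable
    import path lacked: traversal filtering, extension restriction, containment."""
    if not filename or "\x00" in filename:
        return None
    # Reject absolute paths (POSIX or Windows style) before touching the filesystem.
    if os.path.isabs(filename) or filename.startswith(("/", "\\")):
        return None
    # Reject any empty, '.' or '..' path component; normalise backslashes first.
    parts = filename.replace("\\", "/").split("/")
    if any(p in ("", ".", "..") for p in parts):
        return None
    # Extension allowlist (case-insensitive). Double extensions such as x.php.xml pass
    # this check, so the web server must also never execute files by content type.
    _, ext = os.path.splitext(filename)
    if ext.lower() not in allowed_exts:
        return None
    # Final containment check: the resolved target must remain inside base_dir even if
    # symlinks exist on the way.
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, filename))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


if __name__ == "__main__":
    # Assumed install location for the demonstration.
    for name in ("scripts/check.xml", "../../html/x.xml", "x.php"):
        print(name, "->", safe_import_target("/srv/cacti/resource", name))
```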
The security patch is available through the official Cacti GitHub repository. Linux distribution users should apply updates through their respective package managers:
- Fedora users: Apply the update referenced in the Fedora Package Announcement
- Debian users: Refer to the Debian LTS Announcement for patched package versions
Workarounds
- Disable the Package Import feature entirely if not required for operations
- Implement strict file system permissions to prevent the web server from writing to directories outside the intended upload locations
- Deploy a web application firewall (WAF) to filter requests containing path traversal patterns
- Consider network segmentation to isolate Cacti instances from critical infrastructure
# Restrict write permissions on Cacti directories
chmod -R 755 /var/www/html/cacti/
chown -R root:www-data /var/www/html/cacti/
# Set specific directories writable only where necessary
chmod 775 /var/www/html/cacti/cache/
chmod 775 /var/www/html/cacti/resource/
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.