CVE-2025-24367 Overview
CVE-2025-24367 is a critical Remote Code Execution (RCE) vulnerability affecting Cacti, an open source performance and fault management framework widely used for network monitoring and graphing. An authenticated Cacti user can abuse the graph creation and graph template functionality to create arbitrary PHP scripts in the web root of the application, leading to remote code execution on the server.
This vulnerability allows attackers with valid credentials to leverage the graph template system to write malicious PHP files directly into the web-accessible directory structure. Once these files are created, they can be accessed via HTTP requests, resulting in arbitrary code execution with the privileges of the web server process.
Critical Impact
Authenticated attackers can achieve full server compromise through arbitrary PHP file creation in the web root, enabling complete control over the Cacti server and potentially the broader network infrastructure it monitors.
Affected Products
- Cacti versions prior to 1.2.29
- All installations with authenticated user access
- Deployments allowing graph creation and template management
Discovery Timeline
- 2025-01-27 - CVE-2025-24367 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2025-24367
Vulnerability Analysis
This vulnerability exploits a fundamental weakness in how Cacti handles graph creation and template functionality. The application fails to properly validate or sanitize file paths and content when users interact with the graph template system, allowing authenticated users to craft requests that result in arbitrary PHP files being written to the web root directory.
The attack requires only basic authenticated access to the Cacti application—any user with permissions to create or modify graphs can potentially exploit this flaw. Once a malicious PHP file is placed in the web root, the attacker can execute arbitrary commands on the underlying server by simply accessing the newly created file through a web browser or automated HTTP request.
The root cause lies in improper neutralization of special elements in output used by a downstream component (CWE-144), combined with insufficient access controls on file creation operations within the graph templating engine.
Root Cause
The vulnerability stems from improper input validation and neutralization (CWE-144) in the graph creation and template handling code. Cacti fails to adequately restrict the paths where files can be created and does not properly sanitize user-controlled input that influences file content. This allows attackers to bypass intended restrictions and write executable PHP code to web-accessible locations.
The graph template functionality appears to construct file paths using user-supplied data without sufficient validation, enabling path manipulation that results in files being created outside of intended directories or with unintended content.
Attack Vector
The attack is network-based and requires authenticated access to the Cacti web interface. An attacker with valid credentials can:
- Navigate to graph creation or template management functionality
- Craft a malicious request that abuses the file creation mechanism
- Create a PHP file containing arbitrary code in the web root
- Access the malicious file via HTTP to execute commands
The security patch in version 1.2.29 addresses this vulnerability along with several other security issues:
Cacti CHANGELOG
-1.2.x
+1.2.29
+-security#GHSA-pv2c-97pp-vxwg: Local File Inclusion (LFI) Vulnerability via Poller Standard Error Log Path
+-security#GHSA-f9c7-7rc3-574c: SQL Injection vulnerability when using tree rules through Automation API
+-security#GHSA-vj9g-P7F2-4wqj: SQL Injection vulnerability when view host template
+-security#GHSA-fh3x-69rr-qqpp: SQL Injection vulnerability when request automation devices
+-security#GHSA-c5j8-jxj3-hh36: Authenticated RCE via multi-line SNMP responses
+-security#GHSA-fxrq-fr7h-9rqq: Arbitrary File Creation leading to RCE
-issue#5843: Issue with temporary tables with use of microtime
-issue#5847: Presets Time in Cacti 1.2.28 Not Automatically Updating...
-issue#5848: RRDfile Auto Clean not working
Source: GitHub Cacti Commit
Detection Methods for CVE-2025-24367
Indicators of Compromise
- Unexpected PHP files appearing in the Cacti web root directory or subdirectories
- Web server logs showing access to unusual PHP files not part of standard Cacti installation
- File system audit logs indicating PHP file creation by the web server process
- Unusual process spawning from the web server (e.g., www-data or apache user executing shell commands)
Detection Strategies
- Monitor file system changes in the Cacti web root directory for new .php files
- Implement web application firewall (WAF) rules to detect suspicious graph template manipulation requests
- Enable file integrity monitoring (FIM) on the Cacti installation directory
- Review web server access logs for requests to non-standard PHP endpoints
- Configure intrusion detection systems to alert on PHP file creation events
Monitoring Recommendations
- Deploy endpoint detection and response (EDR) solutions to monitor web server process behavior
- Enable comprehensive logging for the Cacti application and underlying web server
- Set up alerts for any new file creation in web-accessible directories
- Monitor for unusual network connections originating from the Cacti server
- Implement user activity logging to track graph creation and template modification operations
How to Mitigate CVE-2025-24367
Immediate Actions Required
- Upgrade Cacti to version 1.2.29 or later immediately
- Audit existing user accounts and revoke unnecessary graph creation permissions
- Review the Cacti web root for any unexpected or suspicious PHP files
- Implement network segmentation to limit the blast radius if compromise occurs
- Enable additional authentication factors for Cacti administrative access
Patch Information
Cacti has addressed this vulnerability in version 1.2.29. The fix is available through the official GitHub Cacti Commit. Additionally, Debian has released security updates as documented in the Debian LTS Announcement.
Organizations should prioritize this update given the high severity and the potential for authenticated users to achieve full server compromise. The GitHub Security Advisory provides additional technical details about the vulnerability.
Workarounds
- Restrict access to graph creation and template management functionality to only essential trusted users
- Implement strict file system permissions preventing the web server from creating files in the web root
- Deploy a web application firewall with rules to block suspicious requests to graph-related endpoints
- Place Cacti behind a VPN or restrict network access to trusted IP ranges only
- Enable read-only file system mounts for web-accessible directories where feasible
# Example: Restrict file creation permissions on Cacti web root
# Note: This may affect legitimate functionality - test in non-production first
chmod -R o-w /var/www/html/cacti/
chown -R root:www-data /var/www/html/cacti/
# Monitor for new PHP files in web root
find /var/www/html/cacti -name "*.php" -mtime -1 -ls
# Review Cacti user permissions in database
mysql -u cacti_user -p cacti -e "SELECT username, realm FROM user_auth WHERE graph_perms > 0;"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
