CVE-2025-24368 Overview
CVE-2025-24368 is a SQL Injection vulnerability affecting Cacti, an open source performance and fault management framework. The vulnerability exists in the automation_tree_rules.php file where user-supplied data is not thoroughly validated before being used to construct SQL statements in the build_rule_item_filter() function within lib/api_automation.php. This insufficient input sanitization allows attackers to inject malicious SQL code through crafted input, potentially enabling unauthorized database access.
Critical Impact
Attackers can exploit this SQL injection flaw to read, modify, or delete sensitive data from the Cacti database, potentially compromising monitoring infrastructure integrity and confidentiality.
Affected Products
- Cacti versions prior to 1.2.29
Discovery Timeline
- 2025-01-27 - CVE-2025-24368 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2025-24368
Vulnerability Analysis
This SQL Injection vulnerability arises from improper input validation in Cacti's automation tree rules functionality. When users interact with the automation tree rules configuration interface via automation_tree_rules.php, certain input parameters are passed to the build_rule_item_filter() function in lib/api_automation.php. The function fails to properly sanitize or parameterize these inputs before incorporating them into dynamic SQL queries.
The vulnerability allows unauthenticated or authenticated attackers (depending on system configuration) to manipulate SQL queries by injecting specially crafted payloads through the affected parameters. Successful exploitation could lead to extraction of sensitive information including user credentials, configuration data, and monitoring statistics stored in the Cacti database.
Root Cause
The root cause is insufficient input validation and lack of parameterized queries in the build_rule_item_filter() function. User-controlled data from automation_tree_rules.php is directly concatenated into SQL statements without proper escaping or the use of prepared statements, creating a classic SQL injection attack surface (CWE-89).
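To make the root cause concrete, the following added example (not Cacti's code, and not the real build_rule_item_filter()) contrasts a filter builder that concatenates user input into SQL with one that allow-lists the column name and binds the value through a placeholder; the host table, its rows and the field names are constructed for the demonstration.

```python
import sqlite3

# Constructed in-memory table standing in for a device table (hypothetical schema, not Cacti's).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE host (id INTEGER, description TEXT, hostname TEXT)")
    db.executemany("INSERT INTO host VALUES (?, ?, ?)", [
        (1, "core-router", "10.0.0.1"),
        (2, "edge-switch", "10.0.0.2"),
        (3, "dns-server", "10.0.0.3"),
    ])
    return db

# Allow-list of column names a rule may filter on (assumed for this example).
ALLOWED_FIELDS = {"description", "hostname"}

def build_filter_vulnerable(field, pattern):
    # Anti-pattern (CWE-89): both the column name and the value are pasted into the SQL text.
    sql = "SELECT id FROM host WHERE " + field + " LIKE '" + pattern + "'"
    return sql, ()

def build_filter_safe(field, pattern):
    # Column names cannot be bound as parameters, so they are checked against an allow-list;
    # the user-supplied value travels as a bound parameter and never becomes SQL syntax.
    if field not in ALLOWED_FIELDS:
        raise ValueError("unexpected field name: %r" % field)
    sql = "SELECT id FROM host WHERE " + field + " LIKE ?"
    return sql, (pattern,)

def matching_ids(db, builder, field, pattern):
    """Run the filter produced by `builder` and return the matching host ids."""
    sql, params = builder(field, pattern)
    return [row[0] for row in db.execute(sql, params)]

if __name__ == "__main__":
    db = make_db()
    tautology = "x' OR '1'='1"          # value that breaks out of the quoted LIKE pattern
    print(matching_ids(db, build_filter_vulnerable, "description", tautology))  # every row
    print(matching_ids(db, build_filter_safe, "description", tautology))        # no rows
```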
Attack Vector
The attack is network-based and can be executed remotely by sending malicious HTTP requests to the vulnerable endpoint. An attacker can craft requests containing SQL injection payloads that will be processed by the build_rule_item_filter() function. The injected SQL code executes within the context of the database user configured for Cacti, potentially allowing:
- Extraction of database contents (data exfiltration)
- Modification or deletion of monitoring data
- Potential privilege escalation within the application
- Lateral movement if database credentials provide access to other systems
The vulnerability does not require special conditions or user interaction beyond the attacker having network access to the Cacti web interface.
Detection Methods for CVE-2025-24368
Indicators of Compromise
- Unusual or malformed HTTP requests to /automation_tree_rules.php containing SQL syntax patterns
- Database query logs showing anomalous or extended query execution times
- Unexpected error messages in Cacti logs referencing SQL syntax errors
- Signs of data exfiltration or unauthorized database queries in audit logs
Detection Strategies
- Deploy Web Application Firewall (WAF) rules to detect SQL injection patterns in requests to Cacti endpoints
- Monitor HTTP access logs for suspicious parameters containing SQL keywords like UNION, SELECT, DROP, or comment sequences (--, /*)
- Implement database activity monitoring to detect unusual query patterns or unauthorized data access
- Review Cacti application logs for error messages indicating SQL injection attempts
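The indicators and detection strategies above can be applied directly to web server access logs; the following added example (not part of the advisory, and not a Cacti or vendor tool) flags requests to automation_tree_rules.php whose decoded query string contains the SQL keywords or comment sequences listed above, and counts hits per source address for alerting on repeated attempts. The log lines are constructed samples in Apache combined format.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access log (not real traffic); only the second and fourth lines are suspicious.
SAMPLE_LOG = """\
10.1.2.3 - - [27/Jan/2025:10:00:01 +0000] "GET /cacti/automation_tree_rules.php?action=edit&id=1 HTTP/1.1" 200 5120
10.1.2.9 - - [27/Jan/2025:10:00:07 +0000] "GET /cacti/automation_tree_rules.php?action=edit&id=1%27%20UNION%20SELECT%201%2C2%2C3--%20 HTTP/1.1" 200 6010
10.1.2.9 - - [27/Jan/2025:10:00:09 +0000] "GET /cacti/graph_view.php?action=tree HTTP/1.1" 200 2048
10.1.2.9 - - [27/Jan/2025:10:00:12 +0000] "GET /cacti/automation_tree_rules.php?action=edit&id=1/**/AND/**/1=1 HTTP/1.1" 200 5120
"""

# Minimal parser for Apache/nginx combined log format: source IP, timestamp, method, URL, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Patterns from the detection guidance: SQL keywords, comment sequences and a stray single quote.
SQLI_RE = re.compile(r"\b(union|select|drop)\b|--|/\*|'", re.IGNORECASE)

def scan_access_log(text):
    """Return (ip, timestamp, decoded_url, matched_token) for each suspicious
    request to the vulnerable endpoint, decoding percent-encoding first."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        url = unquote_plus(m.group("url"))
        path, _, query = url.partition("?")
        if not path.endswith("/automation_tree_rules.php"):
            continue  # only the endpoint named in the advisory is of interest here
        found = SQLI_RE.search(query)
        if found:
            hits.append((m.group("ip"), m.group("ts"), url, found.group(0)))
    return hits

def count_by_source(hits):
    """Number of suspicious requests per source IP, for thresholding repeated attempts."""
    return dict(Counter(ip for ip, _, _, _ in hits))

if __name__ == "__main__":
    for ip, ts, url, token in scan_access_log(SAMPLE_LOG):
        print(f"{ts} {ip} matched {token!r} in {url}")
    print(count_by_source(scan_access_log(SAMPLE_LOG)))
```

A production version would read the live log incrementally and send repeated hits from one source to the SIEM rather than printing them.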
Monitoring Recommendations
- Enable detailed logging on the Cacti web server and database to capture potential attack attempts
- Configure alerting for repeated failed SQL queries or syntax errors originating from web requests
- Monitor network traffic to and from the Cacti server for unusual patterns or data volumes
How to Mitigate CVE-2025-24368
Immediate Actions Required
- Upgrade Cacti to version 1.2.29 or later immediately
- Restrict network access to the Cacti web interface to trusted IP addresses only
- Review database and application logs for signs of prior exploitation
- Implement WAF rules to filter SQL injection attempts as a temporary defense layer
Patch Information
The vulnerability has been addressed in Cacti version 1.2.29. The fix is available in the GitHub commit c7e4ee798d263a3209ae6e7ba182c7b65284d8f0. Administrators should upgrade to the patched version as soon as possible. Additional details are available in the GitHub Security Advisory GHSA-f9c7-7rc3-574c. Debian users should refer to the Debian LTS Announcement for distribution-specific patching guidance.
Workarounds
- Implement strict input validation at the web server or WAF level to block SQL injection patterns
- Restrict access to the Cacti administrative interface using IP allowlisting or VPN requirements
- Disable or restrict access to automation tree rules functionality if not actively needed
- Deploy database-level query monitoring and rate limiting as a defense-in-depth measure
# Example: Restrict Cacti access to trusted networks using iptables
iptables -A INPUT -p tcp --dport 80 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.