CVE-2025-26520: Cacti SQL Injection Vulnerability

CVE-2025-26520 Overview

CVE-2025-26520 is a SQL injection vulnerability affecting Cacti, the popular open-source network monitoring and graphing solution. This vulnerability exists in the template function within host_templates.php and can be exploited through the graph_template parameter. Notably, this issue arose due to an incomplete fix for a previously addressed vulnerability (CVE-2024-54146).

Critical Impact
This SQL injection vulnerability allows unauthenticated remote attackers to execute arbitrary SQL commands against the Cacti database, potentially leading to complete database compromise, data exfiltration, unauthorized data modification, and further system access.

Affected Products

Cacti through version 1.2.29
All Cacti installations using vulnerable host_templates.php functionality
Environments with the host templates graph_template filtering feature enabled

Discovery Timeline

2025-02-12 - CVE-2025-26520 published to NVD
2025-03-03 - Last updated in NVD database

Technical Details for CVE-2025-26520

Vulnerability Analysis

This SQL injection vulnerability exists in the template function of host_templates.php. The root cause is the improper handling of the graph_template parameter when constructing SQL queries. The vulnerable code uses get_request_var() to retrieve user-supplied input and directly concatenates it into the SQL WHERE clause without proper sanitization or parameterization.

The issue is particularly noteworthy because it represents an incomplete remediation of CVE-2024-54146. While the original vulnerability was addressed, this specific code path was missed or improperly fixed, allowing attackers to still inject malicious SQL commands through the graph_template parameter.

Root Cause

The vulnerability stems from insufficient input validation when handling the graph_template request variable. The code retrieves the parameter using get_request_var('graph_template') which does not perform proper sanitization for SQL queries. This value is then directly concatenated into a SQL WHERE clause as (gt_id = ' . get_request_var('graph_template') . ')', creating a classic SQL injection vector.

The fix requires using get_filter_request_var() instead, which applies appropriate input filtering and sanitization before the value is used in database operations.

Attack Vector

An attacker can exploit this vulnerability by sending a crafted HTTP request to the Cacti web interface with a malicious graph_template parameter value. Since this is a network-accessible vulnerability requiring no authentication or user interaction, exploitation can be performed remotely. The attacker could inject arbitrary SQL statements to:

Extract sensitive data from the database including user credentials
Modify or delete database records
Potentially achieve code execution through database-specific features
Escalate privileges within the Cacti application

php

// Vulnerable code - uses unsanitized get_request_var()
if (get_request_var('graph_template') != '-1') {
	$sql_where .= ($sql_where != '' ? ' AND ':'WHERE ') . '(gt_id = ' . get_request_var('graph_template') . ')';
	$sql_join   = "INNER JOIN (
		SELECT DISTINCT host_template_id, id AS gt_id
		FROM (";

// Fixed code - uses sanitized get_filter_request_var()
if (get_request_var('graph_template') != '-1') {
	$sql_where .= ($sql_where != '' ? ' AND ':'WHERE ') . '(gt_id = ' . get_filter_request_var('graph_template') . ')';
	$sql_join   = "INNER JOIN (
		SELECT DISTINCT host_template_id, id AS gt_id
		FROM (";

Source: GitHub Cacti Commit

Detection Methods for CVE-2025-26520

Indicators of Compromise

Unusual SQL error messages or database exceptions in Cacti application logs
HTTP requests to host_templates.php with anomalous graph_template parameter values containing SQL syntax (e.g., quotes, UNION, SELECT keywords)
Unexpected database queries or access patterns in database audit logs
Evidence of data exfiltration or unauthorized database modifications

Detection Strategies

Implement Web Application Firewall (WAF) rules to detect SQL injection patterns in the graph_template parameter
Monitor HTTP access logs for requests to host_templates.php containing SQL metacharacters or keywords
Deploy database activity monitoring to detect anomalous query patterns originating from the Cacti application
Configure intrusion detection systems (IDS) with signatures for SQL injection attempts targeting Cacti endpoints

Monitoring Recommendations

Enable detailed logging for the Cacti application and web server access logs
Implement real-time alerting for SQL injection pattern matches in request parameters
Monitor database query logs for unusual or unauthorized SELECT, UNION, or data extraction operations
Review authentication and authorization logs for signs of privilege escalation following potential exploitation

How to Mitigate CVE-2025-26520

Immediate Actions Required

Update Cacti to a version containing the security fix (commit 7fa60c03ad4a69c701ac6b77c85a8927df7acd51 or later)
If immediate patching is not possible, restrict network access to the Cacti web interface to trusted IP addresses only
Deploy WAF rules to block SQL injection attempts targeting the graph_template parameter
Review database and application logs for signs of prior exploitation

Patch Information

The vulnerability has been addressed by the Cacti development team. The fix replaces the vulnerable get_request_var() function call with get_filter_request_var(), which properly sanitizes the graph_template parameter before use in SQL queries.

Organizations should apply the patch available in GitHub Pull Request #6096 or update to a Cacti version that incorporates commit 7fa60c03ad4a69c701ac6b77c85a8927df7acd51.

Workarounds

Implement network-level access controls to restrict access to Cacti from trusted networks only
Deploy a Web Application Firewall with SQL injection detection capabilities in front of the Cacti application
Disable or restrict access to the host templates functionality if not required for operations
Apply the principle of least privilege to the database user account used by Cacti

bash

# Example: Restrict access to Cacti using Apache configuration
<Directory "/var/www/html/cacti">
    # Allow only trusted internal networks
    Require ip 10.0.0.0/8
    Require ip 192.168.0.0/16
    # Deny all other access
    Require all denied
</Directory>

CVE-2025-26520 Overview

Critical Impact
This SQL injection vulnerability allows unauthenticated remote attackers to execute arbitrary SQL commands against the Cacti database, potentially leading to complete database compromise, data exfiltration, unauthorized data modification, and further system access.

Affected Products

Cacti through version 1.2.29
All Cacti installations using vulnerable host_templates.php functionality
Environments with the host templates graph_template filtering feature enabled

Discovery Timeline

2025-02-12 - CVE-2025-26520 published to NVD
2025-03-03 - Last updated in NVD database

Technical Details for CVE-2025-26520

Vulnerability Analysis

Root Cause

The fix requires using get_filter_request_var() instead, which applies appropriate input filtering and sanitization before the value is used in database operations.

Attack Vector

Extract sensitive data from the database including user credentials
Modify or delete database records
Potentially achieve code execution through database-specific features
Escalate privileges within the Cacti application

php

// Vulnerable code - uses unsanitized get_request_var()
if (get_request_var('graph_template') != '-1') {
	$sql_where .= ($sql_where != '' ? ' AND ':'WHERE ') . '(gt_id = ' . get_request_var('graph_template') . ')';
	$sql_join   = "INNER JOIN (
		SELECT DISTINCT host_template_id, id AS gt_id
		FROM (";

// Fixed code - uses sanitized get_filter_request_var()
if (get_request_var('graph_template') != '-1') {
	$sql_where .= ($sql_where != '' ? ' AND ':'WHERE ') . '(gt_id = ' . get_filter_request_var('graph_template') . ')';
	$sql_join   = "INNER JOIN (
		SELECT DISTINCT host_template_id, id AS gt_id
		FROM (";

Source: GitHub Cacti Commit

Detection Methods for CVE-2025-26520

Indicators of Compromise

Unusual SQL error messages or database exceptions in Cacti application logs
HTTP requests to host_templates.php with anomalous graph_template parameter values containing SQL syntax (e.g., quotes, UNION, SELECT keywords)
Unexpected database queries or access patterns in database audit logs
Evidence of data exfiltration or unauthorized database modifications

Detection Strategies

Implement Web Application Firewall (WAF) rules to detect SQL injection patterns in the graph_template parameter
Monitor HTTP access logs for requests to host_templates.php containing SQL metacharacters or keywords
Deploy database activity monitoring to detect anomalous query patterns originating from the Cacti application
Configure intrusion detection systems (IDS) with signatures for SQL injection attempts targeting Cacti endpoints

Monitoring Recommendations

Enable detailed logging for the Cacti application and web server access logs
Implement real-time alerting for SQL injection pattern matches in request parameters
Monitor database query logs for unusual or unauthorized SELECT, UNION, or data extraction operations
Review authentication and authorization logs for signs of privilege escalation following potential exploitation

How to Mitigate CVE-2025-26520

Immediate Actions Required

Update Cacti to a version containing the security fix (commit 7fa60c03ad4a69c701ac6b77c85a8927df7acd51 or later)
If immediate patching is not possible, restrict network access to the Cacti web interface to trusted IP addresses only
Deploy WAF rules to block SQL injection attempts targeting the graph_template parameter
Review database and application logs for signs of prior exploitation

Patch Information

Organizations should apply the patch available in GitHub Pull Request #6096 or update to a Cacti version that incorporates commit 7fa60c03ad4a69c701ac6b77c85a8927df7acd51.

Workarounds

Implement network-level access controls to restrict access to Cacti from trusted networks only
Deploy a Web Application Firewall with SQL injection detection capabilities in front of the Cacti application
Disable or restrict access to the host templates functionality if not required for operations
Apply the principle of least privilege to the database user account used by Cacti

bash

# Example: Restrict access to Cacti using Apache configuration
<Directory "/var/www/html/cacti">
    # Allow only trusted internal networks
    Require ip 10.0.0.0/8
    Require ip 192.168.0.0/16
    # Deny all other access
    Require all denied
</Directory>

CVE-2025-26520: Cacti SQL Injection Vulnerability

CVE-2025-26520 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2025-26520

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2025-26520

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2025-26520

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform

CVE-2025-26520: Cacti SQL Injection Vulnerability

CVE-2025-26520 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2025-26520

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2025-26520

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2025-26520

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform