PT-2025-1312 · Cacti
Chutchut · Published 2025-01-26 · Updated 2026-03-09
CVE-2025-24367
CVSS v3.1: 8.8 (High)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
- Cacti versions prior to 1.2.29
- Cacti versions 1.2.16+ds1-2+deb11u5 through 1.2.24+ds1-1+deb12u5
Description
Cacti is an open source performance and fault management framework. An authenticated user can misuse the graph creation and graph template functionality to create arbitrary PHP scripts inside the application's web root directory, which can lead to remote code execution on the server. The root cause is improper handling of line separators in the affected input.
Recommendations
- Upgrade Cacti to version 1.2.29 or later.
- Upgrade Cacti to version 1.2.16+ds1-2+deb11u5 or later for Debian 11 bullseye.
- Upgrade Cacti to version 1.2.24+ds1-1+deb12u5 or later for Debian 12 bookworm.
Exploit · Fix · RCE
Affected Products: Cacti