Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-85gc-u991-z3dw
Vulnerability ID VCID-85gc-u991-z3dw
Aliases CVE-2024-25641
Summary Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, an arbitrary file write vulnerability, exploitable through the "Package Import" feature, allows authenticated users having the "Import Templates" permission to execute arbitrary PHP code on the web server. The vulnerability is located within the `import_package()` function defined into the `/lib/import.php` script. The function blindly trusts the filename and file content provided within the XML data, and writes such files into the Cacti base path (or even outside, since path traversal sequences are not filtered). This can be exploited to write or overwrite arbitrary files on the web server, leading to execution of arbitrary PHP code or other security impacts. Version 1.2.27 contains a patch for this issue.
Status Published
Exploitability 2.0
Weighted Severity 8.2
Risk 10.0
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-20 Improper Input Validation
System Score Found at
epss 0.88383 https://api.first.org/data/v1/epss?cve=CVE-2024-25641
epss 0.88383 https://api.first.org/data/v1/epss?cve=CVE-2024-25641
epss 0.88383 https://api.first.org/data/v1/epss?cve=CVE-2024-25641
epss 0.88383 https://api.first.org/data/v1/epss?cve=CVE-2024-25641
epss 0.88383 https://api.first.org/data/v1/epss?cve=CVE-2024-25641
epss 0.88383 https://api.first.org/data/v1/epss?cve=CVE-2024-25641
cvssv3.1 9.1 http://seclists.org/fulldisclosure/2024/May/6
ssvc Track* http://seclists.org/fulldisclosure/2024/May/6
cvssv3.1 9.1 https://github.com/Cacti/cacti/commit/eff35b0ff26cc27c82d7880469ed6d5e3bef6210
ssvc Track* https://github.com/Cacti/cacti/commit/eff35b0ff26cc27c82d7880469ed6d5e3bef6210
cvssv3.1 9.1 https://github.com/Cacti/cacti/security/advisories/GHSA-7cmj-g5qc-pj88
ssvc Track* https://github.com/Cacti/cacti/security/advisories/GHSA-7cmj-g5qc-pj88
cvssv3.1 9.1 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/
ssvc Track* https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2024-25641
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25641
6 http://seclists.org/fulldisclosure/2024/May/6
CVE-2024-25641 Exploit https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/52225.txt
eff35b0ff26cc27c82d7880469ed6d5e3bef6210 https://github.com/Cacti/cacti/commit/eff35b0ff26cc27c82d7880469ed6d5e3bef6210
GHSA-7cmj-g5qc-pj88 https://github.com/Cacti/cacti/security/advisories/GHSA-7cmj-g5qc-pj88
RBEOAFKRARQHTDIYSL723XAFJ2Q6624X https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/
USN-6969-1 https://usn.ubuntu.com/6969-1/
Data source Exploit-DB
Date added April 15, 2025
Description Cacti 1.2.26 - Remote Code Execution (RCE) (Authenticated)
Ransomware campaign use Unknown
Source publication date April 15, 2025
Exploit type webapps
Platform php
Source update date April 15, 2025
Data source Metasploit
Description This exploit module leverages an arbitrary file write vulnerability (CVE-2024-25641) in Cacti versions prior to 1.2.27 to achieve RCE. It abuses the `Import Packages` feature to upload a specially crafted package that embeds a PHP file. Cacti will extract this file to an accessible location. The module finally triggers the payload to execute arbitrary PHP code in the context of the user running the web server. Authentication is needed and the account must have access to the `Import Packages` feature. This is granted by setting the `Import Templates` permission in the `Template Editor` section.
Note 
Stability:
  - crash-safe
Reliability:
  - repeatable-session
SideEffects:
  - artifacts-on-disk
  - ioc-in-logs
Ransomware campaign use Unknown
Source publication date May 12, 2024
Platform Linux,PHP,Unix,Windows
Source URL https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/multi/http/cacti_package_import_rce.rb
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H Found at http://seclists.org/fulldisclosure/2024/May/6
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-05-17T04:00:38Z/ Found at http://seclists.org/fulldisclosure/2024/May/6
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H Found at https://github.com/Cacti/cacti/commit/eff35b0ff26cc27c82d7880469ed6d5e3bef6210
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-05-17T04:00:38Z/ Found at https://github.com/Cacti/cacti/commit/eff35b0ff26cc27c82d7880469ed6d5e3bef6210
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H Found at https://github.com/Cacti/cacti/security/advisories/GHSA-7cmj-g5qc-pj88
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-05-17T04:00:38Z/ Found at https://github.com/Cacti/cacti/security/advisories/GHSA-7cmj-g5qc-pj88
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-05-17T04:00:38Z/ Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/
Exploit Prediction Scoring System (EPSS)
Percentile 0.99491
EPSS Score 0.88383
Published At April 2, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T16:37:18.118362+00:00 Debian Oval Importer Import https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.0.0