| Field | Value |
|---|---|
| Vulnerability ID | VCID-khhn-9sja-sfgr |
| Aliases | CVE-2025-24367 |
| Summary | Cacti is an open source performance and fault management framework. An authenticated Cacti user can abuse graph creation and graph template functionality to create arbitrary PHP scripts in the web root of the application, leading to remote code execution on the server. This vulnerability is fixed in 1.2.29. |
| Status | Published |
| Exploitability | 2.0 |
| Weighted Severity | 7.8 |
| Risk | 10.0 |
| Affected and Fixed Packages | Package Details |
| Reference id | Reference type | URL |
|---|---|---|
| | | https://api.first.org/data/v1/epss?cve=CVE-2025-24367 |
| | | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24367 |
| 1094574 | | https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1094574 |
| c7e4ee798d263a3209ae6e7ba182c7b65284d8f0 | | https://github.com/Cacti/cacti/commit/c7e4ee798d263a3209ae6e7ba182c7b65284d8f0 |
| GHSA-fxrq-fr7h-9rqq | | https://github.com/Cacti/cacti/security/advisories/GHSA-fxrq-fr7h-9rqq |
| Data source | Metasploit |
|---|---|
| Description | This module exploits an authenticated remote code execution vulnerability in Cacti versions prior to 1.2.29. Authenticated users can upload a graph template through the /graph_templates.php endpoint. The right_axis_label parameter is vulnerable to code injection, allowing attackers to execute arbitrary commands on the server. The payload is length-limited; due to this constraint, the module starts an HTTP server and hosts the payload. The initial payload downloads the full payload using curl from the attacker's server and saves it to the web root of the Cacti server before executing. |
| Note | Stability: crash-safe. Reliability: repeatable-session. Side effects: config-changes, ioc-in-logs. |
| Ransomware campaign use | Unknown |
| Source publication date | Jan. 27, 2025 |
| Platform | Linux, PHP, Unix, Windows |
| Source URL | https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/multi/http/cacti_graph_template_rce.rb |
| EPSS field | Value |
|---|---|
| Percentile | 0.99606 |
| EPSS Score | 0.90486 |
| Published At | April 4, 2026, 12:55 p.m. |
| Date | Actor | Action | Source | VulnerableCode Version |
|---|---|---|---|---|
| 2026-04-01T16:38:30.899622+00:00 | Debian Oval Importer | Import | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 38.0.0 |