CVE-2025-24367

CVE Database · CVE-2025-24367

CVE-2025-24367

· HIGHModified

CVSS v3.1

8.8

CVSS v4.0

8.7

EPSS

49.09%

Published

Jan 27, 2025

Modified

Nov 3, 2025

Public PoC / Exploit (1)

All weaponized →

TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Cacti is an open source performance and fault management framework. An authenticated Cacti user can abuse graph creation and graph template functionality to create arbitrary PHP scripts in the web root of the application, leading to remote code execution on the server. This vulnerability is fixed in 1.2.29.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-144

Affected Products (1)

cacti · cacti (up to 1.2.29)vulnerable

References (4)

https://github.com/Cacti/cacti/commit/c7e4ee798d263a3209ae6e7ba182c7b65284d8f0

Patch

https://github.com/Cacti/cacti/security/advisories/GHSA-fxrq-fr7h-9rqq

ExploitVendor Advisory

https://lists.debian.org/debian-lts-announce/2025/02/msg00010.html

https://github.com/Cacti/cacti/security/advisories/GHSA-fxrq-fr7h-9rqq

ExploitVendor Advisory

KEV Catalog EPSS Scores Vendors All CVEs