CVERadar

CVE-2024-25641

High Severity
Cacti
SVRS
60/100

CVSSv3
9.1/10

EPSS
0.80004/1

CVE-2024-25641 in Cacti allows authenticated users with "Import Templates" permission to execute arbitrary PHP code. This arbitrary file write vulnerability is triggered through the "Package Import" feature, enabling malicious PHP code execution.

The vulnerability exists in the import_package() function in /lib/import.php, where filenames and file contents taken from the imported XML package are trusted without validation, so a crafted package can write or overwrite critical files on the server. Although the CVSS score is 9.1, the SOCRadar Vulnerability Risk Score (SVRS) is 60, suggesting a moderate level of risk; active exploits are nevertheless available "In The Wild", so organizations should prioritize upgrading to version 1.2.27. The issue is significant because successful exploitation can lead to complete compromise of the Cacti installation and the underlying web server, which is why prompt patching matters.

In The Wild
Exploit Available
X_refsource_CONFIRM
X_refsource_MISC
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
2024-05-13

2025-02-13
SOCRadar
AI Insight

Description

CVE-2024-25641 is a vulnerability with a CVSS score of 0, indicating a low severity. However, SOCRadar's SVRS assigns it a score of 30, highlighting the potential for exploitation. This discrepancy stems from SOCRadar's integration of additional intelligence sources, including social media, news, and dark web data.

Key Insights

  • Active Exploitation: The vulnerability is actively exploited in the wild, posing an immediate threat to organizations.
  • Low CVSS Score: The CVSS score of 0 may underestimate the severity of the vulnerability, as it does not consider the broader context and intelligence gathered by SOCRadar.
  • SVRS Score of 30: The SVRS score of 30 indicates a moderate level of risk, warranting attention and prompt mitigation.
  • Threat Actors: Specific threat actors or APT groups exploiting this vulnerability have not been identified at this time.

Mitigation Strategies

  • Apply Software Updates: Install the latest software updates and patches to address the vulnerability.
  • Enable Intrusion Detection Systems (IDS): Implement IDS to detect and block malicious activity targeting the vulnerability.
  • Restrict Network Access: Limit access to vulnerable systems and services to reduce the attack surface.
  • Educate Users: Train users on security best practices and the importance of reporting suspicious activity.

Additional Information

  • The Cybersecurity and Infrastructure Security Agency (CISA) has not yet issued a warning for this vulnerability.
  • Users with additional queries can utilize the 'Ask to Analyst' feature, contact SOCRadar directly, or open a support ticket for further assistance.

Indicators of Compromise

No IOCs found for this CVE

Exploits

Title | Software Link | Date
thisisveryfunny/CVE-2024-25641-RCE-Automated-Exploit-Cacti-1.2.26 | https://github.com/thisisveryfunny/CVE-2024-25641-RCE-Automated-Exploit-Cacti-1.2.26 | 2024-08-27
Safarchand/CVE-2024-25641 | https://github.com/Safarchand/CVE-2024-25641 | 2024-08-27
StopThatTalace/CVE-2024-25641-CACTI-RCE-1.2.26 | https://github.com/StopThatTalace/CVE-2024-25641-CACTI-RCE-1.2.26 | 2024-08-29
XiaomingX/cve-2024-25641-poc | https://github.com/XiaomingX/cve-2024-25641-poc | 2024-11-22
D3Ext/CVE-2024-25641 | https://github.com/D3Ext/CVE-2024-25641 | 2025-01-05
regantemudo/CVE-2024-25641-Exploit-for-Cacti-1.2.26 | https://github.com/regantemudo/CVE-2024-25641-Exploit-for-Cacti-1.2.26 | 2025-03-17
Cacti 1.2.26 - Remote Code Execution (RCE) (Authenticated) | https://github.com/Cacti/cacti/archive/refs/tags/release/1.2.26.zip | 2025-04-15

News

CVE-2024-25641 | Cacti up to 1.2.26 Package Import /lib/import.php import_package code injection
vuldb.com, 2024-12-18
A vulnerability was found in Cacti up to 1.2.26. It has been rated as critical. Affected by this issue is the function import_package in the library /lib/import.php of the component Package Import. The manipulation leads to code injection. This vulnerability is handled as

Daily Summary - 14.05.2024
CERT.at, 2024-05-14
End-of-Day report. Timeframe: Monday 13-05-2024 18:00 - Tuesday 14-05-2024 18:00. Handler: Alexander Riepl. Co-Handler: n/a. News: PyPi package backdoors Macs using the Sliver pen-testing suite. A new package mimicked the popular requests library on the Python Package Index (PyPI) to target macOS devices with the Sliver C2 adversary framework, used for gaining initial access to corporate .. https://www.bleepingcomputer.com
Tags: cve-2024-25641, cve-2024-23296, cve-2024-4761

FOCUS FRIDAY: TPRM INSIGHTS ON POLYFILL SUPPLY CHAIN ATTACK AND MOVEit, CISCO NX-OS, OPENSSH, APACHE TOMCAT, PROGRESS’ WHATSUP GOLD, AND MICROSOFT MSHTML VULNERABILITIES
Ferdi Gül, 2024-07-12
Written by: Ferdi Gul. Contributor: Ferhat Dikbiyik. Welcome to this week’s Focus Friday blog, where we delve into critical vulnerabilities impacting today’s digital landscape from a Third-Party Risk Management (TPRM) perspective. In this edition, we explore significant threats associated with Progress’ MOVEit, Cisco NX-OS, OpenSSH, Apache Tomcat, Polyfill, Progress’ WhatsUp Gold, Microsoft MSHTML. Understanding these vulnerabilities [...]
Tags: cve-2024-5806, cve-2024-29849, cve-2024-23692, cve-2024-4577

20th May – Threat Intelligence Report
hagarb, 2024-05-20
For the latest discoveries in cyber research for the week of 20th May, please download our Threat_Intelligence Bulletin. TOP ATTACKS AND BREACHES: Australian electronic prescriptions provider MediSecure suffered a significant ransomware attack, leading to widespread disruptions and data breaches. The impact of the attack has been profound, broadly affecting healthcare data in the country. [...] (Check Point Research)
Tags: cve-2024-30046, cve-2024-22267, cve-2024-30051, cve-2024-30040

Metasploit Weekly Wrap-Up 06/14/2024
Alan David Foster, 2024-06-14
This week’s Metasploit Weekly Wrap-Up includes 5 new module contents, 4 enhancements and features, and some bug fixes. Learn more about the updates. New module content (5): Telerik Report Server Auth Bypass. Authors: SinSinology and Spencer McIntyre. Type: Auxiliary. Pull request: #19242
Tags: cve-2024-25641, cve-2022-41034, cve-2024-23692, cve-2024-1800

FOCUS FRIDAY: Addressing the PHP-CGI, Microsoft MSMQ, and Rejetto HFS Vulnerabilities: A TPRM Approach
Ferdi Gül, 2024-06-14 (normshield.com)
Written by: Ferdi Gul. Contributor: Ferhat Dikbiyik. Welcome to this week’s Focus Friday, where we delve into critical vulnerabilities reshaping Third-Party Risk Management (TPRM) practices. Today, we spotlight three high-profile issues: PHP-CGI, Microsoft Message Queuing (MSMQ), and Rejetto HTTP File Server (HFS) incidents. Our discussion will cover the specifics of these incidents and illustrate how Black [...]

FOCUS FRIDAY: Addressing the Veeam SPC and Cacti Vulnerabilities: A TPRM Approach
Ferdi Gül, 2024-05-17 (normshield.com)
Welcome to this week’s Focus Friday, where we delve into critical vulnerabilities that are reshaping Third-Party Risk Management (TPRM) practices. Today, we spotlight two high-profile issues: the Veeam Service Provider Console and Cacti incidents. Our discussion will not only cover the specifics of these incidents but also illustrate how Black Kite’s FocusTags™ can drive proactive [...]

Social Media

  • Write up time! MonitorsThree from @hackthebox_eu is featuring an SQL injection vulnerability and CVE-2024-25641 for the user part. Privilege escalation is achieved by exploiting the backup software Duplicati. Link --> https://t.co/oVD9eb3JTZ
  • MonitorsTree is a medium machine from @hackthebox_eu: SQLi in forgot_password => admin pass => CVE-2024-25641 => RCE through a malicious package import in cacti => exploit an internal Duplicati instance => bypass auth => abuse backup creation feature to get our root https://t.co/f0XR7es4nc
  • MonitorsThree HackTheBox Writeup https://t.co/SXpJ53qArK #writeup #hackthebox #monitorsthree #cacti #rce #sqli #CVE-2024-25641 #duplicati https://t.co/dJ2SfrjKjr
  • Introducing Fully automated exploit script for CVE-2024-25641! Check out the repo and try it! https://t.co/1vK897DIOb
  • CVE-2024-25641 Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, an arbitrary file write vulnerability, exploitable through the "Pack… https://t.co/eqPPnsTp89
  • #Cacti, a widely used network monitoring tool, has released a critical security update to address multiple #vulnerabilities, including a severe #RCE (CVE-2024-25641) #vulnerability. The technical details and #PoC have been published. https://t.co/cwe6Eq9bub
  • 🗣 Cacti Network Monitoring Software Patched for Critical Security Flaws (CVE-2024-25641) https://t.co/tap4eQjfu8 #security #cybernews #cybersecurity #fridaysecurity #linkedin #twitter #telegram

Affected Software

Configuration 1
Type | Vendor | Product
App | Cacti | cacti

Configuration 2
Type | Vendor | Product
OS | Fedoraproject | fedora

References

Reference | Link
[email protected] | http://seclists.org/fulldisclosure/2024/May/6
[email protected] | https://github.com/Cacti/cacti/commit/eff35b0ff26cc27c82d7880469ed6d5e3bef6210
[email protected] | https://github.com/Cacti/cacti/security/advisories/GHSA-7cmj-g5qc-pj88
[email protected] | https://lists.fedoraproject.org/archives/list/[email protected]/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/
AF854A3A-2127-422B-91AE-364DA2661108 | http://seclists.org/fulldisclosure/2024/May/6
AF854A3A-2127-422B-91AE-364DA2661108 | https://github.com/Cacti/cacti/commit/eff35b0ff26cc27c82d7880469ed6d5e3bef6210
AF854A3A-2127-422B-91AE-364DA2661108 | https://github.com/Cacti/cacti/security/advisories/GHSA-7cmj-g5qc-pj88
AF854A3A-2127-422B-91AE-364DA2661108 | https://lists.fedoraproject.org/archives/list/[email protected]/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/
HTTPS://GITHUB.COM/CACTI/CACTI/COMMIT/EFF35B0FF26CC27C82D7880469ED6D5E3BEF6210 | https://github.com/Cacti/cacti/commit/eff35b0ff26cc27c82d7880469ed6d5e3bef6210
HTTPS://GITHUB.COM/CACTI/CACTI/SECURITY/ADVISORIES/GHSA-7CMJ-G5QC-PJ88 | https://github.com/Cacti/cacti/security/advisories/GHSA-7cmj-g5qc-pj88
GITHUB | https://github.com/Cacti/cacti/security/advisories/GHSA-7cmj-g5qc-pj88

CWE Details

CWE ID | CWE Name | Description
CWE-20 | Improper Input Validation | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
