Fluid Attacks Database

Description

Cacti is an open source performance and fault management framework. An authenticated Cacti user can abuse graph creation and graph template functionality to create arbitrary PHP scripts in the web root of the application, leading to remote code execution on the server. This vulnerability is fixed in 1.2.29.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 13	cacti	>=0 <1.2.28+ds1-4	1.2.28+ds1-4
debian 11	cacti	=1.2.16+ds1-2 \|\| =1.2.16+ds1-2+deb11u1 \|\| =1.2.16+ds1-2+deb11u2 \|\| =1.2.16+ds1-2+deb11u3 \|\| =1.2.16+ds1-2+deb11u4 \|\| >=0 <1.2.16+ds1-2+deb11u5	1.2.16+ds1-2+deb11u5
debian 12	cacti	=1.2.24+ds1-1 \|\| =1.2.24+ds1-1+deb12u1 \|\| =1.2.24+ds1-1+deb12u2 \|\| =1.2.24+ds1-1+deb12u3 \|\| =1.2.24+ds1-1+deb12u4 \|\| >=0 <1.2.24+ds1-1+deb12u5	1.2.24+ds1-1+deb12u5
debian 14	cacti	>=0 <1.2.28+ds1-4	1.2.28+ds1-4

Aliases

1. CVE-2025-243672. NVD-2025-243673. OSV-DEBIAN-2025-243674. OSV-2025-243675. SECURITY-TRACKER-CVE-2025-24367

References

1. https://github.com/TheCyberGeek/CVE-2025-24367-Cacti-PoC2. https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/cacti_graph_template_rce.rb

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.