CVE-2025-24367: 
Cacti vulnerability analysis and mitigation

CVE-2025-24367 is a security vulnerability discovered in Cacti, an open-source performance and fault management framework. The vulnerability allows an authenticated Cacti user to abuse graph creation and graph template functionality to create arbitrary PHP scripts in the web root of the application, leading to remote code execution on the server. The issue was discovered in January 2025 and affects all versions of Cacti up to and including version 1.2.28, with a fix released in version 1.2.29 (GitHub Advisory).

The vulnerability stems from insufficient sanitization of user input in Cacti's rrdtool binary functionality. While the application attempts to sanitize potentially tainted user input by escaping shell metacharacters through the cacti_escapeshellarg function, it fails to properly handle newline characters. This oversight allows attackers to inject multiple newlines to execute separate commands on the rrdtool binary, including functionality such as RRD creation, restoration, and dump. The vulnerability has been assigned a CVSS v4.0 score of 8.7 (High) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (NVD).

The exploitation of this vulnerability enables attackers to write arbitrary PHP scripts to the web root of the application, potentially leading to remote code execution on the server. This allows authenticated attackers to execute arbitrary code, potentially gaining control over the affected system and accessing, modifying, or deleting sensitive data (GitHub Advisory).

Organizations using Cacti should immediately upgrade to version 1.2.29 or later, which contains the fix for this vulnerability. The patch addresses the input sanitization issues and prevents the creation of arbitrary PHP scripts through the graph functionality (Hacker News).

The vulnerability has gained significant attention in the security community, with multiple Linux distributions including Debian releasing security updates to address the issue. Debian has marked this vulnerability as having 'unimportant' urgency in their security tracker, though they have released fixes for both bullseye and bookworm distributions (Debian Tracker).