Cacti Network Monitoring Tool fixes multiple vulnerabilities, two critical
Take action: If you are using the Cacti network monitoring tool, note that the most severe issue (an unauthenticated command injection) affects only the 1.3.x development branch. If you are running a stable 1.2.x release, schedule the upgrade to 1.2.27 through your regular patch cycle rather than as a panic-mode effort: the stable-branch flaws all require an authenticated account, but they still lead to remote code execution, so do not defer the upgrade indefinitely.
Learn More
The maintainers of the Cacti network monitoring software have released updates (stable release 1.2.27 and a new development release) to address several critical and high-severity vulnerabilities:
- CVE-2024-25641 (CVSS score 9.1): an arbitrary file write in the import_package() function. An authenticated adversary holding the "Import Templates" permission could use it to plant and execute arbitrary PHP code on the target server. The flaw affects Cacti versions 1.2.26 and earlier and is patched in Cacti version 1.2.27.
- CVE-2024-29895 (CVSS score 10.0): command injection reachable by an unauthenticated adversary when the register_argc_argv PHP option is enabled. This vulnerability affects the development versions 1.3.x and has been addressed in the latest development release. Check the setting in the php.ini loaded by the web SAPI that serves Cacti (phpinfo() shows which file that is); the PHP command-line interpreter forces this option on, so "php -i" on the host does not reflect the web server's value.
- CVE-2024-31445 (CVSS score 8.8) an SQL injection vulnerability in api_automation.php could allow an authenticated attacker to escalate privileges and potentially achieve remote code execution. Patched in Cacti version 1.2.27.
- CVE-2024-31459 (CVSS score 8.0) a high-severity file inclusion vulnerability in lib/plugin.php could lead to remote code execution when combined with other SQL injection vulnerabilities. Patched in Cacti version 1.2.27.
- CVE-2024-30268 (CVSS score 6.1) a moderate-severity reflected XSS vulnerability in the development versions 1.3.x.
All users of the Cacti network monitoring tool are advised to upgrade to version 1.2.27 or, on the development branch, to the latest development release.
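The following triage script turns the guidance above into a per-host check. It is an added example, not code from the advisory or from the Cacti project. It assumes the Cacti install root keeps its version string in include/cacti_version (a single line such as 1.2.27) and that the php.ini you pass in is the one loaded by the web SAPI serving Cacti; the version strings and php.ini fragments used in the demo and tests are constructed, not taken from any real host.

```shell
#!/bin/sh
# Added triage helper; it is not code from the advisory or from the Cacti
# project. Assumptions: the Cacti install root holds include/cacti_version
# with a single line such as "1.2.27", and the php.ini passed in is the one
# loaded by the web SAPI that serves Cacti (phpinfo() reports its path). The
# CLI SAPI forces register_argc_argv on, so `php -r` is not a valid check.

# cacti_status VERSION
# Classify a Cacti version string against the advisory above and print:
#   stable-vulnerable  1.2.26 and earlier (CVE-2024-25641, -31445, -31459)
#   stable-fixed       1.2.27 and later stable releases
#   development        1.3.x (CVE-2024-29895, -30268; only the latest
#                      development release is fixed, so verify its date)
#   unknown            anything that is not a dotted numeric version
cacti_status() {
    case $1 in
        ''|*[!0-9.]*|.*|*.) echo unknown; return 0 ;;
    esac
    major=${1%%.*}
    rest=${1#"$major"}; rest=${rest#.}
    minor=${rest%%.*}
    rest=${rest#"$minor"}; rest=${rest#.}
    patch=${rest%%.*}
    minor=${minor:-0}; patch=${patch:-0}
    if [ "$major" -eq 1 ] && [ "$minor" -eq 3 ]; then
        echo development
    elif [ $((major * 1000000 + minor * 1000 + patch)) -le 1002026 ]; then
        echo stable-vulnerable
    else
        echo stable-fixed
    fi
}

# argv_registered PHP_INI_FILE
# Return 0 when that php.ini leaves register_argc_argv enabled (the
# precondition for CVE-2024-29895) and 1 when it is switched off.
# The last assignment wins, as in PHP; PHP treats 1/On/True/Yes as true.
# If the directive is absent, PHP's built-in default (On) applies.
argv_registered() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    line=$(grep -i '^[[:space:]]*register_argc_argv[[:space:]]*=' "$1" | tail -n 1)
    [ -n "$line" ] || return 0
    val=${line#*=}
    val=${val%%;*}
    val=$(printf '%s' "$val" | tr -d "[:space:]\"'" | tr '[:upper:]' '[:lower:]')
    case $val in
        1|on|true|yes) return 0 ;;
        *) return 1 ;;
    esac
}

# triage CACTI_ROOT PHP_INI: print one summary line for the host.
triage() {
    ver=$(head -n 1 "$1/include/cacti_version")
    status=$(cacti_status "$ver")
    if [ "$status" = development ] && argv_registered "$2"; then
        printf '%s %s register_argc_argv=on: CVE-2024-29895 reachable unauthenticated, update now\n' "$ver" "$status"
    elif [ "$status" = stable-vulnerable ]; then
        printf '%s %s: upgrade to 1.2.27 (authenticated RCE chains)\n' "$ver" "$status"
    else
        printf '%s %s\n' "$ver" "$status"
    fi
}

# With two arguments, triage a real install; with none, run the helpers on
# a constructed sample install (not taken from any real host).
if [ "$#" -eq 2 ]; then
    triage "$1" "$2"
elif [ "$#" -eq 0 ]; then
    tmp=$(mktemp -d)
    mkdir -p "$tmp/cacti/include"
    printf '1.2.26\n' > "$tmp/cacti/include/cacti_version"
    printf '; constructed php.ini fragment\nregister_argc_argv = On\n' > "$tmp/php.ini"
    triage "$tmp/cacti" "$tmp/php.ini"
    rm -r "$tmp"
fi
```

Run it as "sh cacti_triage.sh /var/www/cacti /etc/php/fpm/php.ini" (paths are examples) on each monitored host; the php.ini path should be the one phpinfo() reports for the web SAPI, since a CLI php.ini or the CLI's own reading of the directive will not match what the web server enforces.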