NA

CVE-2024-25641

Published: 14/05/2024 Updated: 10/06/2024

Vulnerability Summary

Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, an arbitrary file write vulnerability, exploitable through the "Package Import" feature, allows authenticated users having the "Import Templates" permission to execute arbitrary PHP code on the web server. The vulnerability is located within the `import_package()` function defined into the `/lib/import.php` script. The function blindly trusts the filename and file content provided within the XML data, and writes such files into the Cacti base path (or even outside, since path traversal sequences are not filtered). This can be exploited to write or overwrite arbitrary files on the web server, leading to execution of arbitrary PHP code or other security impacts. Version 1.2.27 contains a patch for this issue.

Vendor Advisories

Check Point Reference: CPAI-2024-0289 Date Published: 19 May 2024 Severity: Critical ...

Exploits

Cacti versions 1226 and below suffer from a remote code execution execution vulnerability in importphp ...
This exploit module leverages an arbitrary file write vulnerability in Cacti versions prior to 1227 to achieve remote code execution It abuses the Import Packages feature to upload a specially crafted package that embeds a PHP file Cacti will extract this file to an accessible location The module finally triggers the payload to execute arbitra ...
This exploit module leverages an arbitrary file write vulnerability (CVE-2024-25641) in Cacti versions prior to 1227 to achieve RCE It abuses the `Import Packages` feature to upload a specially crafted package that embeds a PHP file Cacti will extract this file to an accessible location The module finall ...

Metasploit Modules

Cacti Import Packages RCE

This exploit module leverages an arbitrary file write vulnerability (CVE-2024-25641) in Cacti versions prior to 1.2.27 to achieve RCE. It abuses the `Import Packages` feature to upload a specially crafted package that embeds a PHP file. Cacti will extract this file to an accessible location. The module finally triggers the payload to execute arbitrary PHP code in the context of the user running the web server. Authentication is needed and the account must have access to the `Import Packages` feature. This is granted by setting the `Import Templates` permission in the `Template Editor` section.

msf > use exploit/multi/http/cacti_package_import_rce
msf exploit(cacti_package_import_rce) > show targets
    ...targets...
msf exploit(cacti_package_import_rce) > set TARGET < target-id >
msf exploit(cacti_package_import_rce) > show options
    ...show and set options...
msf exploit(cacti_package_import_rce) > exploit