CVE-2024-25641

Published: 14/05/2024 Updated: 10/06/2024

Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, an arbitrary file write vulnerability, exploitable through the "Package Import" feature, allows authenticated users having the "Import Templates" permission to execute arbitrary PHP code on the web server. The vulnerability is located within the `import_package()` function defined into the `/lib/import.php` script. The function blindly trusts the filename and file content provided within the XML data, and writes such files into the Cacti base path (or even outside, since path traversal sequences are not filtered). This can be exploited to write or overwrite arbitrary files on the web server, leading to execution of arbitrary PHP code or other security impacts. Version 1.2.27 contains a patch for this issue.

Check Point Reference: CPAI-2024-0289 Date Published: 19 May 2024 Severity: Critical ...

Cacti versions 1226 and below suffer from a remote code execution execution vulnerability in importphp ...

This exploit module leverages an arbitrary file write vulnerability in Cacti versions prior to 1227 to achieve remote code execution It abuses the Import Packages feature to upload a specially crafted package that embeds a PHP file Cacti will extract this file to an accessible location The module finally triggers the payload to execute arbitra ...

This exploit module leverages an arbitrary file write vulnerability (CVE-2024-25641) in Cacti versions prior to 1227 to achieve RCE It abuses the `Import Packages` feature to upload a specially crafted package that embeds a PHP file Cacti will extract this file to an accessible location The module finall ...

This exploit module leverages an arbitrary file write vulnerability (CVE-2024-25641) in Cacti versions prior to 1.2.27 to achieve RCE. It abuses the `Import Packages` feature to upload a specially crafted package that embeds a PHP file. Cacti will extract this file to an accessible location. The module finally triggers the payload to execute arbitrary PHP code in the context of the user running the web server. Authentication is needed and the account must have access to the `Import Packages` feature. This is granted by setting the `Import Templates` permission in the `Template Editor` section.

msf > use exploit/multi/http/cacti_package_import_rce
msf exploit(cacti_package_import_rce) > show targets
    ...targets...
msf exploit(cacti_package_import_rce) > set TARGET < target-id >
msf exploit(cacti_package_import_rce) > show options
    ...show and set options...
msf exploit(cacti_package_import_rce) > exploit

https://github.com/Cacti/cacti/security/advisories/GHSA-7cmj-g5qc-pj88 https://github.com/Cacti/cacti/commit/eff35b0ff26cc27c82d7880469ed6d5e3bef6210 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/http://seclists.org/fulldisclosure/2024/May/6 https://nvd.nist.gov https://packetstormsecurity.com/files/178584/Cacti-1.2.26-Remote-Code-Execution.html https://www.rapid7.com/db/modules/exploit/multi/http/cacti_package_import_rce/https://advisories.checkpoint.com/defense/advisories/public/2024/cpai-2024-0289.html

CVE-2024-25641

Vulnerability Summary

Vendor Advisories

Exploits

Metasploit Modules

References

Vulmon Search

About

Products

Connect