Cacti Network Monitoring Software Patched for Critical Security Flaws (CVE-2024-25641)

Cacti, a widely used network monitoring tool, has released a critical security update to address multiple vulnerabilities, including a severe remote code execution (RCE) flaw. The most critical vulnerability, CVE-2024-25641, could allow authenticated attackers with the “Import Templates” permission to execute arbitrary PHP code on the affected web server.

Image: Cacti

Spotlight on Critical RCE Vulnerability

Among the most alarming vulnerabilities addressed in this update is CVE-2024-25641, with a CVSS score of 9.1. This vulnerability allows authenticated users with specific permissions to execute arbitrary PHP code via the framework’s package import functionality. This flaw originates from the import_package() function, which fails to adequately sanitize and validate file names and content within uploaded XML data, leading to potential arbitrary file writes on the web server.

Image: Egidio Romano

The exploit, demonstrated by a proof-of-concept PHP script provided by security researcher Egidio Romano, reveals the ease with which attackers could manipulate the import process to inject and execute malicious code, gaining unwarranted access to the system.

Additional Vulnerabilities and Fixes

The release also patches several other vulnerabilities, including:

• CVE-2024-34340 (CVSS 4.2): An authentication bypass issue related to older password hashes, which could allow unauthorized access under certain conditions.
• CVE-2024-31443 (CVSS 5.7) and CVE-2024-27082 (CVSS 7.6): Both vulnerabilities pertain to XSS flaws that could enable attackers to inject client-side scripts into web pages viewed by other users, manipulating web sessions.
• CVE-2024-31444 (CVSS 4.6), CVE-2024-31458 (CVSS 4.6), CVE-2024-31460, and CVE-2024-31445 (CVSS 8.8): These SQL injection flaws could allow attackers to interfere with the framework’s database queries, potentially leading to unauthorized data manipulation or access.
• CVE-2024-31459: An RCE vulnerability associated with the inclusion of files via plugins, potentially allowing attackers to execute arbitrary code.
• CVE-2024-29894: An XSS vulnerability in the JavaScript-based messaging API, which could be exploited to execute malicious scripts.

These vulnerabilities range in severity, with some allowing for cross-site scripting (XSS) attacks, while others could lead to SQL injection attacks or the execution of arbitrary code.

Urgent Call to Action for Cacti Users

Technical details and proof-of-concept code for these vulnerabilities have been made public, increasing the urgency for users to apply the latest Cacti update. All Cacti users are strongly encouraged to upgrade to version 1.2.27 or later immediately to mitigate the risk of exploitation.