Cacti is under attack again: 12 vulnerabilities open up attack paths for hackers at once

Father
Update as soon as possible to protect vulnerable servers.

The developers of Cacti, an open source network monitoring and management system, have fixed 12 vulnerabilities, including two critical ones that lead to arbitrary code execution.

Here are the most serious of the patched vulnerabilities:
  • CVE-2024-25641 (CVSS score 9.1). An arbitrary file write vulnerability in the "Import packages" function that allows authenticated users with the "Import templates" permission to execute arbitrary PHP code on the web server, which can lead to remote code execution.
  • CVE-2024-29895 (CVSS score 10.0). A command injection vulnerability that allows any unauthorized user to execute arbitrary commands on the server when the "register_argc_argv" option is enabled in PHP.

Two other critical vulnerabilities that could lead to code execution via SQL injection and file inclusion were also addressed:
  • CVE-2024-31445 (CVSS score 8.8). SQL injection vulnerability in api_automation.php, which allows authenticated users to perform privilege escalation followed by remote code execution.
  • CVE-2024-31459 (CVSS score: not yet available). A file inclusion issue in lib/plugin.php, which can be chained with the SQL injection vulnerability to achieve remote code execution.

It should be noted that 10 of the 12 vulnerabilities, with the exception of CVE-2024-29895 and CVE-2024-30268, affect all versions of Cacti up to and including 1.2.26. These issues were fixed in version 1.2.27, released on May 13, 2024. The other two vulnerabilities affect the 1.3.x development versions.
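The two facts a defender needs for triage are stated above: the 1.2.x fixes shipped in 1.2.27 (everything up to and including 1.2.26 is affected), and the CVSS 10.0 command injection CVE-2024-29895 depends on PHP's register_argc_argv being enabled. The script below is an added example, not code from the Cacti project or from the original post; it combines both checks. It assumes the installed version string is read from Cacti's include/cacti_version file (the sample version strings and the php.ini text are constructed inline) and only handles the 1.2.x branch, since the page gives no fixed version for the 1.3.x development issues.

```python
"""Triage helper for the Cacti 1.2.x advisories described above.

Two checks before deciding how urgently to patch:
  1. Is the installed Cacti version at or below 1.2.26 (fixed in 1.2.27)?
  2. Is PHP's register_argc_argv enabled (precondition for CVE-2024-29895)?

Assumption (not from the advisory): the version string comes from Cacti's
include/cacti_version file and php.ini is available as plain text.
"""
import re
from typing import Optional

FIXED_VERSION = (1, 2, 27)  # first 1.2.x release carrying the fixes


def parse_version(text: str) -> tuple:
    """Turn '1.2.26' (optionally followed by a suffix) into a comparable tuple."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Cacti version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def needs_update(version: str) -> bool:
    """True when a 1.2.x version predates the fixed release 1.2.27."""
    v = parse_version(version)
    if v[:2] != (1, 2):
        raise ValueError("only the 1.2.x branch is handled here")
    return v < FIXED_VERSION


_TRUE_VALUES = {"1", "on", "true", "yes"}


def register_argc_argv_enabled(ini_text: str) -> Optional[bool]:
    """Report the effective register_argc_argv value from php.ini text.

    Later assignments override earlier ones; ';' comments are ignored.
    Returns None when the directive is not set in this file at all.
    """
    state = None
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # strip trailing/inline comments
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() != "register_argc_argv":
            continue
        state = value.strip().strip('"').lower() in _TRUE_VALUES
    return state


def assess(version: str, ini_text: str) -> list:
    """Return human-readable findings; an empty list means nothing to do here."""
    findings = []
    if needs_update(version):
        findings.append(f"Cacti {version} predates 1.2.27: update required")
    if register_argc_argv_enabled(ini_text):
        findings.append("register_argc_argv is On: CVE-2024-29895 precondition present")
    return findings


# Constructed sample php.ini fragment (not taken from any real host).
SAMPLE_PHP_INI = """\
; Example php.ini excerpt
;register_argc_argv = Off   ; commented out, must be ignored
register_argc_argv = On     ; effective value
memory_usage = 128M
"""

if __name__ == "__main__":
    # Constructed version string; on a real host read include/cacti_version.
    for finding in assess("1.2.26", SAMPLE_PHP_INI):
        print(finding)
```

Run it against the real include/cacti_version contents and the php.ini that the web server's PHP actually loads (the CLI and web SAPIs can use different files); a host that passes both checks still needs the 1.2.27 update for the other ten fixes.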

This comes more than eight months after another critical SQL injection vulnerability in Cacti (CVE-2023-39361, CVSS 9.8) was identified, which allowed an attacker to gain elevated privileges and execute malicious code.

And in early 2023, a critical vulnerability, CVE-2022-46169 (CVSS 9.8), allowed attackers to compromise Internet-facing Cacti servers and spread the MooBot and ShellBot botnets.

Since PoC exploits for the above vulnerabilities are already available in public GitHub repositories, it is recommended that you update your systems to the latest version as soon as possible to prevent potential threats.