CVE-2024-25641 PoC — Cacti RCE vulnerability when importing packages

Associated Vulnerability
Title: Cacti RCE vulnerability when importing packages (CVE-2024-25641)
Description: Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, an arbitrary file write vulnerability, exploitable through the "Package Import" feature, allows authenticated users having the "Import Templates" permission to execute arbitrary PHP code on the web server. The vulnerability is located within the `import_package()` function defined in the `/lib/import.php` script. The function blindly trusts the filename and file content provided within the XML data, and writes such files into the Cacti base path (or even outside, since path traversal sequences are not filtered). This can be exploited to write or overwrite arbitrary files on the web server, leading to execution of arbitrary PHP code or other security impacts. Version 1.2.27 contains a patch for this issue.
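
The description says the import code trusted filenames from the package XML and did not filter traversal sequences. The following is an added defensive example (not Cacti's code and not the 1.2.27 patch) of a containment check an importer or a package auditor could apply to each filename before writing; the base path, function names, extension list and sample names are assumptions made for illustration.

```python
import posixpath

# Assumed policy for this sketch: extensions the web server would execute.
EXECUTABLE_EXTS = {".php", ".phtml", ".phar"}


def check_entry(base, name):
    """Classify one filename taken from package XML: ok, review or reject."""
    if "\x00" in name:
        return ("reject", "NUL byte in name")
    # Treat backslashes as separators so Windows-style traversal is caught too.
    unified = name.replace("\\", "/")
    if unified.startswith("/") or unified[1:2] == ":":
        return ("reject", "absolute path")
    base_norm = posixpath.normpath(base)
    dest = posixpath.normpath(posixpath.join(base_norm, unified))
    # Compare against base + "/" so a sibling such as "<base>_evil" does not
    # pass a naive prefix test. This is lexical only: on a live filesystem,
    # resolve symlinks (os.path.realpath) before comparing.
    prefix = base_norm.rstrip("/") + "/"
    if not dest.startswith(prefix):
        return ("reject", "escapes base path: " + dest)
    # Containment alone is not enough: a server-executable file written
    # inside the web root still runs, so surface it for review.
    if posixpath.splitext(dest)[1].lower() in EXECUTABLE_EXTS:
        return ("review", "server-executable file inside base: " + dest)
    return ("ok", dest)


def audit(base, names):
    """Map every filename in a package to its verdict."""
    return {n: check_entry(base, n) for n in names}


# Constructed sample filenames, not taken from any real package.
SAMPLE = [
    "resource/script_queries/host.xml",
    "resource/test.php",
    "../../../tmp/x.php",
    "resource/../../cacti_evil/a.txt",
    "..\\..\\x.txt",
    "/etc/cron.d/job",
]

if __name__ == "__main__":
    for name, (verdict, detail) in audit("/var/www/html/cacti", SAMPLE).items():
        print(f"{verdict:7} {name!r}: {detail}")
```
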
Readme
# CVE-2024-25641 Exploit for Cacti 1.2.26

Exploiting CVE-2024-25641 on Cacti 1.2.26. When a user is authenticated, an arbitrary file write vulnerability allows Remote Code Execution (RCE).

---

## Overview
This script automates the process of exploiting **CVE-2024-25641** in **Cacti 1.2.26**. The vulnerability allows authenticated users with the `Import Templates` permission to achieve **Remote Code Execution (RCE)** via the `Package Import` feature.

📌 **Original Advisory:** [GitHub Security Advisory](https://github.com/Cacti/cacti/security/advisories/GHSA-7cmj-g5qc-pj88)

----
## Features
- ✅ **Fully Automated Exploitation**: Simplifies the attack process.
- ⚡ **Flexible Targeting**: Easily configure target URL, credentials, and payload.
- 📦 **Dependency Management**: Ensure smooth installation via `requirements.txt`.

## Prerequisites
Ensure you have the following installed:
- 🐍 **Python 3.x**
- 📜 Required Python modules (install via `requirements.txt`)

## Installation
Clone the repository:
```sh
git clone https://github.com/regantemudo/CVE-2024-25641-Exploit-for-Cacti-1.2.26.git
cd CVE-2024-25641-Exploit-for-Cacti-1.2.26
```

Install dependencies:
```sh
pip install -r requirements.txt
```

## Usage
### 🚀 Prepare Your PHP Payload
By default, the script uses `./php/reverse_shell.php` as the payload. Modify the IP address and port inside the PHP script accordingly.

### 🔥 Run the Exploit
```sh
python3 cacti_exploit.py <URL> <username> <password> [-p <payload_path>]
```

#### Arguments:
- 🌍 `URL`: The target Cacti URL.
- 👤 `username`: Login username.
- 🔑 `password`: Login password.
- 🛠️ `-p/--payload`: (Optional) Path to a custom PHP payload (default: `./php/reverse_shell.php`).

### ⚡ Execute the Payload
Once the script successfully uploads the PHP payload, execute it via the browser or directly through the script.

## Project Structure
```
CVE-2024-25641-Exploit-for-Cacti-1.2.26/
├── php/
│   └── reverse_shell.php
├── README.md
├── cacti_exploit.py
└── requirements.txt
```

## ⚠️ Disclaimer
This tool is strictly for **educational and authorized penetration testing**. Unauthorized use is illegal and may lead to severe consequences. The authors hold no responsibility for any misuse or damage caused by this software.
File Snapshot

```
[4.0K] /data/pocs/0fad1ed16e4cc343122c00b6b0c8f86997981598
├── [4.6K] cacti_exploit.py
├── [4.0K] php
│   └── [5.4K] reverse_shell.php
├── [2.3K] README.md
└── [ 185] requirements.txt

1 directory, 4 files
```