## https://sploitus.com/exploit?id=251A07B0-CC5A-5473-BEF2-C624471F27AE
# Cacti CVE-2025-24367 Authenticated RCE PoC
This repository contains a proofâofâconcept exploit for **CVEâ2025â24367**, an authenticated remote code execution vulnerability in Cacti.
The issue abuses insufficient input sanitization in graph template handling. By injecting malicious content into the **âUnix â Logged in Usersâ** graph template (ID 226), it is possible to write an arbitrary PHP file to the Cacti web root and execute commands on the server.
This PoC is intended for **lab environments, controlled testing, and research purposes only**.
---
## Vulnerability Summary
* **Product:** Cacti
* **Vulnerability:** Authenticated Remote Code Execution
* **CVE:** CVEâ2025â24367
* **Attack Vector:** Graph template injection (RRDTool command context)
* **Authentication Required:** Yes (valid Cacti user)
The vulnerability exists due to unsafe handling of userâcontrolled input in graph template fields, which are passed to RRDTool without adequate sanitization.
---
## Exploit Overview
The exploit works in two stages:
1. **Payload upload**
A malicious graph template update causes Cacti to write a PHP file to disk, which downloads a bash reverse shell script from the attacker.
2. **Payload execution**
The template is triggered again to execute the downloaded script, resulting in a reverse shell back to the attacker.
A temporary HTTP server is used to host the payload during exploitation.
---
## Requirements
* Python 3
* Network access to the target Cacti instance
* Valid Cacti credentials
* A listener on the attacker machine (e.g. `nc -lvnp 4444`)
Python dependencies:
```
pip install requests
```
---
## Usage
1. Start a listener on your machine:
```
nc -lvnp 4444
```
2. Run the exploit:
```
python3 exploit.py
```
3. Provide the requested information:
* Base URL of the target (do **not** include `/cacti/`)
* Valid Cacti username and password
* Your IP address and listening port
If successful, a reverse shell should connect back to your listener.
---
## Notes
* The exploit assumes the **âUnix â Logged in Usersâ** graph template exists and uses template ID **226**.
* Payload timing and execution can be sensitive depending on the target environment.
* This code was written as a PoC and is not hardened for reliability or stealth.
---
## Disclaimer
This project is provided for **educational and research purposes only**. The author does not take responsibility for misuse. Only test systems you own or have explicit permission to assess.
---
## Credits
* Original vulnerability research and exploit techniques from the Cacti security community
* Base exploit logic inspired by public research from **TheCyberGeek**