Share
## https://sploitus.com/exploit?id=251A07B0-CC5A-5473-BEF2-C624471F27AE
# Cacti CVE-2025-24367 Authenticated RCE PoC

This repository contains a proof‑of‑concept exploit for **CVE‑2025‑24367**, an authenticated remote code execution vulnerability in Cacti.

The issue abuses insufficient input sanitization in graph template handling. By injecting malicious content into the **“Unix – Logged in Users”** graph template (ID 226), it is possible to write an arbitrary PHP file to the Cacti web root and execute commands on the server.

This PoC is intended for **lab environments, controlled testing, and research purposes only**.

---

## Vulnerability Summary

* **Product:** Cacti
* **Vulnerability:** Authenticated Remote Code Execution
* **CVE:** CVE‑2025‑24367
* **Attack Vector:** Graph template injection (RRDTool command context)
* **Authentication Required:** Yes (valid Cacti user)

The vulnerability exists due to unsafe handling of user‑controlled input in graph template fields, which are passed to RRDTool without adequate sanitization.

---

## Exploit Overview

The exploit works in two stages:

1. **Payload upload**
   A malicious graph template update causes Cacti to write a PHP file to disk, which downloads a bash reverse shell script from the attacker.

2. **Payload execution**
   The template is triggered again to execute the downloaded script, resulting in a reverse shell back to the attacker.

A temporary HTTP server is used to host the payload during exploitation.

---

## Requirements

* Python 3
* Network access to the target Cacti instance
* Valid Cacti credentials
* A listener on the attacker machine (e.g. `nc -lvnp 4444`)

Python dependencies:

```
pip install requests
```

---

## Usage

1. Start a listener on your machine:

```
nc -lvnp 4444
```

2. Run the exploit:

```
python3 exploit.py
```

3. Provide the requested information:

   * Base URL of the target (do **not** include `/cacti/`)
   * Valid Cacti username and password
   * Your IP address and listening port

If successful, a reverse shell should connect back to your listener.

---

## Notes

* The exploit assumes the **“Unix – Logged in Users”** graph template exists and uses template ID **226**.
* Payload timing and execution can be sensitive depending on the target environment.
* This code was written as a PoC and is not hardened for reliability or stealth.

---

## Disclaimer

This project is provided for **educational and research purposes only**. The author does not take responsibility for misuse. Only test systems you own or have explicit permission to assess.

---

## Credits

* Original vulnerability research and exploit techniques from the Cacti security community
* Base exploit logic inspired by public research from **TheCyberGeek**