CVE-2024-29895

CRITICAL EXPLOITED NUCLEI

Cacti 1.3.x DEV - Command Injection


Exploitation Summary

CVE-2024-29895 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 6 public exploits from researchers including Stuub, apaz-dev, and secunnix. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository contains a functional Python script that exploits CVE-2024-29895, a command injection vulnerability in Cacti 1.3.x DEV. The exploit targets the `cmd_realtime.php` endpoint with a crafted GET request to achieve remote code execution.

Description

Cacti provides an operational monitoring and fault management framework. A command injection vulnerability on the 1.3.x DEV branch allows any unauthenticated user to execute arbitrary commands on the server when PHP's `register_argc_argv` option is `On`. At line 119 of `cmd_realtime.php`, the `$poller_id` value used as part of the command execution is sourced from `$_SERVER['argv']`, which can be controlled through the URL when `register_argc_argv` is `On`. This option is `On` by default in many environments, such as the main PHP Docker image. Commit 53e8014d1f082034e0646edc6286cde3800c683d contains a patch for the issue, but this commit was reverted in commit 99633903cad0de5ace636249de16f77e57a3c8fc.

Exploits (6)

nomisec WORKING POC 23 stars
by Stuub · remote
https://github.com/Stuub/CVE-2024-29895-CactiRCE-PoC

This repository contains a functional Python script that exploits CVE-2024-29895, a command injection vulnerability in Cacti 1.3.x DEV. The exploit targets the `cmd_realtime.php` endpoint with a crafted GET request to achieve remote code execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Cacti 1.3.x DEV
No auth needed
Prerequisites: PHP `register_argc_argv` option enabled · Presence of `cmd_realtime.php` endpoint
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 5 stars
by apaz-dev · poc
https://github.com/apaz-dev/CVE-2024-29895

The repository contains a functional Python PoC for CVE-2024-29895, a command injection vulnerability in Cacti 1.3.x dev branch. The exploit leverages the `poller_id` parameter in `cmd_realtime.php` to execute arbitrary commands when `register_argc_argv` is enabled.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Cacti 1.3.x dev
No auth needed
Prerequisites: Cacti 1.3.x dev branch · `cmd_realtime.php` accessible · `register_argc_argv` enabled
devstral-2 · analyzed Feb 19, 2026

nomisec WORKING POC 1 stars
by secunnix · remote
https://github.com/secunnix/CVE-2024-29895

This repository contains a functional exploit for CVE-2024-29895, a command injection vulnerability in Cacti. The exploit leverages the `register_argc_argv` PHP option being enabled to execute arbitrary commands via crafted HTTP requests to `/cacti/cmd_realtime.php`.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Cacti (versions affected by CVE-2024-29895)
No auth needed
Prerequisites: PHP `register_argc_argv` option enabled · Network access to the target Cacti instance
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC
by ticofookfook · remote
https://github.com/ticofookfook/CVE-2024-29895.py

This repository contains a functional Python script that exploits CVE-2024-29895, a command injection vulnerability in Cacti 1.3.x DEV builds via the `cmd_realtime.php` endpoint. The exploit constructs a malicious GET request with a command injection payload and executes arbitrary commands on the target system.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Cacti 1.3.x DEV builds
No auth needed
Prerequisites: Target must have `cmd_realtime.php` endpoint accessible · POLLER_ID must be enabled
devstral-2 · analyzed Feb 18, 2026

vulncheck_xdb WORKING POC
remote
https://github.com/Rubioo02/CVE-2024-29895

This repository contains a functional exploit PoC for CVE-2024-29895, a command injection vulnerability in Cacti 1.3.x dev branch. The exploit leverages the `poller_id` parameter in `cmd_realtime.php` to execute arbitrary commands when `register_argc_argv` is enabled.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Cacti 1.3.x dev
No auth needed
Prerequisites: Cacti 1.3.x dev branch · `cmd_realtime.php` present · `register_argc_argv` enabled
devstral-2 · analyzed Feb 25, 2026

inthewild WORKING POC
poc
https://github.com/rubioo02/cve-2024-29895

The repository contains a functional Python-based exploit for CVE-2024-29895, a command injection vulnerability in Cacti 1.3.x dev branch. The exploit leverages the `poller_id` parameter in `cmd_realtime.php` to execute arbitrary commands when `register_argc_argv` is enabled.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Cacti 1.3.x dev
No auth needed
Prerequisites: Cacti 1.3.x dev with `cmd_realtime.php` present · PHP `register_argc_argv` enabled
devstral-2 · analyzed Feb 23, 2026

Nuclei Templates (1)

Cacti cmd_realtime.php - Command Injection
CRITICAL · by pussycat0x
Shodan: http.favicon.hash:-1797138069
FOFA: icon_hash="-1797138069"

Scores

CVSS v3: 10.0
EPSS: 0.9322
EPSS Percentile: 99.8%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Source: Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: total

Details

VulnCheck KEV: 2024-08-06
CWE: CWE-77
Status: published
Products (1): Cacti/cacti = 1.3.x DEV
Published: May 14, 2024
Tracked Since: Feb 18, 2026