CVE-2025-24367: Cacti Graph Template authenticated RCE versions prior to 1.2.29

Exploitation Summary

EIP tracks 8 public exploits for CVE-2025-24367. PoCs published by TheCyberGeek, adminlove520, matesz44, including Metasploit module exploits/multi/http/cacti_graph_template_rce.

AI-analyzed exploit summary This repository contains a Python-based exploit for CVE-2025-24367, an authenticated remote code execution (RCE) vulnerability in Cacti. The exploit leverages a graph template manipulation to execute arbitrary commands via a reverse shell payload.

Description

Cacti is an open source performance and fault management framework. An authenticated Cacti user can abuse graph creation and graph template functionality to create arbitrary PHP scripts in the web root of the application, leading to remote code execution on the server. This vulnerability is fixed in 1.2.29.

Exploits (8)

nomisec WORKING POC 28 stars

by TheCyberGeek · poc

https://github.com/TheCyberGeek/CVE-2025-24367-Cacti-PoC

View Code ZIP pw:eip

This repository contains a Python-based exploit for CVE-2025-24367, an authenticated remote code execution (RCE) vulnerability in Cacti. The exploit leverages a graph template manipulation to execute arbitrary commands via a reverse shell payload.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Cacti (version not specified)

Auth required

Prerequisites: Valid Cacti credentials · Network access to the target Cacti instance · A listener set up for the reverse shell

MITRE ATT&CK

T1059 - Command and Scripting Interpreter T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

github WORKING POC 2 stars

by adminlove520 · pythonpoc

https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2025/CVE-2025-24367

View Code ZIP pw:eip

The repository contains functional exploit code for multiple CVEs, including authentication bypass vulnerabilities in TOTOLINK devices and a scanner for Fortinet SSL VPN (CVE-2024-21762). The PoCs demonstrate the vulnerabilities with clear technical details and functional code.

Classification

Working Poc 95%

Attack Type

Auth Bypass

Complexity

Trivial

Reliability

Reliable

Target: TOTOLINK LR350, TOTOLINK T6, Fortinet SSL VPN

No auth needed

Prerequisites: network access to the target device

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1078 - Valid Accounts

devstral-2 · analyzed Feb 27, 2026 Full analysis →

nomisec WORKING POC 1 stars

by matesz44 · poc

https://github.com/matesz44/CVE-2025-24367

View Code ZIP pw:eip

This PoC exploits an authenticated command injection vulnerability in Cacti via crafted graph template parameters. It logs in, injects a malicious RRD graph command, and retrieves the output via a generated PHP file.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Cacti (version not specified)

Auth required

Prerequisites: valid credentials · curl installed · target accessible

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC

by ShoshinMaster · poc

https://github.com/ShoshinMaster/CVE-2025-24367

View Code ZIP pw:eip

This is a functional exploit for CVE-2025-24367, an authenticated RCE vulnerability in Cacti. It leverages graph template manipulation to execute arbitrary commands via crafted RRDTool graph definitions, resulting in a reverse shell.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Cacti (version not specified in PoC)

Auth required

Prerequisites: Valid Cacti credentials · Network access to target · Attacker-controlled HTTP server for payload delivery

MITRE ATT&CK

T1203 - Exploitation for Client Execution T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC

by SoftAndoWetto · poc

https://github.com/SoftAndoWetto/CVE-2025-24367-PoC-Cacti

View Code ZIP pw:eip

This is a functional PoC exploit for CVE-2025-24367, an authenticated RCE vulnerability in Cacti. It abuses insufficient input sanitization in graph template handling to write and execute a PHP file, resulting in a reverse shell.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Cacti (version not specified)

Auth required

Prerequisites: Valid Cacti credentials · Network access to target · Listener on attacker machine

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC

by r3vpwnx · poc

https://github.com/r3vpwnx/CVE-2025-24367

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2025-24367, an authenticated RCE vulnerability in Cacti. The exploit leverages graph template manipulation to execute arbitrary commands via crafted RRD tool arguments.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Cacti (version not specified)

Auth required

Prerequisites: Valid Cacti credentials · Access to graph template editing functionality

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed May 16, 2026 Full analysis →

nomisec WORKING POC

by r0tn3x · poc

https://github.com/r0tn3x/CVE-2025-24367

View Code ZIP pw:eip

This exploit leverages an authenticated RCE vulnerability in Cacti's graph template functionality by injecting malicious commands into the right_axis_label parameter, leading to arbitrary code execution. It uses a two-stage payload to fetch and execute a reverse shell.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Cacti (version not specified)

Auth required

Prerequisites: Valid Cacti credentials · Network access to the target · Listener for reverse shell

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

by chutchut, Jack Heysel · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/cacti_graph_template_rce.rb

View Code ZIP pw:eip

This Metasploit module exploits an authenticated RCE vulnerability in Cacti versions prior to 1.2.29 by injecting malicious commands into the `right_axis_label` parameter of a graph template, which are then executed when the template is triggered.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Cacti < 1.2.29

Auth required

Prerequisites: Valid Cacti credentials · Access to the graph_templates.php endpoint

MITRE ATT&CK

T1203 - Exploitation for Client Execution T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Mailing List

https://lists.debian.org/debian-lts-announce/2025/02/msg00010.html

Exploit, Vendor Advisory x_refsource_confirm

https://github.com/Cacti/cacti/security/advisories/GHSA-fxrq-fr7h-9rqq

Patch x_refsource_misc

https://github.com/Cacti/cacti/commit/c7e4ee798d263a3209ae6e7ba182c7b65284d8f0

View Patch ZIP pw:eip

CVE-2025-24367

Cacti Graph Template authenticated RCE versions prior to 1.2.29

Exploitation Summary

Description

Exploits (8)

References (3)

Scores

CISA SSVC

Details