CVE-2005-1526 in Cacti
Summary
by MITRE
PHP remote file inclusion vulnerability in config_settings.php in Cacti before 0.8.6e allows remote attackers to execute arbitrary PHP code via the config[include_path] parameter.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 11/22/2025
The vulnerability identified as CVE-2005-1526 represents a critical remote file inclusion flaw in the Cacti network monitoring system prior to version 0.8.6e. This vulnerability resides within the config_settings.php file and specifically targets the config[include_path] parameter, creating a pathway for remote attackers to execute arbitrary PHP code on the affected system. The flaw demonstrates characteristics consistent with CWE-88, which addresses improper neutralization of special elements used in an expression, and falls under the broader category of CWE-94, representing improper execution of code, particularly in the context of remote code execution through file inclusion mechanisms.
The technical exploitation of this vulnerability occurs when an attacker manipulates the config[include_path] parameter to include malicious PHP code from a remote server. This allows the attacker to inject and execute arbitrary PHP commands on the target system, potentially leading to complete system compromise. The vulnerability stems from insufficient input validation and sanitization within the Cacti application's configuration handling mechanism, where user-supplied input directly influences the file inclusion process without proper security checks. This type of vulnerability is classified under ATT&CK technique T1190, which involves exploiting vulnerabilities in remote services to gain unauthorized access and execute commands remotely.
The operational impact of this vulnerability is severe, as it enables attackers to gain full control over the affected Cacti server. Once exploited, the attacker can execute commands with the privileges of the web server process, potentially leading to data exfiltration, system enumeration, and further network infiltration. The vulnerability affects organizations using Cacti versions prior to 0.8.6e, which were widely deployed for network monitoring and performance tracking purposes. This creates significant risk for enterprises relying on network monitoring systems, as compromise of such systems can lead to loss of network visibility and potential lateral movement within the network infrastructure.
Organizations should immediately upgrade to Cacti version 0.8.6e or later to remediate this vulnerability, as no effective workarounds exist for this particular flaw. The patch addresses the root cause by implementing proper input validation and sanitization for the config[include_path] parameter, preventing malicious input from being processed as valid file paths. Security administrators should also implement network segmentation and access controls to limit exposure of the Cacti application to untrusted networks. Additionally, monitoring for suspicious requests containing unusual parameter values in the config[include_path] parameter can help detect potential exploitation attempts. The vulnerability highlights the critical importance of input validation in web applications and demonstrates how seemingly simple parameter handling can lead to catastrophic security implications, aligning with ATT&CK technique T1210 which covers exploitation of remote services for privilege escalation and command execution.