CVE-2024-43363 in Cacti

Summary

by MITRE • 10/08/2024

Cacti is an open source performance and fault management framework. An admin user can create a device with a malicious hostname containing PHP code and repeat the installation process (completing only step 5 of the installation process is enough, no need to complete the steps before or after it) to use a PHP file as the Cacti log file. After having the malicious hostname end up in the logs (log poisoning), one can simply go to the log file URL to execute commands to achieve RCE. This issue has been addressed in version 1.2.28 and all users are advised to upgrade. There are no known workarounds for this vulnerability.


Analysis

by VulDB Data Team • 02/11/2025

This vulnerability exists within the Cacti performance and fault management framework, in the interaction between its logging mechanism and the installer's handling of file paths. An authenticated administrative user can create a device whose hostname contains PHP code; Cacti later writes that hostname into its log file without escaping or encoding it. The same administrator can re-enter the installation process and complete only step 5, the step that sets the log file path, to make a file with a .php extension the Cacti log file. Neither the installer steps before nor those after step 5 need to be completed. The attacker therefore needs an admin account, but nothing beyond the normal device and installer pages. The root cause is twofold: insufficient validation of the hostname field before it reaches the log, and the installer's willingness to accept a PHP file, reachable through the web server, as the log destination.

Exploitation is a multi-step chain that begins with abuse of administrative privilege and ends in remote code execution. The administrator creates a device whose hostname is a short PHP snippet; when Cacti logs an event for that device, the snippet becomes part of the log file content. This is log poisoning: the attacker controls bytes that land in a file the interpreter will treat as source. Because the log file has been pointed at a .php file served over HTTP, requesting the log file URL makes the web server execute the embedded PHP in the context of the web server user. The flaw is a code injection issue, not a deserialization issue; no serialized object is involved at any point, only untrusted input written into an executable location.

The operational impact is severe: the attacker obtains arbitrary command execution on the Cacti host as the web server user, from which local privilege escalation and lateral movement into the monitored network become possible. Cacti stores monitoring credentials such as SNMP community strings for the devices it polls, so the confidentiality and integrity of the whole monitoring estate are at stake, and the foothold can be turned into persistent access. Detection is difficult because every step uses legitimate administrative functions: a device is created and an installer page is revisited, both of which look routine in an audit trail. The vulnerability maps to CWE-77 (Improper Neutralization of Special Elements used in a Command) and CWE-94 (Improper Control of Generation of Code), and to ATT&CK technique T1059 (Command and Scripting Interpreter) for the post-poisoning command execution.

Remediation is to upgrade to Cacti version 1.2.28 or later; the project reports no workaround. Before and after upgrading, verify two things on every instance: that the configured Cacti log path is a plain log file outside the web root rather than a .php file the web server would execute, and that neither the device table nor the existing log contains a PHP open tag such as "<?php". A log path ending in .php, or a device hostname that is not a valid RFC 1123 name or IP literal, is a strong indicator that the chain has been attempted, and a host showing either should be treated as potentially compromised rather than merely vulnerable. Compensating controls reduce exposure without closing the flaw: limit which accounts hold the Cacti admin role, alert on device creation and on any request to the installer pages of an already installed system, keep the log directory outside every path the web server serves, and, where a web application firewall fronts Cacti, block PHP open tags in form fields. The bug is a reminder that administrative input is still untrusted input, and that an application must never be able to write a log into a location where an interpreter will execute it.
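The checks described above and the attack chain in the analysis reduce to three concrete tests, shown here as an added example that is not Cacti's own code and not part of the original advisory. It assumes the configured log path and web root are known absolute POSIX paths, and the log lines it scans are constructed samples loosely modelled on a "date - SOURCE: message" style, not real Cacti output. The hostname validator is a strict allow-list (IP literal or RFC 1123 name), which is the hardened counterpart of accepting the field verbatim.

```python
"""Audit checks for the CVE-2024-43363 pattern in Cacti: a log path that PHP
would execute, device hostnames that carry PHP code, and log lines already
poisoned. Added example, not Cacti project code."""
import ipaddress
import posixpath
import re

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen, labels of at most 63 characters.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?:{_LABEL})(?:\.{_LABEL})*\.?$")

# PHP open tags: "<?php", the echo form "<?=", and the bare short tag "<? ".
PHP_TAG_RE = re.compile(r"<\?(?:php\b|=|\s)", re.IGNORECASE)

# Extensions a typical PHP-enabled web server hands to the interpreter.
EXECUTABLE_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}


def is_valid_hostname(value: str) -> bool:
    """Strict allow-list: an IP literal or an RFC 1123 hostname. Anything
    else (PHP tags, quotes, spaces) is rejected before it can reach a log."""
    if not value or len(value) > 253:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    return HOSTNAME_RE.fullmatch(value) is not None


def log_path_findings(log_path: str, webroot: str) -> list[str]:
    """Reasons why a configured log path is exploitable via log poisoning.
    Both arguments are assumed to be absolute POSIX paths."""
    findings = []
    norm_log = posixpath.normpath(log_path)
    norm_root = posixpath.normpath(webroot)
    ext = posixpath.splitext(norm_log)[1].lower()
    if ext in EXECUTABLE_EXTENSIONS:
        findings.append(f"log file extension {ext!r} is interpreted as PHP")
    if posixpath.commonpath([norm_log, norm_root]) == norm_root:
        findings.append(f"log file {norm_log} lies under the web root {norm_root}")
    return findings


def find_poisoned_lines(lines: list[str]) -> list[tuple[int, str]]:
    """Return (index, matched_tag) for every log line carrying a PHP open tag."""
    hits = []
    for i, line in enumerate(lines):
        m = PHP_TAG_RE.search(line)
        if m:
            hits.append((i, m.group(0)))
    return hits


# Constructed sample input (not real Cacti configuration or output).
WEBROOT = "/var/www/html/cacti"
SAFE_LOG_PATH = "/var/log/cacti/cacti.log"
POISONED_LOG_PATH = "/var/www/html/cacti/log/cacti.php"
SAMPLE_HOSTNAMES = ["router1.example.net", "10.0.0.1", "<?php system($_GET['c']); ?>"]
SAMPLE_LOG_LINES = [
    "2024/10/08 10:00:01 - POLLER: Device[router1.example.net] ERROR: SNMP timeout",
    "2024/10/08 10:00:02 - WEBUI: Device[<?php system($_GET['c']); ?>] created by admin",
    "2024/10/08 10:00:03 - POLLER: Device[10.0.0.1] OK",
]


def audit(log_path: str, webroot: str, hostnames: list[str], lines: list[str]) -> dict:
    """Combine the three checks into one report for an instance."""
    return {
        "log_path": log_path_findings(log_path, webroot),
        "bad_hostnames": [h for h in hostnames if not is_valid_hostname(h)],
        "poisoned_lines": find_poisoned_lines(lines),
    }


if __name__ == "__main__":
    for path in (SAFE_LOG_PATH, POISONED_LOG_PATH):
        report = audit(path, WEBROOT, SAMPLE_HOSTNAMES, SAMPLE_LOG_LINES)
        print(path)
        for key, value in report.items():
            print(f"  {key}: {value}")
```

Run against a real instance by replacing the constructed constants with the log path from Cacti's settings, the hostnames from its device table, and the contents of the log file; any non-empty list in the report is grounds for incident response, not just for an upgrade.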

Responsible

GitHub M

Reservation

08/09/2024

Disclosure

10/08/2024

Moderation

accepted

CPE

ready

EPSS

0.35809

KEV

no

Activities

very low
