12 New Vulnerabilities Discovered in Cacti

Cacti developers, known for their open-source systems for monitoring and controlling networks, have successfully eliminated 12 vulnerabilities, including two critical ones that could lead to the execution of arbitrary code.

Among the most serious vulnerabilities that have been corrected are:

  • CVE-2024-25641 (CVSS rating of 9.1) – This vulnerability allowed authenticated users to execute arbitrary PHP code on a web server through the “Import of Packages” function.
  • CVE-2024-29895 (CVSS rating of 10.0) – Vulnerability that allowed non-privileged users to execute arbitrary commands on the server.

In addition, two other critical vulnerabilities have been addressed, which could have potentially led to code execution through SQL injection and file inclusion:

  • CVE-2024-31445 (CVSS rating of 8.8) – This vulnerability affected the SQL injection defenses in the api_automation.php API.
  • CVE-2024-31459 (CVSS rating: not available) – Issue related to the lib/plugin.php file that could be exploited with SQL injection for remote code execution.

It is important to note that 10 out of the 12 vulnerabilities, excluding CVE-2024-29895 and CVE-2024-30268, affect all versions of Cacti up to 1.2.26. These issues have been addressed in version 1.2

Sources: reports, release notes, official announcements.