The maintainers of the Cacti open up-source network monitoring and fault management framework have dealt with a dozen security flaws, together with two critical issues that could direct to the execution of arbitrary code.
The most severe of the vulnerabilities are outlined below –
- CVE-2024-25641 (CVSS rating: 9.1) – An arbitrary file generate vulnerability in the “Bundle Import” aspect that enables authenticated people owning the “Import Templates” authorization to execute arbitrary PHP code on the web server, ensuing in distant code execution
- CVE-2024-29895 (CVSS rating: 10.) – A command injection vulnerability enables any unauthenticated person to execute arbitrary command on the server when the “sign up_argc_argv” option of PHP is On
Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.
Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).
➤ Activate Your Coupon Code
Also tackled by Cacti are two other high-severity flaws that could lead to code execution by way of SQL injection and file inclusion –
- CVE-2024-31445 (CVSS score: 8.8) – An SQL injection vulnerability in api_automation.php that permits authenticated consumers to carry out privilege escalation and remote code execution
- CVE-2024-31459 (CVSS score: N/A) – A file inclusion issue in the “lib/plugin.php” file that could be combined with SQL injection vulnerabilities to final result in remote code execution
It truly is value noting that 10 out of the 12 flaws, with the exception of CVE-2024-29895 and CVE-2024-30268 (CVSS rating: 6.1), affect all variations of Cacti, like and prior to 1.2.26. They have been addressed in variation 1.2.27 introduced on May possibly 13, 2024. The two other flaws have an affect on the growth variations 1.3.x.
The improvement comes more than eight months just after the disclosure of a further critical SQL injection vulnerability (CVE-2023-39361, CVSS score: 9.8) that could permit an attacker to get hold of elevated permissions and execute destructive code.
In early 2023, a 3rd critical flaw tracked as CVE-2022-46169 (CVSS score: 9.8) arrived underneath lively exploitation in the wild, allowing menace actors to breach internet-exposed Cacti servers to provide botnet malware these types of as MooBot and ShellBot.
With evidence-of-strategy (PoC) exploits publicly accessible for these shortcomings (in the respective GitHub advisories), it is suggested that people get actions to update their occasions to the hottest variation as shortly as possible to mitigate opportunity threats.
Discovered this short article fascinating? Follow us on Twitter and LinkedIn to examine a lot more distinctive content we post.
Some sections of this write-up are sourced from:
thehackernews.com