CVE-2025-24368: Cacti has a SQL Injection vulnerability when using tree rules through Automation API

CVSS: 6.9

Description

Cacti is an open source performance and fault management framework. Some of the data stored via automation_tree_rules.php is not thoroughly validated and is concatenated directly into the SQL statement built by the build_rule_item_filter() function in lib/api_automation.php, resulting in SQL injection. This vulnerability is fixed in 1.2.29.
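To illustrate the flaw class the advisory describes, here is an added example (not Cacti's code, and not taken from the fix commit) that models a rule-item filter builder in Python with sqlite3: `build_filter_unsafe` concatenates the stored field, operator and pattern into SQL text, while `build_filter_safe` allowlists the identifiers and binds the pattern as a parameter. The table, column names and the allowlists are constructed assumptions for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for the table an automation rule filters.
SAMPLE_HOSTS = [
    (1, "web01.example.net", "Web Servers"),
    (2, "db01.example.net", "Databases"),
    (3, "o'brien-lab.example.net", "Lab"),
]

# Hypothetical allowlists: a rule item may only filter on these columns/operators.
ALLOWED_FIELDS = {"hostname", "description"}
ALLOWED_OPERATORS = {"contains": "LIKE", "equals": "="}


def build_filter_unsafe(field, operator, pattern):
    """The vulnerable pattern: stored rule data is concatenated into SQL text,
    so a quote inside `pattern` (or a crafted `field`) reaches the SQL parser."""
    value = f"%{pattern}%" if operator == "contains" else pattern
    return f"{field} {ALLOWED_OPERATORS[operator]} '{value}'"


def build_filter_safe(field, operator, pattern):
    """Hardened form: identifiers are checked against an allowlist and the
    pattern travels as a bound parameter, never as part of the SQL string."""
    if field not in ALLOWED_FIELDS:
        raise ValueError(f"rule item references disallowed field {field!r}")
    if operator not in ALLOWED_OPERATORS:
        raise ValueError(f"rule item uses disallowed operator {operator!r}")
    value = f"%{pattern}%" if operator == "contains" else pattern
    return f"{field} {ALLOWED_OPERATORS[operator]} ?", (value,)


def open_sample_db():
    """In-memory database populated with the constructed sample hosts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE host (id INTEGER, hostname TEXT, description TEXT)")
    conn.executemany("INSERT INTO host VALUES (?, ?, ?)", SAMPLE_HOSTS)
    return conn


def match_hosts(conn, field, operator, pattern, safe=True):
    """Return the ids of hosts selected by one rule item, via either builder."""
    if safe:
        where, params = build_filter_safe(field, operator, pattern)
    else:
        where, params = build_filter_unsafe(field, operator, pattern), ()
    rows = conn.execute(f"SELECT id FROM host WHERE {where} ORDER BY id", params)
    return [r[0] for r in rows]
```

A legitimate pattern such as `o'brien` already breaks the unsafe builder's query (the quote is parsed as SQL, which is exactly the condition an injection relies on), while the safe builder matches it as plain data and rejects any field outside the allowlist.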

Classification

CVE ID: CVE-2025-24368

CVSS Base Severity: MEDIUM

CVSS Base Score: 6.9

Affected Products

Vendor: Cacti

Product: cacti

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 11.72% (share of all scored CVEs with an EPSS score less than or equal to this one)

EPSS Date: 2025-02-25 (date this score was calculated)

References

https://github.com/Cacti/cacti/security/advisories/GHSA-f9c7-7rc3-574c
https://github.com/Cacti/cacti/commit/c7e4ee798d263a3209ae6e7ba182c7b65284d8f0

Timeline