CRITICAL🇵🇱 Wersja polska

CVE-2024-29895

CVSS 10.0v3.1pub. 2024-05-14upd. 2026-04-15

Cacti provides an operational monitoring and fault management framework. A command injection vulnerability on the 1.3.x DEV branch allows any unauthenticated user to execute arbitrary command on the server when `register_argc_argv` option of PHP is `On`. In `cmd_realtime.php` line 119, the `$poller_id` used as part of the command execution is sourced from `$_SERVER['argv']`, which can be controlled by URL when `register_argc_argv` option of PHP is `On`. And this option is `On` by default in many environments such as the main PHP Docker image for PHP. Commit 53e8014d1f082034e0646edc6286cde3800c683d contains a patch for the issue, but this commit was reverted in commit 99633903cad0de5ace636249de16f77e57a3c8fc.

🤖 AI Analysis
How it works

The vulnerability lies in the `cmd_realtime.php` file (line 119), where the `$poller_id` variable is retrieved from the `$_SERVER['argv']` superglobal and passed without proper validation to a function executing system commands. When the PHP `register_argc_argv` option is enabled, the contents of this variable can be controlled by an attacker using parameters passed in the HTTP request URL. Importantly, the fix for this issue (commit 53e8014d) was introduced and subsequently reverted in a later commit (99633903), meaning the vulnerability exists in the code again.

Impact

An unauthenticated remote attacker can execute arbitrary system commands with the privileges of the web server process, which may lead to complete server compromise, data leakage, and violation of system confidentiality, integrity, and availability.

Mitigation & patch

Apply patches available from the vendor according to references (GitHub Security Advisory GHSA-cr28-x256-xf5m). Until the fix is applied, it is recommended to set the `register_argc_argv = Off` option in PHP configuration and restrict access to Cacti instances only to trusted IP addresses. Monitor the status of the commit fixing the vulnerability, as the previous fix (commit 53e8014d) was reverted.

Who is affected

Cacti in the 1.3.x development branch (DEV branch), on servers with the PHP `register_argc_argv` option enabled (enabled by default in, among others, the official PHP Docker image)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Container
CWE
References