Vulnerability detail
Enriched intelligence for a single CVE
Critical
CVE-2024-29895
Published: Cacti command injection in cmd_realtime.php
- Vendor: Cacti
- Product: cacti
- Published: May 13, 2024
- EPSS: not available
Description
Cacti provides an operational monitoring and fault management framework. A command injection vulnerability on the 1.3.x DEV branch allows any unauthenticated user to execute arbitrary commands on the server when the PHP `register_argc_argv` option is `On`. In `cmd_realtime.php` line 119, the `$poller_id` used as part of the command execution is sourced from `$_SERVER['argv']`, which can be controlled through the request URL when `register_argc_argv` is `On`; that option is `On` by default in many environments, including the official PHP Docker image. Commit 53e8014d1f082034e0646edc6286cde3800c683d contains a patch for the issue, but that commit was reverted in commit 99633903cad0de5ace636249de16f77e57a3c8fc, so a 1.3.x DEV build newer than the patch commit is not necessarily fixed; check for the guard in the running copy of `cmd_realtime.php` rather than relying on the commit date.
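The mechanism in the description, as an added example that is not Cacti's code: when `register_argc_argv` is `On`, a web SAPI fills `$_SERVER['argv']` from the query string (split on `+`), so a script written for the command line silently accepts attacker-chosen positional arguments over HTTP. The vulnerable and hardened functions below, the `poller.php` command they build and the query string are hypothetical; only the argv-from-query-string behaviour is PHP's documented behaviour.

```php
<?php
declare(strict_types=1);

// Added example, not Cacti's own code. It models the pattern the
// description gives for cmd_realtime.php: a value read from
// $_SERVER['argv'] is interpolated into a shell command.
// Function and argument names are hypothetical.

// With register_argc_argv=On, a web SAPI populates $_SERVER['argv'] from
// QUERY_STRING split on '+', so GET /cmd_realtime.php?a+b yields ['a', 'b'].
// This helper reproduces that so the example runs from the CLI without a
// web server in front of it.
function argv_from_query_string(string $query): array
{
    return $query === '' ? [] : explode('+', $query);
}

// Vulnerable pattern: the poller id goes into the command line without
// validation or quoting, so shell metacharacters in it are executed.
function build_command_vulnerable(array $argv): string
{
    $poller_id = $argv[0] ?? '1';
    return 'php poller.php --poller=' . $poller_id;
}

// Hardened pattern, three layers: refuse to run under a web SAPI at all,
// accept only an integer poller id, and quote it anyway.
function build_command_hardened(array $argv): string
{
    if (PHP_SAPI !== 'cli'
        || isset($_SERVER['REQUEST_METHOD'])
        || isset($_SERVER['REMOTE_ADDR'])) {
        throw new RuntimeException('this script only runs from the command line');
    }
    $poller_id = $argv[0] ?? '1';
    if (!ctype_digit($poller_id)) {
        throw new InvalidArgumentException('poller id must be a positive integer');
    }
    return 'php poller.php --poller=' . escapeshellarg($poller_id);
}

// Constructed attacker input (not taken from any real report):
// a request like GET /cmd_realtime.php?1;id arrives as argv ['1;id'].
$attack = argv_from_query_string('1;id');

echo 'register_argc_argv in this SAPI: ',
     ini_get('register_argc_argv') ? 'On' : 'Off', PHP_EOL;
echo 'vulnerable builds: ', build_command_vulnerable($attack), PHP_EOL;

try {
    echo build_command_hardened($attack), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo 'hardened rejects: ', $e->getMessage(), PHP_EOL;
}
echo 'hardened with valid input: ', build_command_hardened(['7']), PHP_EOL;
```

Run it with `php example.php`. Note that the CLI SAPI forces `register_argc_argv` on, so `php -i | grep register_argc_argv` tells you nothing about the web SAPI; check `ini_get('register_argc_argv')` from a page served by the same PHP-FPM or mod_php instance that serves Cacti. Setting `register_argc_argv = Off` in the web SAPI's php.ini closes this input path, but it is a mitigation, not a fix: the real defect is a CLI-only script that can be reached over HTTP and builds a shell command from its arguments.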
Weaknesses (CWE)
- CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVSS scores
- CVSS v3.1 base score 10.0 (Critical): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Exploitation status
- Exploited in the wild: recorded 2026-06-08 00:00:00 UTC by The Shadowserver (via CIRCL)
- Proof of concept available: recorded 2024-05-17 22:03:29 UTC on GitHub
References
- https://github.com/Cacti/cacti/security/advisories/GHSA-cr28-x256-xf5m
- https://github.com/Cacti/cacti/commit/53e8014d1f082034e0646edc6286cde3800c683d
- https://github.com/Cacti/cacti/commit/99633903cad0de5ace636249de16f77e57a3c8fc
- https://github.com/Cacti/cacti/blob/501712998589763d411a68d35e3cda98fd9cfd18/cmd_realtime.php#L119
Known exploited vulnerability sources
Catalogues that list this CVE as a known exploited vulnerability.
| Source | Added |
|---|---|
| The Shadowserver (via CIRCL) | 2025-06-26 00:00 UTC |
Scanner integrations
| Scanner | Reference | Detected |
|---|---|---|
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-29895.yaml | Apr 25, 2025 |
Potential proof of concepts
These PoCs are unverified and could contain malware. Use at your own risk.
- CVE-2024-29895 | RCE on CACTI 1.3.X dev (GitHub, created 2024-05-17 22:03:29 UTC, 4 stars)
- CVE-2024-29895 PoC - Exploiting remote command execution in Cacti servers using the 1.3.X DEV branch builds (GitHub, created 2024-05-15 13:11:45 UTC, 21 stars)
Timeline
- CVE ID Reserved
- CVE Published to Public
- Proof of Concept Exploit Available
- Detected by Nuclei
- Added to KEVIntel