← voltar
CVE-2005-10004

Cacti graph_view.php RCE via graph_start Parameter Injection

CVSS 8.7 HIGHEPSS 1.8%CWE-78
Vexday Risk Score
36Atenção
Decisão SSVC (CISA)
Attend
PoC disponível → acompanhar de perto
CVSS 8.7EPSS 1.8%KEV nãoPoC Nuclei Metasploit simPatch referenciado
Ciclo de vida
15 jan 2005Exploit Metasploit disponível
30 ago 2025Publicada no NVD
Recomendação: Planejar correção próxima — já existe PoC pública.
Cacti versions prior to 0.8.6-d contain a remote command execution vulnerability in the graph_view.php script. An authenticated user can inject arbitrary shell commands via the graph_start GET parameter, which is improperly handled during graph rendering. This flaw allows attackers to execute commands on the underlying operating system with the privileges of the web server process, potentially compromising system integrity.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Produtos afetados
Raxnet/Ian Berry · Cacti