CVE-2024-29895
CVE-2024-29895 is a critical-severity vulnerability with a CVSS 3.x base score of 10.0. Its EPSS exploit-prediction score of 94% places it in the 100th percentile, indicating an elevated likelihood of exploitation. The underlying weakness is classified as CWE-77.
Key facts
- Severity: Critical (CVSS 3.x base score 10.0)
- EPSS exploit prediction: 94% (100th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2024-26876
- Weakness: CWE-77
- Published:
- Last modified:
Description
Cacti provides an operational monitoring and fault management framework. A command injection vulnerability on the 1.3.x DEV branch allows any unauthenticated user to execute arbitrary command on the server when `register_argc_argv` option of PHP is `On`. In `cmd_realtime.php` line 119, the `$poller_id` used as part of the command execution is sourced from `$_SERVER['argv']`, which can be controlled by URL when `register_argc_argv` option of PHP is `On`. And this option is `On` by default in many environments such as the main PHP Docker image for PHP. Commit 53e8014d1f082034e0646edc6286cde3800c683d contains a patch for the issue, but this commit was reverted in commit 99633903cad0de5ace636249de16f77e57a3c8fc.
Frequently asked questions
- What is CVE-2024-29895?
- Cacti provides an operational monitoring and fault management framework. A command injection vulnerability on the 1.3.x DEV branch allows any unauthenticated user to execute arbitrary command on the server when `register_argc_argv` option of PHP is `On`. In `cmd_realtime.php` line 119, the `$poller_id` used as part of the command execution is sourced from `$_SERVER['argv']`, which can be controlled by URL when `register_argc_argv` option of PHP is `On`. And this option is `On` by default in many environments such as the main PHP Docker image for PHP. Commit 53e8014d1f082034e0646edc6286cde3800c683d contains a patch for the issue, but this commit was reverted in commit 99633903cad0de5ace636249de16f77e57a3c8fc.
- How severe is CVE-2024-29895?
- CVE-2024-29895 has a CVSS 3.x base score of 10.0, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2024-29895 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 94% (100th percentile), an estimate of the probability of exploitation in the next 30 days.
- How do I fix CVE-2024-29895?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
- Does CVE-2024-29895 have an EU (EUVD) identifier?
- Yes. CVE-2024-29895 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-26876.
- When was CVE-2024-29895 published?
- CVE-2024-29895 was published on 2024-05-14 and last updated on 2026-06-17.
References
- https://github.com/Cacti/cacti/blob/501712998589763d411a68d35e3cda98fd9cfd18/cmd_realtime.php#L119
- https://github.com/Cacti/cacti/commit/53e8014d1f082034e0646edc6286cde3800c683d
- https://github.com/Cacti/cacti/commit/99633903cad0de5ace636249de16f77e57a3c8fc
- https://github.com/Cacti/cacti/security/advisories/GHSA-cr28-x256-xf5m
Other CWE-77 (Command Injection) vulnerabilities
- CVE-2026-23652 — Critical (CVSS 10.0): Improper neutralization of special elements used in a command ('command injection') in Microsoft Power Pages allows an…
- CVE-2025-59818 — Critical (CVSS 10.0): This vulnerability allows authenticated attackers to execute arbitrary commands on the underlying system using the file…
- CVE-2025-64093 — Critical (CVSS 10.0): Remote Code Execution vulnerability that allows unauthenticated attackers to inject arbitrary commands into the…
- CVE-2025-64090 — Critical (CVSS 10.0): This vulnerability allows authenticated attackers to execute commands via the hostname of the device.
- CVE-2025-61492 — Critical (CVSS 10.0): A command injection vulnerability in the execute_command function of terminal-controller-mcp 0.1.7 allows attackers to…
- CVE-2025-10035 — Critical (CVSS 10.0): A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged…