CVE-2025-45160: n/a
An HTML injection vulnerability exists in the file upload functionality of Cacti <= 1.2.29. When a file with an invalid format is uploaded, the application reflects the submitted filename back into an error popup without proper sanitization. As a result, attackers can inject arbitrary HTML elements (e.g., <h1>, <b>, <svg>) into the rendered page. NOTE: Multiple third parties, including the maintainer, have stated that they cannot reproduce this issue after 1.2.27.
AI Analysis
Technical Summary
CVE-2025-45160 identifies an HTML injection vulnerability in the widely used network monitoring tool Cacti, specifically in versions up to 1.2.29. The vulnerability occurs within the file upload feature when a user attempts to upload a file with an invalid format. Instead of sanitizing the filename before displaying it in an error popup, the application reflects the raw filename back into the HTML response. This lack of sanitization allows attackers to inject arbitrary HTML elements such as <h1>, <b>, or <svg> tags into the rendered page. While this is not a classic cross-site scripting (XSS) vulnerability, it can be leveraged to manipulate the page content, potentially misleading users or enabling further attacks if combined with other vulnerabilities. The CVSS score of 5.4 reflects medium severity; the vector indicates a network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), and limited confidentiality and integrity impact (C:L/I:L). Notably, multiple third parties and the Cacti maintainer have stated that the issue could not be reproduced after version 1.2.27, implying that fixes or changes in later versions may have mitigated or eliminated the vulnerability. No public exploits have been reported, reducing immediate risk. The vulnerability is classified under CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page), emphasizing the importance of input sanitization. Since Cacti is often deployed in network monitoring environments, exploitation could allow attackers to inject misleading content into the monitoring interface, potentially obscuring alerts or causing confusion among administrators. However, the impact on system availability is negligible, and exploitation requires at least low-level privileges on the network, limiting the attack surface.
Potential Impact
For European organizations, the primary impact of CVE-2025-45160 lies in the potential manipulation of the Cacti monitoring interface through injected HTML elements. This could lead to misinformation or confusion among network administrators, possibly delaying response to genuine network issues or masking malicious activity. The confidentiality impact is limited but could include exposure of sensitive filenames or metadata if combined with other vulnerabilities. Integrity is moderately affected as the attacker can alter the displayed content, but no direct data modification or system compromise is implied. Availability remains unaffected. Organizations relying heavily on Cacti for critical infrastructure monitoring, such as utilities, telecommunications, and government agencies, may face increased risk if attackers exploit this vulnerability to disrupt monitoring accuracy. The requirement for low privileges and network access means internal threat actors or attackers who have gained limited access could exploit this flaw. Given the absence of known exploits in the wild, the immediate risk is moderate, but the potential for targeted attacks exists, especially in sectors where network monitoring is vital for operational security.
Mitigation Recommendations
European organizations should implement the following specific mitigations:
1) Upgrade Cacti installations to versions beyond 1.2.29, preferably the latest stable release, as the vulnerability appears unreproducible after 1.2.27, indicating fixes.
2) If upgrading is not immediately feasible, apply input validation and sanitization on the filename parameter in the file upload error handling code to neutralize HTML tags and special characters.
3) Restrict allowed file upload types strictly to expected formats to reduce the chance of invalid filenames triggering the vulnerability.
4) Employ web application firewalls (WAFs) with custom rules to detect and block suspicious HTML injection attempts targeting the file upload endpoint.
5) Monitor logs for unusual file upload errors or unexpected HTML content in error messages.
6) Limit user privileges to the minimum necessary to reduce the risk of exploitation by low-privilege attackers.
7) Conduct security awareness training for administrators to recognize potential interface manipulation.
8) Regularly audit and review Cacti configurations and customizations to ensure no additional injection vectors exist.
These targeted steps go beyond generic advice by focusing on the specific injection vector and operational context of Cacti deployments.
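An added illustration of mitigation items 2 and 5 (not Cacti's own code; the function names, error message text and log line format are assumptions): the unsafe reflection of a filename into an error message beside its escaped form, and a check that flags upload-error log lines whose filename carries markup characters.

```python
import html
import re

# Illustration of the flaw class in CVE-2025-45160: the filename submitted
# with an invalid upload is reflected into an error message. Function names
# and message text are assumptions, not Cacti's actual code.

def render_upload_error_unsafe(filename: str) -> str:
    """Vulnerable pattern: raw filename concatenated into the HTML error popup."""
    return f"<p>File {filename} has an invalid format.</p>"

def render_upload_error_safe(filename: str) -> str:
    """Hardened pattern: HTML-escape the filename before it reaches the page."""
    return f"<p>File {html.escape(filename, quote=True)} has an invalid format.</p>"

# Characters that can open a tag, an attribute or an entity inside a filename.
_MARKUP_CHARS = re.compile(r"[<>&\"']")

def filename_looks_injected(filename: str) -> bool:
    """True if the filename contains characters that could form HTML markup."""
    return _MARKUP_CHARS.search(filename) is not None

# Constructed log format for illustration: 'upload-error user=<name> file=<filename>'.
_LOG_LINE = re.compile(r"upload-error user=(?P<user>\S+) file=(?P<file>.*)$")

def find_suspicious_upload_errors(log_lines):
    """Return (user, filename) pairs for upload errors whose filename carries markup."""
    hits = []
    for line in log_lines:
        m = _LOG_LINE.search(line)
        if m and filename_looks_injected(m.group("file")):
            hits.append((m.group("user"), m.group("file")))
    return hits

if __name__ == "__main__":
    # Constructed sample lines, not real Cacti log output.
    sample = [
        "2026-01-29 17:27:49 upload-error user=alice file=report.xlsx",
        "2026-01-29 17:28:03 upload-error user=bob file=<h1>Maintenance</h1>.png",
    ]
    for user, name in find_suspicious_upload_errors(sample):
        # Escape again when printing so the alert itself cannot carry markup.
        print(f"suspicious upload error from {user}: {html.escape(name)}")
```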
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-04-22T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 697b9895ac06320222a54d49
Added to database: 1/29/2026, 5:27:49 PM
Last enriched: 2/6/2026, 8:37:32 AM
Last updated: 2/7/2026, 1:40:25 PM