CVE-2025-45160: n/a
An HTML injection vulnerability exists in the file upload functionality of Cacti <= 1.2.29. When a file with an invalid format is uploaded, the application reflects the submitted filename back into an error popup without proper sanitization. As a result, attackers can inject arbitrary HTML elements (e.g., <h1>, <b>, <svg>) into the rendered page.
AI Analysis
Technical Summary
CVE-2025-45160 identifies an HTML injection vulnerability in the file upload functionality of Cacti versions up to and including 1.2.29. When a user attempts to upload a file with an invalid format, the application generates an error popup that reflects the submitted filename back into the user interface without sanitization or HTML encoding. Because the filename is interpolated into markup rather than rendered as text, an attacker can inject arbitrary HTML elements such as <h1>, <b>, or <svg> tags into the rendered error message. While this vulnerability does not directly allow code execution, it can be leveraged to manipulate the user interface, to conduct phishing attacks by injecting deceptive content, or potentially to execute client-side scripts if combined with other vulnerabilities. The root cause is improper handling of user-supplied input in the error feedback mechanism, a common vector for injection attacks. No CVSS score has been assigned yet, and no exploits had been reported in the wild as of the publication date. The vulnerability affects all instances of Cacti, a widely used open-source network monitoring tool, up to version 1.2.29. Given Cacti's role in monitoring network performance and infrastructure, exploitation could undermine trust in monitoring data and potentially expose sensitive network information through manipulated UI elements.
Potential Impact
For European organizations, exploitation of this vulnerability could lead to several adverse effects. Injected HTML content in error popups could be used to mislead administrators or users, potentially facilitating social engineering or phishing attacks within trusted network management interfaces. This could result in unauthorized access if attackers trick users into divulging credentials or performing malicious actions. Additionally, UI manipulation might degrade the integrity and reliability of monitoring data presentation, impacting operational decision-making. While the vulnerability does not directly compromise system availability or allow remote code execution, it undermines the confidentiality and integrity of the user interface. Organizations in sectors with critical infrastructure monitored by Cacti, such as telecommunications, energy, and finance, could face increased risk. The absence of known exploits reduces the immediate threat but does not eliminate the potential for future targeted attacks, especially as Cacti is commonly deployed in enterprise environments across Europe.
Mitigation Recommendations
To mitigate this vulnerability, organizations should first verify whether they are running Cacti versions up to 1.2.29 and plan to upgrade to a patched version once one is available. In the interim, administrators can implement strict input validation and sanitization on the server side to ensure that filenames and other user inputs are properly escaped before being rendered in any UI component. Employing Content Security Policy (CSP) headers can help restrict the execution of injected scripts or malicious HTML. Additionally, restricting file upload types and enforcing file format validation can reduce the attack surface. Monitoring logs for unusual upload attempts or error popup anomalies may help detect exploitation attempts. Network segmentation and limiting access to the Cacti interface to trusted administrators can further reduce risk. Finally, educating users about the risks of interacting with unexpected UI elements can help mitigate social engineering vectors.
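The following is an added illustration of the defect described in the technical summary and of the escaping and log-monitoring mitigations recommended above. It is not Cacti's own code; the popup template, the function names, and the upload-log lines are constructed for the example. It renders a submitted filename into an error message both verbatim (the vulnerable pattern) and after HTML encoding (the fix), counts the tags that reach the page in each case, and scans constructed upload-log entries for filenames containing markup characters.

```python
import html
import re

# Assumed error-popup text; Cacti's real template is not reproduced here.
ERROR_PREFIX = 'Invalid file format: '


def render_upload_error_vulnerable(filename: str) -> str:
    """Reflect the submitted filename into the popup markup verbatim.

    This mirrors the advisory's defect: the filename is interpolated as
    markup, so any tags it carries become elements in the rendered page.
    """
    return f'<div class="upload-error">{ERROR_PREFIX}{filename}</div>'


def render_upload_error_safe(filename: str) -> str:
    """Encode the filename for an HTML text context before interpolation.

    html.escape converts <, >, &, " and ' into character references, so
    the browser shows the filename as literal text, not as elements.
    """
    encoded = html.escape(filename, quote=True)
    return f'<div class="upload-error">{ERROR_PREFIX}{encoded}</div>'


TAG_RE = re.compile(r'<[^>]+>')


def count_tags(rendered_html: str) -> int:
    """Count the HTML tags present in a rendered fragment.

    The template itself contributes exactly two (the div open and close);
    anything beyond that came from the untrusted filename.
    """
    return len(TAG_RE.findall(rendered_html))


# Characters that the encoder above neutralises; a raw upload name that
# contains them is worth flagging as a possible injection attempt.
MARKUP_CHARS = re.compile(r'[<>"\'&]')


def is_suspicious_filename(filename: str) -> bool:
    """True when the filename carries characters meaningful to HTML."""
    return MARKUP_CHARS.search(filename) is not None


# Constructed upload-log lines (not real Cacti logs) in an assumed
# "timestamp user action filename" layout; the filename is the last
# field and may contain spaces.
SAMPLE_UPLOAD_LOG = """\
2026-01-29T17:00:01Z admin upload_rejected hosts.csv
2026-01-29T17:00:07Z admin upload_rejected <h1>notice</h1>.xml
2026-01-29T17:00:12Z ops upload_rejected quoted "name".xml
2026-01-29T17:00:20Z ops upload_accepted graph_template.xml
"""


def flag_suspicious_uploads(log_text: str) -> list[str]:
    """Return the filenames from the log that contain markup characters."""
    flagged = []
    for line in log_text.splitlines():
        parts = line.split(' ', 3)  # keep spaces inside the filename intact
        if len(parts) < 4:
            continue
        filename = parts[3]
        if is_suspicious_filename(filename):
            flagged.append(filename)
    return flagged


if __name__ == '__main__':
    name = '<b>report</b>.xml'  # constructed sample filename
    print('vulnerable:', render_upload_error_vulnerable(name))
    print('safe      :', render_upload_error_safe(name))
    print('flagged   :', flag_suspicious_uploads(SAMPLE_UPLOAD_LOG))
```

The encoding step belongs at the point where the filename is written into HTML, not at upload time: a filename that is stored raw and later shown elsewhere would otherwise carry the same problem to every other view. The log check is a coarse first-pass detector; a filename with an ampersand, for instance, is legitimate far more often than not, so treat hits as something to review rather than as alerts on their own.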
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain
Technical Details
Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-04-22T00:00:00.000Z
CVSS Version: null
State: PUBLISHED
Threat ID: 697b9895ac06320222a54d49
Added to database: 1/29/2026, 5:27:49 PM
Last enriched: 1/29/2026, 5:42:35 PM
Last updated: 1/29/2026, 6:32:11 PM