CVE-2025-22604
Severity: CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Description
Cacti is an open source performance and fault management framework. Due to a flaw in the multi-line SNMP result parser, authenticated users can inject malformed OIDs into the response. When processed by ss_net_snmp_disk_io() or ss_net_snmp_disk_bytes(), a part of each OID is used as a key in an array that is then used as part of a system command, causing a command execution vulnerability. This vulnerability is fixed in 1.2.29.
Analysis
Cacti versions prior to 1.2.29 contain an authenticated command injection through the SNMP result parser. By injecting malformed OIDs into SNMP responses, authenticated users can execute arbitrary system commands when the results are processed by the ss_net_snmp_disk_io() or ss_net_snmp_disk_bytes() functions.
Technical Context
Cacti's SNMP poller parses multi-line results where parts of each OID are used as array keys that end up in system command strings. An authenticated user who can influence SNMP responses (through a compromised device or SNMP proxy) can inject crafted OIDs containing shell metacharacters. When processed by ss_net_snmp_disk_io() or ss_net_snmp_disk_bytes(), the malicious OID component is executed as a system command.
Affected Products
Cacti < 1.2.29
Remediation
Update to Cacti 1.2.29 or later. Restrict device management permissions to trusted administrators. Validate SNMP response data before shell processing. Implement network segmentation between the monitoring server and monitored devices.
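The remediation above says to validate SNMP response data before it reaches any shell processing. The following is an added example (not Cacti's code, and not the fix shipped in 1.2.29) of what that looks like in practice: a multi-line walk parser that only ever accepts a strictly numeric OID as a table key, treats every other line as part of the previous value, and hands the resulting index to a follow-up command as an integer inside an argv list rather than a shell string. The sample walk output, the `snmpget_argv` helper and the host/community values are constructed for illustration; the diskIODevice OID prefix is the standard UCD-SNMP-MIB one.

```python
import re
import subprocess
from typing import Dict, List

# Allowlist shape of a numeric OID as net-snmp prints it: an optional leading
# dot followed by dot-separated integers. Nothing else is accepted as a key.
OID_RE = re.compile(r"^\.?\d+(?:\.\d+)*$")

# Constructed sample of multi-line snmpwalk output (not captured from a real
# device). The third value spans two lines, and the fourth line carries a
# malformed "OID" that a naive line-oriented parser would accept as a key.
SAMPLE_WALK = """\
.1.3.6.1.4.1.2021.13.15.1.1.2.1 = STRING: sda
.1.3.6.1.4.1.2021.13.15.1.1.2.2 = STRING: sdb
.1.3.6.1.4.1.2021.13.15.1.1.2.3 = STRING: "a multi
line value = that contains the separator"
.1.3.6.1.4.1.2021.13.15.1.1.2.4 extra = STRING: sdd
"""


def parse_walk(text: str) -> Dict[str, str]:
    """Parse 'OID = value' lines into a dict keyed by OID.

    A line opens a new row only when the text before ' = ' is a well-formed
    numeric OID. Every other line (wrapped string values, garbage, injected
    text) is appended to the previous value, so it can never become a key.
    """
    rows: Dict[str, str] = {}
    current = None
    for raw in text.splitlines():
        oid, sep, value = raw.partition(" = ")
        if sep and OID_RE.match(oid.strip()):
            current = oid.strip()
            rows[current] = value.strip()
        elif current is not None:
            rows[current] += "\n" + raw
    return rows


def device_index(oid: str) -> int:
    """Return the trailing table index of a validated OID as an int.

    Converting to int is the hard boundary: an integer cannot carry shell
    metacharacters, so downstream code never sees the raw OID string.
    """
    if not OID_RE.match(oid):
        raise ValueError(f"refusing malformed OID: {oid!r}")
    return int(oid.rsplit(".", 1)[1])


def snmpget_argv(host: str, community: str, base_oid: str, index: int) -> List[str]:
    """Build an argv list for a hypothetical follow-up snmpget (assumed helper).

    The list form is meant for subprocess.run(argv) with shell=False: each
    element is passed to the program verbatim, so no shell ever interprets it.
    """
    if not OID_RE.match(base_oid):
        raise ValueError(f"refusing malformed base OID: {base_oid!r}")
    return ["snmpget", "-v2c", "-c", community, host, f"{base_oid}.{int(index)}"]


def run_argv(argv: List[str]) -> subprocess.CompletedProcess:
    """Execute an argv list without a shell; kept separate so parsing and
    validation can be exercised without snmpget being installed."""
    return subprocess.run(argv, shell=False, capture_output=True, text=True)


if __name__ == "__main__":
    rows = parse_walk(SAMPLE_WALK)
    for oid, value in rows.items():
        idx = device_index(oid)
        argv = snmpget_argv("192.0.2.10", "public", ".1.3.6.1.4.1.2021.13.15.1.1.2", idx)
        print(f"index {idx}: {value.splitlines()[0]!r} -> {argv}")
```

Running the script prints three rows: the malformed fourth line never appears as its own key, because it failed the allowlist and was folded into the preceding value as data. The same two checks, an allowlist on the OID shape and an integer conversion before the value touches any command, are what "validate SNMP response data before shell processing" amounts to.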