
The Cacti Group, Inc. has issued a security advisory warning users of a critical vulnerability (CVE-2025-22604) in its network monitoring software. This flaw could allow authenticated attackers to remotely execute code on vulnerable systems, potentially compromising sensitive data and disrupting network operations.
Cacti is a widely used open-source platform for monitoring network performance and availability. The vulnerability, with a CVSS score of 9.1, resides in the multi-line SNMP response parser. Attackers can exploit this flaw by injecting malformed Object Identifiers (OIDs) into SNMP responses, which are then processed by vulnerable functions like ss_net_snmp_disk_io() or ss_net_snmp_disk_bytes().
“When processed, a part of each OID will be used as a key in an array that is used as part of a system command, causing a command execution vulnerability,” explains the advisory. This allows attackers to inject arbitrary commands that are executed with the privileges of the Cacti application.
The CVE-2025-22604 vulnerability stems from insufficient filtering of OIDs in multi-line SNMP responses. While the values are filtered, the OIDs themselves are not, enabling attackers to manipulate the array used in system command construction.
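To make the defect class concrete, the Python snippet below (an added illustration, not Cacti's own code) models a multi-line SNMP response parser that escapes each value but trusts the OID-derived key, beside a hardened version that validates the OID before it becomes a key and passes the result to a process as an argument list rather than a shell string. The response text, the `collector` name and the function names are constructed for this example.

```python
import re
import shlex

# Multi-line SNMP response in snmpwalk style, constructed for this example.
# The last OID component is the per-disk index that ends up as an array key.
GOOD_RESPONSE = """\
.1.3.6.1.4.1.2021.13.15.1.1.2.1 = STRING: sda
.1.3.6.1.4.1.2021.13.15.1.1.2.2 = STRING: sdb
"""
# Second line carries a malformed OID: the index part is not purely numeric.
BAD_RESPONSE = """\
.1.3.6.1.4.1.2021.13.15.1.1.2.1 = STRING: sda
.1.3.6.1.4.1.2021.13.15.1.1.2.2|junk = STRING: sdb
"""
OID_RE = re.compile(r"^\.?\d+(?:\.\d+)+$")  # strictly dotted-numeric OIDs only

class MalformedOID(ValueError):
    pass

def _split_line(line):
    """Split 'OID = TYPE: value' into (oid, value); only the value is shell-quoted."""
    oid, sep, rest = line.partition(" = ")
    if not sep:
        raise MalformedOID(f"no separator in {line!r}")
    value = rest.split(":", 1)[1].strip() if ":" in rest else rest.strip()
    return oid.strip(), shlex.quote(value)

def weak_parse(output):
    """Filters the value only; the OID-derived key is used as-is (the defect class)."""
    table = {}
    for line in filter(None, output.splitlines()):
        oid, value = _split_line(line)
        table[oid.rsplit(".", 1)[1]] = value
    return table
def strict_parse(output):
    """Hardened: reject any OID that is not dotted-numeric before it becomes a key."""
    table = {}
    for line in filter(None, output.splitlines()):
        oid, value = _split_line(line)
        if not OID_RE.match(oid):
            raise MalformedOID(f"rejected OID {oid!r}")
        table[oid.rsplit(".", 1)[1]] = value
    return table
def build_shell_command(table):
    """Mirrors the risky pattern: keys are concatenated into a shell string unquoted."""
    return "collector " + " ".join(f"{k}={v}" for k, v in table.items())
def build_argv(table):
    """Safer: an argument list, so neither key nor value is interpreted by a shell."""
    return ["collector"] + [f"{k}={v}" for k, v in table.items()]
```

Run against `BAD_RESPONSE`, `weak_parse` lets the metacharacter-bearing key reach the command string, while `strict_parse` rejects the line before any key is formed.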
The implications of this vulnerability are severe. As noted in the advisory, “This vulnerability can allow authenticated users with device management permissions to execute code in the server, and steal, edit, or delete sensitive data.”
Security researcher u32i provided a step-by-step example of how this vulnerability could be exploited:
- Launch a custom SNMP agent to deliver a payload.
- Reconfigure the targeted device’s SNMP port to point to the custom agent.
- Apply the “Net-SNMP – Combined SCSI Disk I/O” template to the device’s graph.
- Access the graph tree for the device and select “View in Realtime” under the Combined SCSI Disk I/O graph.
The Cacti Group has released version 1.2.29 to address this vulnerability. All users are strongly urged to update their installations immediately. Organizations relying on Cacti for network monitoring should prioritize applying the necessary patches to mitigate the risk of compromise.