Full Report
A critical security flaw has been disclosed in the Cacti open-source network monitoring and fault management framework that could allow an authenticated attacker to achieve remote code execution on susceptible instances. The flaw, tracked as CVE-2025-22604, carries a CVSS score of 9.1 out of a maximum of 10.0. "Due to a flaw in the multi-line SNMP result parser, authenticated users can inject
Analysis Summary
# Vulnerability: Critical Cacti RCE via Malformed SNMP OID Parsing
## CVE Details
- CVE ID: CVE-2025-22604
- CVSS Score: 9.1 (Critical)
- CWE: (Not explicitly mentioned, but stems from improper input validation leading to command execution)
## Affected Systems
- Products: Cacti open-source network monitoring and fault management framework
- Versions: All versions prior to and including 1.2.28.
- Configurations: Requires an authenticated user with device management permissions.
## Vulnerability Description
The vulnerability lies in Cacti's multi-line SNMP result parser. An authenticated user can supply a malformed Object Identifier (OID) in an SNMP response. When `ss_net_snmp_disk_io()` or `ss_net_snmp_disk_bytes()` processes this input, part of the malformed OID is used unchecked as an array key, and that key is later incorporated into a system command. The attacker can therefore execute arbitrary commands on the underlying server.
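As an added illustration (not Cacti's own code) of the defensive pattern that closes this class of flaw, the Python below parses multi-line SNMP output in a constructed `oid = TYPE: value` format, rejects any line whose OID is not strictly dotted-numeric before using it as an array key, and builds the follow-up `snmpget` invocation as an argv list rather than a shell string. The line format, function names, host and sample data are assumptions made for the example.

```python
import re
from typing import Dict, List

# Strict dotted-numeric OID: optional leading dot, then digit groups joined by dots.
_OID_RE = re.compile(r"^\.?\d+(?:\.\d+)*$")
# One line of a multi-line SNMP result in the constructed format "<oid> = <TYPE>: <value>".
_LINE_RE = re.compile(r"^(?P<oid>\S+)\s*=\s*(?P<type>[A-Za-z0-9_-]+):\s*(?P<value>.*)$")


def is_valid_oid(oid: str) -> bool:
    """Accept only dotted-numeric OIDs; anything else is treated as hostile input."""
    return _OID_RE.fullmatch(oid) is not None


def parse_snmp_result(text: str) -> Dict[str, str]:
    """Parse multi-line SNMP output into {table_index: value}.

    A line whose OID is not strictly numeric is rejected outright instead of
    having part of it used as an array key, which is the mistake described above.
    """
    result: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _LINE_RE.match(line)
        if m is None or not is_valid_oid(m.group("oid")):
            raise ValueError(f"rejected malformed SNMP result line: {line!r}")
        # The last OID component is the table index; only validated OIDs reach here.
        index = m.group("oid").rsplit(".", 1)[-1]
        result[index] = m.group("value")
    return result


def build_snmpget_argv(host: str, community: str, oid: str) -> List[str]:
    """Build an argv list for snmpget; intended for subprocess.run(argv) with no shell."""
    if not is_valid_oid(oid):
        raise ValueError(f"refusing to use non-numeric OID: {oid!r}")
    if re.fullmatch(r"[A-Za-z0-9._:-]+", host) is None:
        raise ValueError(f"refusing suspicious host: {host!r}")
    # Each field is a separate argv element, so shell metacharacters are never interpreted.
    return ["snmpget", "-v2c", "-c", community, host, oid]


if __name__ == "__main__":
    # Constructed sample: two disk-table rows in the assumed line format.
    sample = (".1.3.6.1.4.1.2021.13.15.1.1.2.1 = STRING: sda\n"
              ".1.3.6.1.4.1.2021.13.15.1.1.2.2 = STRING: sdb\n")
    print(parse_snmp_result(sample))
    print(build_snmpget_argv("10.0.0.5", "public", ".1.3.6.1.2.1.1.1.0"))
```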
## Exploitation
- Status: Not explicitly stated as exploited in the wild, but prior Cacti vulnerabilities have been actively exploited.
- Complexity: Likely Medium (Requires authentication and knowledge of the vulnerable logic flow).
- Attack Vector: Network (Requires network access to the application and authentication).
## Impact
- Confidentiality: High (Potential to steal sensitive data)
- Integrity: High (Potential to edit system data)
- Availability: High (Potential to impact service availability via system command execution)
## Remediation
### Patches
- Cacti version 1.2.29 addresses CVE-2025-22604.
### Workarounds
- No specific workarounds detailed, but immediate patching is strongly advised due to the critical nature and RCE potential. Limiting access for authenticated users with device management permissions might temporarily reduce immediate risk, but is not a fix.
## Detection
- The trigger is a specially crafted SNMP OID in a response processed by the disk I/O script functions that build system commands from SNMP data.
- Monitoring process execution originating from the Cacti application can reveal exploitation; the generic indicator is an unexpected shell or system command spawned from the Cacti process context.
## References
- Vendor Advisory (GitHub): https://github.com/Cacti/cacti/security/advisories/GHSA-c5j8-jxj3-hh36
- *Note: CVE-2025-24367 (RCE via graph creation) is also fixed in version 1.2.29.*