Critical Security Flaw in Cacti Open-Source Network Monitoring Framework

Date: January 29, 2025

Author: Ravie Lakshmanan

Categories: Vulnerability, Threat Intelligence

A critical security flaw has been disclosed in the Cacti open-source network monitoring and fault management framework, which could allow an authenticated attacker to achieve remote code execution on susceptible instances. The flaw, tracked as CVE-2025-22604, carries a CVSS score of 9.1 out of a maximum of 10.0.

The Flaw

Due to a flaw in the multi-line SNMP result parser, authenticated users can inject malformed OIDs in the response. When processed by ss_net_snmp_disk_io() or ss_net_snmp_disk_bytes(), a part of each OID will be used as a key in an array that is used as part of a system command, causing a command execution vulnerability.

Exploitation and Impact

Successful exploitation of the vulnerability could permit an authenticated user with device management permissions to execute arbitrary code in the server, and steal, edit, or delete sensitive data.

Affected Versions and Patch

CVE-2025-22604 affects all versions of the software prior to and including 1.2.28. It has been addressed in version 1.2.29. A security researcher who goes by the online alias u32i has been credited with discovering and reporting the flaw.

Additionally, CVE-2025-24367 (CVSS score: 7.2) has been addressed in the latest version, which could permit an authenticated attacker to create arbitrary PHP scripts in the web root of the application by abusing the graph creation and graph template functionality, leading to remote code execution.

Prioritization

With security vulnerabilities in Cacti having come under active exploitation in the past, organizations relying on the software for network monitoring should prioritize applying the necessary patches to mitigate the risk of compromise.