Pierluigi Paganini January 29, 2025

A critical flaw in Cacti open-source network monitoring and fault management framework that could allow remote code execution.

Cacti is an open-source platform that provides a robust and extensible operational monitoring and fault management framework for users.

A critical vulnerability, tracked as CVE-2025-22604 (CVSS score of 9.1), in the Cacti open-source framework could allow an authenticated attacker to achieve remote code execution on susceptible instances, and steal, edit, or delete sensitive data.

The flaw resides in the multi-line SNMP result parser and allows authenticated users to inject malformed OIDs. Upon processing them, it triggers a command execution issue by using part of the OID as a key in a system command array.

“Due to a flaw in the multi-line SNMP result parser, authenticated users can inject malformed OIDs in the response,” reads the advisory published by the project maintainers. “When processed by ss_net_snmp_disk_io() or ss_net_snmp_disk_bytes(), a part of each OID will be used as a key in an array that is used as part of a system command, causing a command execution vulnerability.”

The vulnerability was discovered by a researcher who goes by the moniker u32i, it impacts all versions before 1.2.29.

Project maintainers also fixed an Arbitrary File Creation vulnerability, tracked as CVE-2025-24367 (CVSS score: 7.2), that could lead to remote code execution.

“An authenticated Cacti user can abuse graph creation and graph template functionality to create arbitrary PHP scripts in the web root of the application, leading to remote code execution on the server.”reads the advisory.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Cacti)