CVE-2025-22604 Overview
CVE-2025-22604 is a command injection vulnerability in Cacti, an open source performance and fault management framework. Due to a flaw in the multi-line SNMP result parser, authenticated users can inject malformed OIDs in SNMP responses. When these malformed responses are processed by the ss_net_snmp_disk_io() or ss_net_snmp_disk_bytes() functions, a part of each OID is used as a key in an array that becomes part of a system command, enabling arbitrary command execution on the underlying server.
Critical Impact
Authenticated attackers can achieve remote code execution on Cacti servers by exploiting improper input validation in SNMP response parsing, potentially leading to complete system compromise.
Affected Products
- Cacti versions prior to 1.2.29
- Cacti network monitoring framework installations using SNMP polling
- Systems running vulnerable Cacti instances with authenticated user access
Discovery Timeline
- 2025-01-27 - CVE-2025-22604 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2025-22604
Vulnerability Analysis
This vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command), commonly known as OS Command Injection. The flaw exists in Cacti's SNMP response parsing mechanism, specifically within the multi-line SNMP result parser that processes disk I/O and disk bytes metrics.
The vulnerability allows authenticated users to craft malicious SNMP responses containing specially formatted OIDs. When Cacti processes these responses through the ss_net_snmp_disk_io() or ss_net_snmp_disk_bytes() functions, the parser fails to properly sanitize the OID values before incorporating them into system commands. This creates a direct path from user-controlled input to command execution on the server.
Root Cause
The root cause stems from insufficient input validation in the SNMP response parsing functions. The multi-line parser extracts OID components and uses portions of these values as array keys without proper sanitization. When these array values are subsequently used in system command construction, the unsanitized input enables command injection. The parser trusts that SNMP OID responses conform to expected formats, failing to account for malicious or malformed input from authenticated users who can influence SNMP response data.
Attack Vector
The attack requires authenticated access to the Cacti application. An attacker with valid credentials can manipulate SNMP responses by injecting malformed OIDs that contain shell metacharacters or command sequences. When the vulnerable functions process these crafted responses, the injected commands execute with the privileges of the Cacti web application process, typically allowing for complete server compromise.
The network-based attack vector requires no user interaction once the attacker has obtained authenticated access. The exploitation targets the disk monitoring functionality, making it particularly relevant for Cacti deployments that leverage SNMP for infrastructure monitoring.
Cacti CHANGELOG
-1.2.x
+1.2.29
+-security#GHSA-pv2c-97pp-vxwg: Local File Inclusion (LFI) Vulnerability via Poller Standard Error Log Path
+-security#GHSA-f9c7-7rc3-574c: SQL Injection vulnerability when using tree rules through Automation API
+-security#GHSA-vj9g-P7F2-4wqj: SQL Injection vulnerability when view host template
+-security#GHSA-fh3x-69rr-qqpp: SQL Injection vulnerability when request automation devices
+-security#GHSA-c5j8-jxj3-hh36: Authenticated RCE via multi-line SNMP responses
+-security#GHSA-fxrq-fr7h-9rqq: Arbitrary File Creation leading to RCE
-issue#5843: Issue with temporary tables with use of microtime
-issue#5847: Presets Time in Cacti 1.2.28 Not Automatically Updating...
-issue#5848: RRDfile Auto Clean not working
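Review bot: the advisory id on the `+-security#GHSA-vj9g-P7F2-4wqj` line mixes uppercase into an otherwise lowercase GitHub advisory identifier, while every other `+-security#GHSA-...` entry in the hunk is lowercase; verify the id against the published advisory and normalise its case so the reference resolves and matches the other entries.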
Source: GitHub Cacti Commit
Detection Methods for CVE-2025-22604
Indicators of Compromise
- Unusual SNMP response data containing shell metacharacters (;, |, $(), backticks) in OID values
- Unexpected process spawning from the Cacti web server process
- Anomalous disk I/O related SNMP queries with malformed OID patterns
- Web application logs showing repeated access to disk monitoring endpoints with unusual parameters
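The root-cause description above (an OID fragment used as an array key that ends up inside a system command) and the first indicator in this list (shell metacharacters inside OID values) both come down to the same check: an OID must be a dotted sequence of integers and nothing else. The following is an added example, not Cacti's own parser or any of its `ss_net_snmp_disk_*` code. It parses a constructed snmpwalk-style multi-line result, rejects any line whose OID fails strict validation, flags the metacharacter indicator for detection, and shows a hardened way to build the follow-up command (an argv list, no shell) so a validated OID can never become shell syntax. The OIDs in the sample are constructed to resemble UCD-SNMP diskIO entries; `SAMPLE_RESPONSE`, `OID_RE`, `SHELL_META` and all function names are this example's own.

```python
import re
import shlex

# An OID is a dotted sequence of non-negative integers, optionally with a
# leading dot. Anything else is rejected before it can reach a command line.
OID_RE = re.compile(r"^\.?\d+(\.\d+)+$")

# Shell metacharacters named in the indicators-of-compromise list above.
SHELL_META = frozenset(";|&$`()<>\n\r")

# Constructed sample of net-snmp style multi-line output (not a real capture).
# The last line carries a malformed OID of the kind the advisory describes.
SAMPLE_RESPONSE = """\
.1.3.6.1.4.1.2021.13.15.1.1.2.1 = STRING: sda
.1.3.6.1.4.1.2021.13.15.1.1.2.2 = STRING: sdb
.1.3.6.1.4.1.2021.13.15.1.1.2.3;x = STRING: sdc
"""


def parse_multiline(text):
    """Return (results, rejected).

    results maps each validated OID to its value; rejected lists the raw
    lines whose OID did not match OID_RE. Rejected lines never become keys.
    """
    results, rejected = {}, []
    for line in text.splitlines():
        if not line.strip():
            continue
        oid, sep, rest = line.partition(" = ")
        oid = oid.strip()
        if not sep or not OID_RE.match(oid):
            rejected.append(line)
            continue
        # Drop the "TYPE:" prefix that net-snmp prints before the value.
        value = rest.split(":", 1)[1].strip() if ":" in rest else rest.strip()
        results[oid] = value
    return results, rejected


def find_suspicious_oids(text):
    """Detection: return (line, metacharacters) for every line whose OID part
    contains a shell metacharacter. Runs over raw poller output or logs."""
    hits = []
    for line in text.splitlines():
        oid = line.partition(" = ")[0]
        bad = sorted(set(oid) & SHELL_META)
        if bad:
            hits.append((line, bad))
    return hits


def disk_index(oid):
    """The last arc of a validated OID, i.e. the per-disk index that the
    vulnerable code used as an array key. Refuses unvalidated input."""
    if not OID_RE.match(oid):
        raise ValueError("refusing to use an unvalidated OID as a key")
    return oid.rsplit(".", 1)[1]


def build_snmpget_argv(host, community, oid):
    """Hardened command construction: an argv list to pass to subprocess.run
    without shell=True, so no element is ever interpreted by a shell."""
    if not OID_RE.match(oid):
        raise ValueError("refusing to place an unvalidated OID in a command")
    return ["snmpget", "-v2c", "-c", community, host, oid]


def build_snmpget_shell(host, community, oid):
    """If a shell string is unavoidable, quote every operand after validating
    the OID. shlex.quote neutralises the metacharacters listed above."""
    if not OID_RE.match(oid):
        raise ValueError("refusing to place an unvalidated OID in a command")
    return " ".join(["snmpget", "-v2c", "-c", shlex.quote(community),
                     shlex.quote(host), shlex.quote(oid)])


if __name__ == "__main__":
    results, rejected = parse_multiline(SAMPLE_RESPONSE)
    print("validated:", results)
    print("rejected:", rejected)
    for line, bad in find_suspicious_oids(SAMPLE_RESPONSE):
        print("INDICATOR: metacharacters", bad, "in", line)
    print(build_snmpget_argv("10.0.0.5", "public",
                             ".1.3.6.1.4.1.2021.13.15.1.1.2.1"))
```

The two layers are deliberate: validation at the parser boundary keeps malformed OIDs out of the data structure entirely, and building the command as an argv list means that even a validation bug cannot turn a key into shell syntax. `find_suspicious_oids` is the detection counterpart and can be run over archived poller output to look for the indicator without changing the poller.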
Detection Strategies
- Monitor Cacti application logs for SNMP parsing errors or unexpected exception handling
- Implement network-level inspection for SNMP responses containing suspicious character sequences
- Deploy endpoint detection to identify unauthorized child processes spawned by the web server
- Audit authentication logs for compromised accounts being used to access disk monitoring functions
Monitoring Recommendations
- Enable verbose logging for SNMP polling operations in Cacti
- Configure SIEM alerts for command execution patterns originating from web application contexts
- Implement file integrity monitoring on Cacti installation directories
- Monitor for unauthorized modifications to Cacti configuration or polling scripts
How to Mitigate CVE-2025-22604
Immediate Actions Required
- Upgrade Cacti to version 1.2.29 or later immediately
- Review and audit all authenticated user accounts for unauthorized access
- Restrict network access to Cacti management interfaces
- Implement additional authentication controls such as multi-factor authentication for administrative access
Patch Information
Cacti has addressed this vulnerability in version 1.2.29. The fix implements proper input sanitization for SNMP response parsing, ensuring that OID values are validated before being used in command construction. The security update also addresses several additional vulnerabilities including SQL injection and local file inclusion issues.
Organizations should obtain the patched version from the official Cacti repository. The specific commit addressing this vulnerability is available at the GitHub Cacti Security Commit. Additional details are available in the GitHub Security Advisory GHSA-c5j8-jxj3-hh36. Debian users should refer to the Debian LTS Announcement for distribution-specific updates.
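Because the affected range is "prior to 1.2.29", the practical question across a fleet is which installs still report an older version. The following is an added example, not a Cacti tool: it parses version strings of the form found in `include/cacti_version` into integer tuples and triages a constructed inventory. Comparing tuples rather than strings matters here, since a plain string comparison would rank "1.2.9" above "1.2.29" and miss an affected host. Tolerating a trailing non-numeric suffix such as "-dev" is an assumption of this example; the inventory hosts and `INVENTORY`, `FIXED_VERSION`, `parse_version`, `is_affected` and `triage` are all constructed names.

```python
import re

# First fixed release per the advisory; anything that compares lower is affected.
FIXED_VERSION = (1, 2, 29)

# Constructed inventory of (host, contents of include/cacti_version).
INVENTORY = [
    ("cacti-a.example.net", "1.2.28"),
    ("cacti-b.example.net", "1.2.29"),
    ("cacti-c.example.net", "1.2.30"),
    ("cacti-d.example.net", "1.2.9"),
]


def parse_version(text):
    """Parse 'MAJOR.MINOR.PATCH' into a tuple of ints.

    A trailing suffix (e.g. '1.2.29-dev') is ignored; this is an assumption
    about the file format, not something the advisory states.
    """
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Cacti version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version_text):
    """True when the version is older than the first fixed release."""
    return parse_version(version_text) < FIXED_VERSION


def triage(inventory):
    """Return the sorted list of hosts whose version is still affected."""
    return sorted(host for host, version in inventory if is_affected(version))


if __name__ == "__main__":
    for host in triage(INVENTORY):
        print(f"{host}: upgrade to 1.2.29 or later")
```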
Workarounds
- Limit authenticated access to Cacti to only trusted administrators
- Implement network segmentation to isolate Cacti servers from untrusted networks
- Disable SNMP disk monitoring features if not required for operational needs
- Deploy web application firewall rules to filter suspicious SNMP-related requests
# Verify current Cacti version
cat /var/www/html/cacti/include/cacti_version
# Update Cacti to patched version (example for manual installation)
cd /var/www/html/cacti
git fetch origin
git checkout release/1.2.29
# Restrict web access to Cacti (Apache example)
# Add to Apache configuration
<Directory /var/www/html/cacti>
Require ip 10.0.0.0/8
Require ip 192.168.0.0/16
</Directory>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.