CVE-2025-66399 Overview
Cacti is an open source performance and fault management framework used to graph network device metrics via Simple Network Management Protocol (SNMP). CVE-2025-66399 is an input validation flaw in the SNMP device configuration functionality affecting Cacti versions prior to 1.2.29. Authenticated users can submit crafted SNMP community strings containing control characters, including newlines, that are stored verbatim in the database and later embedded into backend SNMP operations. When downstream SNMP tooling or wrappers interpret newline-separated tokens as command boundaries, this behavior can lead to command execution with the privileges of the Cacti process. The weakness is tracked as [CWE-77] Improper Neutralization of Special Elements used in a Command.
Critical Impact
Authenticated attackers can achieve command execution on the Cacti host by injecting newline-laced SNMP community strings into device configurations.
Affected Products
- Cacti versions prior to 1.2.29
- Deployments using SNMP device polling with downstream wrappers
- Self-hosted Cacti instances exposing authenticated device management
Discovery Timeline
- 2025-12-02 - CVE-2025-66399 published to the National Vulnerability Database
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-66399
Vulnerability Analysis
The flaw resides in how Cacti handles SNMP community strings supplied through device configuration forms. The application accepts the user-supplied value without rejecting or escaping control characters such as line feeds and carriage returns. The community string is persisted to the database in its raw form and later concatenated into SNMP operations performed by backend tooling. When these wrappers parse multi-line input as separate directives or arguments, the injected payload escapes the intended SNMP context. The resulting commands execute under the same operating system account as the Cacti poller process. Because Cacti is commonly granted broad network reachability for monitoring, a successful compromise gives attackers a strong pivot point into managed infrastructure.
Root Cause
The root cause is missing neutralization of control characters in the SNMP community string field. Cacti treats the value as opaque text and applies no allowlist, length check, or stripping of newline sequences before storing it or passing it to shell-adjacent code. The protocol offers no help here: SNMPv1 and SNMPv2c carry the community as an arbitrary OCTET STRING, so any restriction to printable characters has to be enforced by the application itself.
Attack Vector
Exploitation requires an authenticated Cacti session with permission to create or modify devices. The attacker submits a community string that embeds a newline followed by attacker-controlled tokens. When the poller subsequently runs an SNMP operation against the device, the wrapper interprets the additional line as new commands or arguments. The vulnerability is reachable over the network and does not require user interaction beyond the attacker's own authenticated request.
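The following Python model is added here to illustrate the weakness class described in the Root Cause and Attack Vector paragraphs; it is not Cacti's code, not taken from the advisory, and not an exploit against Cacti. It assumes a hypothetical line-oriented SNMP helper that reads one "verb argument" directive per line (the kind of downstream interpreter the text describes) and a hypothetical shell concatenation path. The 64-character printable-ASCII allowlist in validate_community is this example's own choice, not a limit taken from Cacti or the SNMP RFCs.

```python
import re
import shlex

# Conservative allowlist: 1-64 printable ASCII characters. The length cap and
# character set are this example's assumptions; SNMPv1/v2c encode the community
# as an OCTET STRING, so the protocol imposes no such restriction itself.
MAX_COMMUNITY_LEN = 64
_COMMUNITY_RE = re.compile(r"[\x20-\x7e]{1,%d}" % MAX_COMMUNITY_LEN)


def validate_community(value: str) -> str:
    """Return value unchanged if it is safe to store and embed, else raise."""
    if not isinstance(value, str) or not _COMMUNITY_RE.fullmatch(value):
        raise ValueError(
            "SNMP community string must be 1-%d printable ASCII characters"
            % MAX_COMMUNITY_LEN
        )
    return value


# --- Hypothetical line-oriented SNMP helper (a model, not Cacti's code) ---
# The helper reads one "verb argument" directive per line.

def render_directives(host: str, community: str, oid: str) -> str:
    """Build the directive stream the helper would read."""
    return "target %s\ncommunity %s\nget %s\n" % (host, community, oid)


def parse_directives(text: str) -> list:
    """What the helper would execute: every non-empty line is a directive."""
    directives = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            verb, _, arg = line.partition(" ")
            directives.append((verb, arg))
    return directives


def directives_unsafe(host, community, oid):
    """Vulnerable path: the stored value is interpolated verbatim."""
    return parse_directives(render_directives(host, community, oid))


def directives_safe(host, community, oid):
    """Hardened path: reject control characters before interpolation."""
    return parse_directives(
        render_directives(host, validate_community(community), oid))


# --- The same value reaching a shell command line ---

def shell_command_unsafe(host, community, oid):
    """Vulnerable concatenation: in sh, an embedded newline ends the command."""
    return "snmpget -v2c -c %s %s %s" % (community, host, oid)


def shell_command_safe(host, community, oid):
    """Validate, then quote; either layer alone would neutralize the newline."""
    return "snmpget -v2c -c %s %s %s" % (
        shlex.quote(validate_community(community)), host, oid)


# Constructed payload for the model: the second line is a directive only the
# hypothetical helper understands, not a real SNMP or Cacti command.
INJECTED = "public\nexec id"

if __name__ == "__main__":
    print(directives_unsafe("192.0.2.10", INJECTED, "1.3.6.1.2.1.1.5.0"))
    print(shell_command_unsafe("192.0.2.10", INJECTED, "1.3.6.1.2.1.1.5.0"))
    try:
        directives_safe("192.0.2.10", INJECTED, "1.3.6.1.2.1.1.5.0")
    except ValueError as exc:
        print("rejected:", exc)
```

Run it as a script to see the injected value split into an extra "exec" directive on the unsafe path and a second shell line on the concatenation path, while the hardened functions reject the same value before it is ever embedded. Validation at the form boundary is the fix the advisory describes; quoting at the point of use is the defense-in-depth layer for code paths that were missed.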
No verified public exploit code is available. See the GitHub Security Advisory GHSA-c7rr-2h93-7gjf for the maintainers' technical description.
Detection Methods for CVE-2025-66399
Indicators of Compromise
- Device records in the Cacti database containing newline (\n) or carriage return (\r) characters within the SNMP community string column.
- Poller log entries showing unexpected commands or shell errors invoked during SNMP polling cycles.
- Outbound network connections initiated by the Cacti service account to hosts unrelated to monitored devices.
Detection Strategies
- Query the Cacti host table for community strings containing control characters and review device creation history for the responsible account.
- Audit web server or reverse-proxy logs for POST requests to host.php and other device-edit endpoints from unexpected accounts or source addresses; where request bodies are captured (for example by a WAF or proxy), look for percent-encoded control characters such as %0a and %0d, or unusually long values, in the snmp_community parameter.
- Compare deployed Cacti version against 1.2.29 to identify unpatched instances exposed to authenticated users.
Monitoring Recommendations
- Monitor the Cacti service account for unexpected child processes spawned outside the expected poller process tree.
- Alert on file system writes or cron modifications performed by the Cacti or web server user identity.
- Track changes to device configuration tables and flag bulk modifications by non-administrator accounts.
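As an added illustration of the Indicators of Compromise and Detection Strategies above (example code, not part of the advisory or of Cacti), the script below runs two checks over constructed sample data: it flags host records whose community string contains any ASCII control character, and it decodes captured host.php POST bodies to catch percent-encoded newlines before they reach the database. The row shape mirrors the columns of the Cacti host table; the proxy log format, the 64-character length ceiling, and the form field name snmp_community are assumptions for this example.

```python
import re
from urllib.parse import parse_qs

# Any ASCII control character, not only CR/LF, is out of place in a community string.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
MAX_COMMUNITY_LEN = 64  # assumed ceiling for "unusually long"

# Constructed rows in the shape of: SELECT id, description, snmp_community FROM host
SAMPLE_HOSTS = [
    {"id": 1, "description": "core-sw1", "snmp_community": "public"},
    {"id": 2, "description": "edge-rtr", "snmp_community": "public\nid"},
    {"id": 3, "description": "dist-sw2", "snmp_community": "r3ad0nly\r\ncurl 203.0.113.7"},
    {"id": 4, "description": "fw-dmz", "snmp_community": "s3cr3t-RO"},
]


def find_tainted_hosts(rows):
    """Return (id, description) of rows whose community string holds a control character."""
    return [(r["id"], r["description"]) for r in rows
            if CONTROL_CHARS.search(r["snmp_community"])]


# Constructed reverse-proxy log format (an assumption; real proxies vary):
#   <timestamp> <client> <method> <path> <status> "<form body>"
# Body logging must be enabled on the proxy or WAF for this check to work.
SAMPLE_LOG = """\
2025-12-03T10:14:02Z 10.0.0.21 POST /cacti/host.php 302 "action=save&id=1&description=core-sw1&snmp_community=public"
2025-12-03T10:14:22Z 10.0.0.5 POST /cacti/host.php 302 "action=save&id=2&description=edge-rtr&snmp_community=public%0Aid"
2025-12-03T10:15:01Z 10.0.0.5 POST /cacti/graph_view.php 200 "action=preview"
2025-12-03T10:16:40Z 10.0.0.9 POST /cacti/host.php 302 "action=save&id=3&snmp_community=r3ad0nly%0D%0Acurl%20203.0.113.7"
"""

_LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "(.*)"$')


def flag_log_lines(text):
    """Return suspicious host.php POSTs as (timestamp, client, decoded community)."""
    hits = []
    for line in text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue
        ts, client, method, path, _status, body = m.groups()
        if method != "POST" or not path.endswith("/host.php"):
            continue
        # parse_qs percent-decodes, so %0A becomes a real newline before the check.
        for value in parse_qs(body, keep_blank_values=True).get("snmp_community", []):
            if CONTROL_CHARS.search(value) or len(value) > MAX_COMMUNITY_LEN:
                hits.append((ts, client, value))
    return hits


if __name__ == "__main__":
    for host in find_tainted_hosts(SAMPLE_HOSTS):
        print("tainted host record:", host)
    for hit in flag_log_lines(SAMPLE_LOG):
        print("suspicious device save:", hit)
```

The two checks complement each other: the row scan finds what is already stored, while the log scan attributes the write to a client address and timestamp, which is what the device creation history review in the strategies above needs. Decode before matching; a pattern applied to the raw, still-encoded body would miss %0a and %0d.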
How to Mitigate CVE-2025-66399
Immediate Actions Required
- Upgrade Cacti to version 1.2.29 or later on all monitoring servers.
- Review existing device records for community strings containing control characters and remove or correct them.
- Rotate SNMP community strings and Cacti user credentials suspected of abuse following the upgrade.
- Restrict device creation and editing permissions to a minimal set of trusted administrators.
Patch Information
The vendor fixed this issue in Cacti 1.2.29. Patch details and affected commits are documented in the Cacti GitHub Security Advisory GHSA-c7rr-2h93-7gjf. Apply the upstream release rather than backporting, because the fix tightens input validation across multiple SNMP code paths.
Workarounds
- Limit Cacti console access to a trusted network segment using firewall rules or a reverse proxy with authentication.
- Remove the device administration role from non-essential accounts until the upgrade is complete.
- Run the Cacti poller under a dedicated, low-privilege service account with no shell login and restricted file system permissions.
# Example: query for community strings containing newline or carriage return
# (inside the MySQL string literal, \r and \n are escapes for CR and LF, so the
# character class matches either byte; the shell leaves them alone inside double
# quotes; widen the class to '[[:cntrl:]]' to catch other control characters)
mysql -u cacti -p cacti -e \
"SELECT id, description, snmp_community FROM host \
WHERE snmp_community REGEXP '[\r\n]';"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

