
A severe security vulnerability has been identified in Cacti, the popular open-source network monitoring framework. The flaw, designated as CVE-2025-22604, has received a critical CVSS score of 9.1 out of 10.0.
The vulnerability stems from a defect in the multi-line SNMP result parser: an authenticated user can inject malformed OIDs into the SNMP response. When those results are processed by the ss_net_snmp_disk_io() or ss_net_snmp_disk_bytes() functions, the flaw can lead to command execution.
Impact and Risk:
– Authenticated users with device management access can execute arbitrary code
– Potential theft, modification, or deletion of sensitive data
– Affects all Cacti versions up to and including 1.2.28
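The defensive property the parser above lacks is strict validation of every OID token before the result is reused. The following is an added illustration, not Cacti's own code, written in Python rather than Cacti's PHP so the logic is easy to run and check. It assumes snmpwalk-style `oid = TYPE: value` output with quoted STRING values that may span several lines; the sample output, host name and community string are constructed. Any line whose OID is not purely numeric is rejected outright, and a follow-up query is built as an argv list so no shell ever sees the OID.

```python
import re
from dataclasses import dataclass

# Strict numeric OID: optional leading dot, then two or more dot-separated integers.
OID_RE = re.compile(r"^\.?\d+(?:\.\d+)+$")
# One header line of snmpwalk-style output: "<oid> = <TYPE>: <value>"
LINE_RE = re.compile(r"^(?P<oid>\S+)\s*=\s*(?P<vtype>[A-Za-z0-9-]+):\s*(?P<value>.*)$")


class MalformedOidError(ValueError):
    """Raised when a result line carries an OID that is not strictly numeric."""


@dataclass
class SnmpVar:
    oid: str
    vtype: str
    value: str


def _unterminated_string(var: SnmpVar) -> bool:
    # A STRING value that opened a quote but has not closed it continues on the next line.
    return var.value.startswith('"') and var.value.count('"') % 2 == 1


def parse_snmp_walk(text: str) -> list[SnmpVar]:
    """Parse multi-line walk output; every OID must pass OID_RE or the whole result is rejected."""
    results: list[SnmpVar] = []
    current: SnmpVar | None = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if current is not None and _unterminated_string(current):
            # Continuation of a multi-line quoted value: data only, never parsed as a new OID.
            current.value += "\n" + line
            continue
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise MalformedOidError(f"line {lineno}: unrecognised result line {line!r}")
        oid = m.group("oid")
        if OID_RE.match(oid) is None:
            raise MalformedOidError(f"line {lineno}: rejected non-numeric OID {oid!r}")
        current = SnmpVar(oid=oid, vtype=m.group("vtype"), value=m.group("value"))
        results.append(current)
    return results


def snmpget_args(host: str, community: str, oid: str) -> list[str]:
    """Build an argv list for net-snmp's snmpget (hypothetical follow-up query); no shell involved."""
    if OID_RE.match(oid) is None:
        raise MalformedOidError(f"refusing to query non-numeric OID {oid!r}")
    # Pass argv to subprocess.run(args) directly; shell=True would reintroduce the risk.
    return ["snmpget", "-v2c", "-c", community, host, oid]


# Constructed sample output (UCD-SNMP diskIOTable shape): device name, read counter, multi-line name.
SAMPLE_OK = """\
.1.3.6.1.4.1.2021.13.15.1.1.2.1 = STRING: "sda"
.1.3.6.1.4.1.2021.13.15.1.1.3.1 = Counter32: 123456
.1.3.6.1.4.1.2021.13.15.1.1.2.2 = STRING: "multi
line"
"""

# Constructed sample with a malformed OID token that must be rejected.
SAMPLE_BAD = """\
.1.3.6.1.4.1.2021.13.15.1.1.2.1 = STRING: "sda"
1.3.6.1.4.1.2021.13.15.1.1.2.x = STRING: "sdb"
"""

if __name__ == "__main__":
    for var in parse_snmp_walk(SAMPLE_OK):
        print(var)
    try:
        parse_snmp_walk(SAMPLE_BAD)
    except MalformedOidError as err:
        print("rejected:", err)
```

The rule worth keeping is the pairing: validate the OID at parse time and again at the point of use, and never hand result data to a shell. A device that returns a quoted value spanning lines is still handled, but its continuation lines are treated purely as data.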
An additional vulnerability, CVE-2025-24367 (CVSS 7.2), was also discovered, allowing authenticated attackers to create arbitrary PHP scripts in the application’s web root through graph creation and template functionality.
Resolution:
– Both vulnerabilities have been patched in version 1.2.29
– Organizations are strongly advised to update immediately
– Previous instances of Cacti vulnerabilities have been actively exploited
Credit for discovering the primary vulnerability goes to security researcher u32i.