CVE-2025-22604
Published: 27 January 2025
Summary
CVE-2025-22604 is a critical-severity OS Command Injection (CWE-78) vulnerability in Cacti. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 1.3% of CVEs by estimated exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): Directly mandates identification, reporting, and correction of the command injection flaw in Cacti by timely patching to version 1.2.29.
SI-10 (Information Input Validation): Requires validation of SNMP OID inputs so that a malformed OID (anything other than a dotted sequence of integers) is rejected before ss_net_snmp_disk_io() or ss_net_snmp_disk_bytes() can turn part of it into a system command.
AC-6 (Least Privilege): Limits the privileges of authenticated Cacti users, and of the account under which Cacti executes script-server commands, so that a command injected through a malformed OID has a smaller blast radius even if the flaw is reached.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The command injection in the Cacti web application lets an authenticated attacker exploit the public-facing application (T1190) for initial access and then execute arbitrary system commands through the Unix shell (Command and Scripting Interpreter: Unix Shell, T1059.004).
NVD Description
Cacti is an open source performance and fault management framework. Due to a flaw in multi-line SNMP result parser, authenticated users can inject malformed OIDs in the response. When processed by ss_net_snmp_disk_io() or ss_net_snmp_disk_bytes(), a part of each OID will be used as a key in an array that is used as part of a system command, causing a command execution vulnerability. This vulnerability is fixed in 1.2.29.
Deeper analysis
CVE-2025-22604 is a command injection vulnerability (CWE-78) in Cacti, an open source performance and fault management framework. The flaw stems from improper handling in the multi-line SNMP result parser, where authenticated users can inject malformed Object Identifiers (OIDs) into SNMP responses. These OIDs are processed by the ss_net_snmp_disk_io() or ss_net_snmp_disk_bytes() functions, which use a portion of each OID as a key in an array incorporated into a system command, enabling arbitrary command execution. The vulnerability affects Cacti versions prior to 1.2.29 and carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
An attacker with high-privilege authenticated access to the Cacti instance can exploit this vulnerability remotely over the network with low complexity and no user interaction required. The attacker supplies an SNMP response whose multi-line result contains malformed OIDs; the parser stores part of each OID as an array key, and because the script-server functions embed that key in a system command string, the attacker-controlled portion of the OID is executed by the shell on the Cacti host. Successful exploitation grants full control over the system, with high confidentiality, integrity, and availability impacts and a changed scope, since the command runs outside the web application's own security boundary.
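The following is an added, stand-alone Python model of the bug class described above and of the input validation that SI-10 calls for. It is not Cacti's code (Cacti's script-server functions are PHP) and does not reproduce the real parser; the snmpwalk-style lines, the host address and the snmpget command shape are constructed for illustration. The OID base is the UCD-SNMP-MIB diskIODevice column, chosen as a realistic table for a disk I/O script. The vulnerable builder shows how a crafted OID suffix that became an array key reaches a shell string; the hardened path rejects any index that is not a dotted sequence of integers and builds an argv list so no shell is involved at all.

```python
import re
import shlex

# Constructed sample of multi-line SNMP output (snmpwalk style). The third line
# carries a malformed OID of the kind a crafted response could return; it is
# not captured from a real device.
SAMPLE_WALK = """\
.1.3.6.1.4.1.2021.13.15.1.1.2.1 = STRING: sda
.1.3.6.1.4.1.2021.13.15.1.1.2.2 = STRING: sdb
.1.3.6.1.4.1.2021.13.15.1.1.2.3;touch /tmp/pwned;# = STRING: sdc
"""

# UCD-SNMP-MIB diskIOTable, diskIODevice column (used here as a realistic base).
DISK_IO_BASE = ".1.3.6.1.4.1.2021.13.15.1.1.2"

# A valid OID index is one or more integers separated by dots, nothing else.
OID_INDEX = re.compile(r"[0-9]+(\.[0-9]+)*")


def parse_walk(text, base):
    """Split multi-line walk output into {index: value}.

    The index is whatever follows `base.` in the OID. This is the step at which
    a malformed OID from a crafted response becomes an array key, exactly the
    data the vulnerable script-server functions later reuse.
    """
    rows = {}
    for line in text.splitlines():
        if " = " not in line:
            continue
        oid, _, value = line.partition(" = ")
        if not oid.startswith(base + "."):
            continue
        index = oid[len(base) + 1:]
        rows[index] = value.split(": ", 1)[-1]
    return rows


def build_command_vulnerable(host, base, index):
    """Vulnerable pattern: the array key is interpolated into a shell string."""
    return f"snmpget -v2c -c public {host} {base}.{index}"


def is_safe_index(index):
    """True only for a dotted sequence of integers (the SI-10 validation)."""
    return OID_INDEX.fullmatch(index) is not None


def build_command_hardened(host, base, index):
    """Hardened pattern: validate the key, then build an argv list (no shell)."""
    if not is_safe_index(index):
        raise ValueError(f"rejected OID index {index!r}")
    return ["snmpget", "-v2c", "-c", "public", host, f"{base}.{index}"]


def shell_form(argv):
    """Quoted string form of an argv list, for logging or when a shell is unavoidable."""
    return " ".join(shlex.quote(a) for a in argv)


def process_walk(text, host, base):
    """Run the hardened path over a whole walk.

    Returns (commands, rejected): argv lists for every valid row and the list
    of indexes that failed validation, so callers can log the attempt.
    """
    commands, rejected = [], []
    for index in parse_walk(text, base):
        if is_safe_index(index):
            commands.append(build_command_hardened(host, base, index))
        else:
            rejected.append(index)
    return commands, rejected


if __name__ == "__main__":
    host = "192.0.2.10"  # documentation address, not a real poller target
    for index in parse_walk(SAMPLE_WALK, DISK_IO_BASE):
        print("vulnerable:", build_command_vulnerable(host, DISK_IO_BASE, index))
    commands, rejected = process_walk(SAMPLE_WALK, host, DISK_IO_BASE)
    for argv in commands:
        print("hardened:  ", shell_form(argv))
    print("rejected:  ", rejected)
```

Running the script prints three "vulnerable" lines, the third of which ends in `;touch /tmp/pwned;#` and would run that command if handed to a shell, followed by two hardened snmpget commands and the rejected index. The validation rejects rather than sanitizes on purpose: stripping metacharacters from an OID index still leaves you executing a command built from attacker-influenced data, whereas an index that is not purely numeric has no legitimate use and should never reach the command builder.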
Official advisories recommend updating to Cacti version 1.2.29, which includes a fix via commit c7e4ee798d263a3209ae6e7ba182c7b65284d8f0. The GitHub Security Advisory (GHSA-c5j8-jxj3-hh36) details the issue and patch, while Debian LTS announcements address backported fixes for affected distributions. No workarounds are specified beyond applying the update.
Details
- CWE(s)