CVE-2025-22604
Published: 27 January 2025
Summary
CVE-2025-22604 is a critical-severity OS Command Injection (CWE-78) vulnerability in Cacti. Its CVSS 3.1 base score is 9.1 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 1.3% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Cacti, an open source performance and fault management framework, is affected by CVE-2025-22604, a command injection flaw in its multi-line SNMP result parser. An authenticated user can supply malformed OIDs that are processed by ss_net_snmp_disk_io() or ss_net_snmp_disk_bytes(); part of each OID becomes a key in an array that is then incorporated directly into a system command, so shell metacharacters carried in the OID reach the shell. The issue is tracked under CWE-78 and carries a CVSS 3.1 score of 9.1.
An attacker with valid credentials can exploit the vulnerability over the network to execute arbitrary commands on the affected host, with full loss of confidentiality, integrity, and availability. The CVSS vector reflects high privileges required and no user interaction, with a changed scope: the injected commands run in the operating system, outside the security boundary of the web application that processed the input.
The vulnerability is fixed in Cacti 1.2.29. The project has published a corresponding commit and security advisory, and Debian has released updates through its LTS announcement channels for affected packages. The current EPSS score of 0.7007 (peak 0.7221) indicates sustained exploitation interest following disclosure; it is a probability estimate of exploitation in the wild, not evidence of confirmed attacks.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-2878
Vulnerability details
Cacti is an open source performance and fault management framework. Due to a flaw in the multi-line SNMP result parser, authenticated users can inject malformed OIDs in the response. When processed by ss_net_snmp_disk_io() or ss_net_snmp_disk_bytes(), a part of each OID will be used as a key in an array that is used as part of a system command, causing a command execution vulnerability. This vulnerability is fixed in 1.2.29.
- CWE(s): CWE-78 (Improper Neutralization of Special Elements used in an OS Command, "OS Command Injection")
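The pattern described in the analysis and in the vulnerability details above, as an added illustration that is not Cacti's own code and does not reproduce the affected functions: a hypothetical parser takes multi-line SNMP output, uses the last OID component as an array key, and splices that key into a shell command; the hardened variant accepts only numeric OID components and shell-escapes the argument. The sample output, the OIDs, the command text and the function names are all constructed for this example.

```php
<?php
// Added illustration, not Cacti's own code: an OID component taken from
// multi-line SNMP output becomes an array key and then part of a shell
// command. Sample output, OIDs and the command are constructed here.

// Constructed multi-line SNMP output. The third line's OID carries shell
// metacharacters in its last component, as an authenticated user could
// supply through a crafted response.
$sample = <<<'EOT'
.1.3.6.1.4.1.2021.13.15.1.1.2.1 = STRING: sda
.1.3.6.1.4.1.2021.13.15.1.1.2.2 = STRING: sdb
.1.3.6.1.4.1.2021.13.15.1.1.2.3;id>/tmp/pwned = STRING: sdc
EOT;

// Parse "OID = TYPE: value" lines into [last OID component => value].
// Nothing is validated here, mirroring the flaw class on this page.
function parse_snmp_lines(string $output): array {
    $rows = [];
    foreach (explode("\n", $output) as $line) {
        if (strpos($line, ' = ') === false) {
            continue;
        }
        [$oid, $rest] = explode(' = ', $line, 2);
        $index = substr($oid, strrpos($oid, '.') + 1);
        $value = trim(substr($rest, strpos($rest, ':') + 1));
        $rows[$index] = $value;
    }
    return $rows;
}

// VULNERABLE: the array key is interpolated into the command string, so
// ";id>/tmp/pwned" would be executed by the shell when the command runs.
function build_commands_vulnerable(array $rows): array {
    $cmds = [];
    foreach ($rows as $index => $device) {
        $cmds[] = "snmpget -Oqv target .1.3.6.1.4.1.2021.13.15.1.1.3.$index";
    }
    return $cmds;
}

// HARDENED: an OID component is a non-negative integer and nothing else.
// Anything that does not match is rejected outright (no "sanitising"),
// and the argument is still shell-escaped as defence in depth.
function build_commands_hardened(array $rows): array {
    $cmds = [];
    foreach ($rows as $index => $device) {
        if (!preg_match('/^\d+$/', (string) $index)) {
            continue;
        }
        $cmds[] = 'snmpget -Oqv target '
            . escapeshellarg('.1.3.6.1.4.1.2021.13.15.1.1.3.' . $index);
    }
    return $cmds;
}

$rows = parse_snmp_lines($sample);
// The vulnerable builder yields three commands, the last one tainted;
// the hardened builder yields two, having dropped the malformed key.
print_r(build_commands_vulnerable($rows));
print_r(build_commands_hardened($rows));
```

Rejecting the malformed key is deliberate: an OID component has a known shape, so an allow-list check is both simpler and safer than trying to strip metacharacters. Where the command must still be run, passing it to proc_open() as an array (supported since PHP 7.4) avoids the shell altogether, which removes the injection surface rather than escaping around it.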
Related Threats
MITRE ATT&CK Enterprise Techniques: Exploit Public-Facing Application (T1190)
Why this technique?
The command injection in the Cacti web application lets an authenticated attacker who can reach the public-facing application gain a foothold on the host and execute arbitrary system commands via the Unix shell.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mandates identification, reporting, and correction of the command injection flaw in Cacti through timely patching to version 1.2.29.
- SI-10 (Information Input Validation): requires validation of SNMP OID inputs so that malformed OIDs are rejected before ss_net_snmp_disk_io() or ss_net_snmp_disk_bytes() can turn them into part of a system command.
- AC-6 (Least Privilege): restricts the privileges of authenticated Cacti users and of the OS account Cacti runs under, limiting what injected commands can reach even if a malformed OID is processed.