A critical remote code execution (RCE) vulnerability, identified as CVE-2025-22604, has been discovered in the Cacti network monitoring framework. The flaw, rated CVSS 9.1, allows an authenticated user who holds device management permissions to execute arbitrary code on the server. It stems from a weakness in the multi-line SNMP result parser that lets an attacker smuggle malicious Object Identifiers (OIDs) into SNMP responses. When those injected OIDs are processed by ss_net_snmp_disk_io() or ss_net_snmp_disk_bytes(), they can be used to run system commands. A proof of concept (PoC) exploit for the vulnerability has been publicly released.
The vulnerability resides in the cacti_snmp_walk() function, where a malformed OID can be injected. The injected OID is then passed to shell_exec(), and improper quoting at that point allows an attacker to execute arbitrary shell commands. Cacti versions up to and including 1.2.28 are affected; version 1.2.29 was released to patch this flaw along with another one tracked as CVE-2025-24367. Cacti users are advised to upgrade to the latest version to mitigate this high severity vulnerability.
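The root cause described above is a parser that trusts OIDs read out of multi-line SNMP walk output and later hands them to a shell. The example below is an added illustration, not Cacti's own code (Cacti is written in PHP; the PHP equivalent of this pattern is to validate the OID and quote it with escapeshellarg(), or to avoid the shell entirely). It shows the two defensive controls a practitioner would want: a strict dotted-decimal check on every OID parsed from walk output, so a line carrying shell syntax is rejected before it reaches any command, and an argv list for the follow-up snmpget so no shell ever interprets the data. The snmpwalk samples, host, community string and OIDs are constructed for the example.

```python
import re
import subprocess
from typing import List, Tuple

# Strict numeric OID: an optional leading dot followed by dotted decimal components.
# Anything else (quotes, semicolons, backticks, whitespace) fails the check, so it
# can never be spliced into a command line.
_OID_RE = re.compile(r"^\.?\d+(\.\d+)*$")

# Constructed sample of multi-line snmpwalk output in the net-snmp
# "OID = TYPE: value" format (diskIODevice rows from the UCD-SNMP diskIO table).
SAMPLE_WALK = """\
.1.3.6.1.4.1.2021.13.15.1.1.2.1 = STRING: sda
.1.3.6.1.4.1.2021.13.15.1.1.2.2 = STRING: sdb
"""

# Constructed hostile sample: the second "OID" carries shell syntax. A parser that
# concatenated this into a shell command string would execute the trailing command.
HOSTILE_WALK = """\
.1.3.6.1.4.1.2021.13.15.1.1.2.1 = STRING: sda
.1.3.6.1.4.1.2021.13.15.1.1.2.2;id = STRING: sdb
"""


def parse_snmp_walk(text: str) -> List[Tuple[str, str]]:
    """Parse multi-line walk output into (oid, value) pairs.

    Every OID must match _OID_RE; the first non-conforming line raises ValueError
    so that nothing downstream ever sees an untrusted OID.
    """
    rows: List[Tuple[str, str]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if " = " not in line:
            raise ValueError(f"line {lineno}: not an 'OID = value' row: {line!r}")
        oid, _, rhs = line.partition(" = ")
        oid = oid.strip()
        if not _OID_RE.match(oid):
            raise ValueError(f"line {lineno}: rejected OID {oid!r}")
        # Drop the "TYPE:" prefix (STRING:, INTEGER:, ...) when present.
        value = rhs.split(": ", 1)[1] if ": " in rhs else rhs
        rows.append((oid, value))
    return rows


def build_snmpget_argv(host: str, community: str, oid: str) -> List[str]:
    """Build the argv for a follow-up snmpget as a list of separate arguments.

    Because the command is never rendered as a single shell string, quoting
    mistakes cannot turn data into commands. The OID is re-validated here so the
    function is safe even if called with data that bypassed parse_snmp_walk().
    """
    if not _OID_RE.match(oid):
        raise ValueError(f"rejected OID {oid!r}")
    return ["snmpget", "-v2c", "-c", community, "-On", host, oid]


def run_snmpget(host: str, community: str, oid: str) -> subprocess.CompletedProcess:
    """Run snmpget with shell=False; requires net-snmp tools on PATH."""
    return subprocess.run(
        build_snmpget_argv(host, community, oid),
        capture_output=True,
        text=True,
        shell=False,  # explicit: no shell interprets the arguments
        check=False,
    )


if __name__ == "__main__":
    print(parse_snmp_walk(SAMPLE_WALK))
    try:
        parse_snmp_walk(HOSTILE_WALK)
    except ValueError as exc:
        print("blocked:", exc)
```

The regex is deliberately narrower than the full OID grammar (it does not accept symbolic names such as `SNMPv2-MIB::sysDescr.0`); when a poller only ever needs numeric OIDs, rejecting everything else is the simplest allowlist and removes the quoting problem at its source rather than patching it at the shell boundary.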