Cacti is an open source performance and fault management framework. Due to a flaw in the multi-line SNMP result parser, authenticated users can inject malformed OIDs in the response. When processed by ss_net_snmp_disk_io() or ss_net_snmp_disk_bytes(), a part of each OID will be used as a key in an array that is used as part of a system command, causing a command execution vulnerability. This vulnerability is fixed in version 1.2.29.
Given the CVSS score of 9.1, this vulnerability is considered critical. Organizations using Cacti should understand the severe implications of this flaw, as it allows attackers to execute arbitrary commands on the server, potentially leading to a full compromise of the system.
Risk to organizations includes unauthorized access and manipulation of sensitive data, impacting business operations and customer trust. The urgency for defenders is high, and organizations should prioritize patching immediately.
Currently, there is evidence of the vulnerability being actively discussed, with a proof of concept available on GitHub. Organizations must remain vigilant and apply the necessary updates to mitigate any potential exploitation.
Vulnerability Details
The vulnerability allows authenticated users to exploit a flaw in the SNMP parser of Cacti, potentially leading to command execution. The CVSS score of 9.1 indicates a critical severity level, highlighting the need for immediate action. The vulnerability affects all versions of Cacti prior to 1.2.29.
Technical Analysis
The root cause of this vulnerability is located in the SNMP multi-line result parser. Authenticated users can inject malformed OIDs which are then misused as keys in command execution contexts. The attack vector is network-based, requiring high privileges for exploitation. The attack complexity is low, and no user interaction is needed, making this vulnerability particularly dangerous.
Risk & Impact Analysis
The real-world risk involves potential unauthorized access and full system compromise, impacting both confidentiality and integrity of data. Organizations that fail to patch this vulnerability could face significant operational disruptions and loss of customer confidence. Given the critical nature of the exploit, it is essential to address this vulnerability as part of the priority patch cycle.
Exploitation Status
Signal | Status |
|---|---|
Known Exploit | Yes |
Public PoC | Yes |
Actively Exploited | No |
Ransomware Use | No |
Affected Versions
All versions of Cacti prior to 1.2.29 are affected by this vulnerability. Organizations must ensure they upgrade to this version or later to mitigate the risks associated with this vulnerability.
Mitigation & Remediation
Organizations should patch their installations of Cacti to version 1.2.29 or later to remediate this vulnerability. If immediate patching is not possible, consider implementing network controls to limit access to the application and monitoring for unusual activity. Additional security measures should include reviewing user access and ensuring that only authorized personnel have access to critical systems. For comprehensive security assessments, organizations can utilize penetration testing services to validate the security posture.
Detection Guidance
To detect potential exploitation attempts, organizations should monitor logs for unusual SNMP request patterns and system command execution. Behavioral anomalies may include unexpected changes in system performance or unauthorized access attempts. Network signatures should be reviewed to identify any unauthorized communications attempting to exploit this vulnerability.
AppSecure Threat Intelligence Insight
The long-term significance of CVE-2025-22604 highlights the ongoing risks associated with vulnerabilities in widely used open source frameworks. Security teams should analyze patterns from this incident to bolster defenses against similar vulnerabilities. Lessons learned include the importance of maintaining timely updates and monitoring systems for potential exploitation. As a strategic takeaway, organizations should prioritize proactive security measures to address vulnerabilities before they can be exploited.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
.webp)