CVE-2025-22604
📋 TL;DR
CVE-2025-22604 is a command injection vulnerability in Cacti's SNMP result parser that allows authenticated users to execute arbitrary system commands. The vulnerability affects Cacti versions before 1.2.29 and requires authenticated access to exploit. This enables attackers with valid credentials to potentially compromise the underlying server.
💻 Affected Systems
- Cacti
📦 What is this software?
Cacti by Cacti
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with root/administrator privileges, allowing complete control over the server, data exfiltration, and lateral movement within the network.
Likely Case
Authenticated attackers gain command execution with web server user privileges, enabling file system access, data theft, and potential privilege escalation.
If Mitigated
With proper network segmentation and least privilege, impact limited to the Cacti application server with minimal access to sensitive systems.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once credentials are obtained. The vulnerability is in core SNMP parsing functions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.29
Vendor Advisory: https://github.com/Cacti/cacti/security/advisories/GHSA-c5j8-jxj3-hh36
Restart Required: No
Instructions:
1. Back up your Cacti database and configuration files.
2. Download Cacti 1.2.29 from the official repository.
3. Follow the upgrade instructions at https://docs.cacti.net/Upgrading.
4. Verify that the upgrade completed successfully.
🔧 Temporary Workarounds
Disable SNMP polling
Temporarily disable SNMP data collection to prevent exploitation
# Edit Cacti configuration to disable SNMP polling
# Or disable SNMP data sources in the web interface
Restrict user access
Limit Cacti access to only the necessary administrative users
# Configure web server authentication
# Review and remove unnecessary user accounts
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Cacti servers from critical systems
- Enforce strong authentication policies and monitor for suspicious user activity
🔍 How to Verify
Check if Vulnerable:
Check Cacti version via web interface (Console -> About) or command line: grep 'version' /path/to/cacti/include/global.php
Check Version:
grep "\$version" /path/to/cacti/include/global.php | head -1
Verify Fix Applied:
Confirm that the version is 1.2.29 or later and that commit c7e4ee798d263a3209ae6e7ba182c7b65284d8f0 is present in the installed tree
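As an added example (not code from this advisory or from the Cacti project), a POSIX shell check that reads the $version assignment from include/global.php and compares it component by component with the fixed release 1.2.29; the sample global.php content it runs against is constructed.

```shell
#!/bin/sh
# Added example (not from the advisory or the Cacti project): read the
# version assigned to $version in Cacti's include/global.php and test
# whether it predates the fixed release 1.2.29. Sample file is constructed.

FIXED_VERSION="1.2.29"

# Print the first value assigned to $version in the given global.php.
cacti_version_from_global() {
  sed -n -E "s/^[[:space:]]*[$]version[[:space:]]*=[[:space:]]*['\"]([^'\"]+)['\"].*/\1/p" "$1" | head -n 1
}

# Compare dotted numeric versions component by component (POSIX sh,
# no GNU sort -V needed). Prints -1, 0 or 1 for "$1" <, =, > "$2".
version_cmp() {
  a="$1." b="$2."
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; a=${a#*.}; y=${b%%.*}; b=${b#*.}
    x=${x:-0}; y=${y:-0}
    if [ "$x" -lt "$y" ]; then echo -1; return; fi
    if [ "$x" -gt "$y" ]; then echo 1; return; fi
  done
  echo 0
}

# Return 0 (true) when the installed version is older than the fix.
cacti_is_vulnerable() {
  [ "$(version_cmp "$1" "$FIXED_VERSION")" = "-1" ]
}

# Check a global.php file: prints a verdict; exit 0 = vulnerable,
# 1 = fixed, 2 = no $version line found.
cacti_check_global_php() {
  ver=$(cacti_version_from_global "$1")
  [ -n "$ver" ] || { echo "no \$version line in $1"; return 2; }
  if cacti_is_vulnerable "$ver"; then
    echo "Cacti $ver is before $FIXED_VERSION: vulnerable to CVE-2025-22604"
    return 0
  fi
  echo "Cacti $ver is $FIXED_VERSION or later: fix applied"
  return 1
}

# Constructed sample of the relevant lines of include/global.php.
sample=$(mktemp)
printf '%s\n' '<?php' "\$version = '1.2.28';" > "$sample"
cacti_check_global_php "$sample"   # prints the "vulnerable" verdict
rm -f "$sample"
```

Point the function at the real file (for example /path/to/cacti/include/global.php) to check an installation; a pre-release suffix on the version string is not handled by the numeric comparison.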
📡 Detection & Monitoring
Log Indicators:
- Unusual SNMP OID patterns in Cacti logs
- Suspicious system commands executed from web server process
- Failed authentication attempts followed by successful logins
Network Indicators:
- Unexpected outbound connections from Cacti server
- SNMP traffic containing malformed OIDs
SIEM Query:
source="cacti.log" AND ("ss_net_snmp_disk_io" OR "ss_net_snmp_disk_bytes") AND ("OID" OR "command")