CVE-2025-66399
📋 TL;DR
This vulnerability allows authenticated Cacti users to inject malicious SNMP community strings containing control characters like newlines. When these strings are used in backend SNMP operations, they can be interpreted as command boundaries by downstream tooling, potentially leading to command execution with Cacti process privileges. Organizations running Cacti versions before 1.2.29 with authenticated user access are affected.
💻 Affected Systems
- Cacti
📦 What is this software?
Cacti by Cacti
⚠️ Risk & Real-World Impact
Worst Case
Authenticated attacker achieves remote code execution on the Cacti server with the privileges of the Cacti process, potentially leading to full system compromise, data theft, or lateral movement.
Likely Case
Authenticated user with malicious intent executes arbitrary commands on the Cacti server, potentially disrupting monitoring services, accessing sensitive data, or establishing persistence.
If Mitigated
Attack is prevented through proper input validation in patched versions, or limited by network segmentation and least privilege controls in unpatched environments.
🎯 Exploit Status
Exploitation requires authenticated access to Cacti and depends on downstream SNMP tooling behavior. The vulnerability is straightforward to exploit once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.29
Vendor Advisory: https://github.com/Cacti/cacti/security/advisories/GHSA-c7rr-2h93-7gjf
Restart Required: Yes
Instructions:
1. Backup your Cacti database and configuration files.
2. Download Cacti 1.2.29 from the official repository.
3. Follow the Cacti upgrade documentation to replace files and run database updates.
4. Restart the web server and Cacti poller services.
🔧 Temporary Workarounds
Restrict SNMP Device Configuration Access
Limit which authenticated users can configure SNMP devices to only trusted administrators.
# Review and modify Cacti user permissions in the web interface
# Remove 'Device Management' permissions from non-administrative users
Input Validation Filter
Implement custom validation to reject SNMP community strings containing control characters.
# Add validation in Cacti's SNMP configuration code to filter newlines and control characters
# Example regex: /[\x00-\x1F\x7F]/
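A stand-alone version of the check this workaround describes, added here as an example and not code from Cacti (the real check belongs in Cacti's PHP device-configuration handling); the regex is the one above, while the sample strings and the length limit are constructed assumptions:

```python
import re

# Control characters the workaround filters: C0 controls (0x00-0x1F) and DEL (0x7F).
# Newlines are the case that matters here, since downstream tooling may read
# them as a boundary between commands; the string is rejected, not sanitized,
# so a malformed value never reaches the backend at all.
CONTROL_CHARS = re.compile(r"[\x00-\x1F\x7F]")


def find_control_chars(community: str) -> list[str]:
    """Return escaped representations (e.g. '\\x0a') of control characters found."""
    return [f"\\x{ord(ch):02x}" for ch in CONTROL_CHARS.findall(community)]


def validate_community_string(community: str, max_len: int = 255) -> tuple[bool, str]:
    """Accept a community string only if it is non-empty, bounded and printable.

    Returns (accepted, reason). A rejected value should be logged server-side
    together with the submitting user and device id so the attempt is auditable.
    """
    if not community:
        return False, "empty community string"
    if len(community) > max_len:
        return False, f"community string longer than {max_len} characters"
    found = find_control_chars(community)
    if found:
        return False, "control characters not allowed: " + ", ".join(found)
    return True, "ok"


# Constructed sample inputs: expected acceptance for each value.
SAMPLES = {
    "public": True,
    "r0-monitoring!": True,
    "public\nsecond": False,   # embedded newline
    "public\x00": False,       # embedded NUL
    "public\x7f": False,       # DEL
}


def check_samples() -> dict[str, bool]:
    """Run the validator over SAMPLES and return the accept/reject outcome per value."""
    return {s: validate_community_string(s)[0] for s in SAMPLES}


if __name__ == "__main__":
    for s, accepted in check_samples().items():
        reason = validate_community_string(s)[1]
        print(f"{s!r:22} -> {'accepted' if accepted else 'rejected'}: {reason}")
```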
🧯 If You Can't Patch
- Restrict network access to Cacti web interface to only trusted administrative networks.
- Implement strict monitoring and alerting for unusual SNMP configuration changes or command execution attempts.
🔍 How to Verify
Check if Vulnerable:
Check your Cacti version via the web interface (Console → System Utilities → About) or by examining the Cacti source files for version information.
Check Version:
grep '\$version' /path/to/cacti/include/global.php | head -1
Verify Fix Applied:
After upgrading, verify the version shows 1.2.29 or later in the About page, and test that SNMP community strings with newlines are rejected during device configuration.
📡 Detection & Monitoring
Log Indicators:
- Unusual SNMP device configuration changes in Cacti logs
- Failed login attempts followed by successful authentication and SNMP configuration
- Unexpected command execution in system logs from the Cacti user
Network Indicators:
- Unusual outbound connections from the Cacti server following SNMP configuration changes
- SNMP traffic to unexpected destinations
SIEM Query:
source="cacti.log" AND (("SNMP" AND "community") OR ("device" AND "configure"))