CVE-2025-22604: 
Cacti vulnerability analysis and mitigation

A critical vulnerability (CVE-2025-22604) was discovered in Cacti, an open-source performance and fault management framework. The vulnerability, disclosed on January 26, 2025, exists in the multi-line SNMP result parser where authenticated users can inject malformed OIDs in the response. This vulnerability affects all versions of Cacti up to and including version 1.2.28, with a fix available in version 1.2.29. The vulnerability has been assigned a CVSS score of 9.1 (Critical) (GitHub Advisory, NVD).

The vulnerability stems from a flaw in the multi-line SNMP result parser where OIDs are not properly filtered. When processed by ssnetsnmpdiskio() or ssnetsnmpdiskbytes() functions, a part of each OID is used as a key in an array that becomes part of a system command. The issue occurs in cactisnmpwalk() where execintoarray() executes commands and reads results with multiple lines as an array. While the values are filtered during processing, the OIDs themselves remain unfiltered, leading to potential command injection. The vulnerability is tracked as CWE-78 (Improper Neutralization of Special Elements used in an OS Command) (GitHub Advisory).

The vulnerability enables authenticated users with device management permissions to execute arbitrary code on the server. Successful exploitation could allow attackers to steal, edit, or delete sensitive data from the affected systems. The critical CVSS score of 9.1 reflects the severe potential impact on system confidentiality, integrity, and availability (Hacker News, Security Online).

The vulnerability has been patched in Cacti version 1.2.29. Organizations using affected versions are strongly urged to upgrade to the latest version immediately to mitigate the risk of exploitation. No alternative workarounds have been provided (ASEC, Hacker News).