Advisory

Vulnerabilities reported in Cacti framework, one critical remote code execution

Take action: If you are using the Cacti monitoring framework, review this advisory. This is not a panic-mode patch, since exploitation requires valid credentials, so you have some time to plan the upgrade. But make sure you do patch, because any user account will eventually be compromised.


Learn More

Cacti, an open-source monitoring and fault management framework, is reporting two vulnerabilities affecting all versions prior to 1.2.29. The most severe of these vulnerabilities could enable authenticated attackers to execute remote code and manipulate sensitive data.

  • CVE-2025-22604 (CVSS score 9.1) is a flaw in the multi-line SNMP result parser. The vulnerability allows authenticated users to inject malformed Object Identifiers (OIDs) into the system. When these malformed OIDs are processed by specific functions (ss_net_snmp_disk_io() or ss_net_snmp_disk_bytes()), parts of the OID are used as keys in a system command array, which results in command execution.
  • CVE-2025-24367 (CVSS score 7.2) is an arbitrary file creation vulnerability that could also lead to remote code execution. This flaw allows authenticated Cacti users to exploit graph creation and graph template functionality to create arbitrary PHP scripts within the application's web root, potentially enabling remote code execution on the server.

Both vulnerabilities require authentication to exploit, which somewhat limits their potential impact. However, once authenticated, an attacker could execute remote code on the server; create arbitrary PHP scripts in the web root; access, modify, or delete sensitive data; and manipulate system commands through OID injection.

Users of affected Cacti installations should immediately upgrade to version 1.2.29 or later, which contains patches for both vulnerabilities.
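
An upgrade closes CVE-2025-24367 but does not by itself show whether PHP scripts were already written to the web root. The following is an added example, not part of the original advisory or of Cacti's code: it compares the live web root against a manifest built from a trusted copy of the same release and lists script files that are unexpected or changed. The function names, the extension list and the sample file names are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

# Assumption: extensions the web server hands to the PHP interpreter.
SCRIPT_EXTS = (".php", ".phtml", ".phar")

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map relative path -> SHA-256 for every script file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            # Case-insensitive match so names like x.PHP are not missed.
            if name.lower().endswith(SCRIPT_EXTS):
                full = os.path.join(dirpath, name)
                manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest

def audit_web_root(web_root, baseline):
    """Compare the live web root with a manifest built from a trusted copy
    of the same release. Returns (unexpected, modified) relative paths."""
    live = build_manifest(web_root)
    unexpected = sorted(p for p in live if p not in baseline)
    modified = sorted(p for p in live if p in baseline and live[p] != baseline[p])
    return unexpected, modified

def write(root, rel, data):
    """Helper for the constructed sample trees below."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)

if __name__ == "__main__":
    # Constructed sample trees; file names are placeholders, not Cacti's layout.
    with tempfile.TemporaryDirectory() as trusted, tempfile.TemporaryDirectory() as live:
        for root in (trusted, live):
            write(root, "index.php", b"<?php // release file\n")
            write(root, "lib/util.php", b"<?php // release file\n")
        write(live, "images/graph_1.PHP", b"<?php // not in release\n")
        write(live, "lib/util.php", b"<?php // changed on disk\n")
        print(audit_web_root(live, build_manifest(trusted)))
```

Locally edited configuration files will appear in the modified list, so review each entry rather than treating every difference as malicious.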
