
A Thorn in your Security: RCE Flaws discovered in Cacti

Cacti is an open-source network monitoring and graphing tool that helps visualize and track network performance, server health, and device availability. It leverages Round Robin Database Tool (RRD Tool) to store data and generate real-time graphs, making it popular for IT infrastructure monitoring.

A critical vulnerability, tracked as CVE-2025-22604 (CVSS score 9.1), and a high-severity vulnerability, tracked as CVE-2025-24367 (CVSS score 7.2), exist in the Cacti open-source framework. If successfully exploited, they allow an authenticated attacker to execute code remotely on vulnerable systems, leading to theft, modification or deletion of sensitive data.

Technical Details

Before we take a look at the procedure of exploitation, let’s first try and understand the origins of the vulnerability.

  • CVE-2025-22604: A flaw in the multi-line SNMP result parser allows authenticated users to inject malformed OIDs into responses. When these are processed by ss_net_snmp_disk_io() or ss_net_snmp_disk_bytes(), a portion of each OID is used as an array key within a system command.
  • CVE-2025-24367: A flaw in Cacti's handling of the RRD tool enables an authenticated attacker to abuse the graph creation and graph template functionality to create arbitrary PHP scripts in the web root of the application.

An authenticated attacker can exploit the flaws stated above to achieve RCE. The methods to achieve this were discovered by a researcher who goes by the moniker u32i. Here's the breakdown he provided of how CVE-2025-22604 can be exploited to achieve RCE:

To run a command and read its multi-line result into an array in cacti_snmp_walk(), Cacti uses exec_into_array(). It then parses those lines by checking for an equals sign and assigning the left side as the OID and the right side as its value. This process filters the values but not the OIDs.

If a regex check finds that the line being parsed does not contain an OID, the line is appended to the value of the previous OID without filtering. The ss_net_snmp_disk_io() function retrieves three OIDs using snmpwalk and stores the results in two variables, $names and $iops. The final segment of each OID in $names is extracted and added to an array called $indexes.

Cacti then makes another snmpwalk request and checks whether the last part of each OID in that response exists in $indexes. If a match is found, the OID's value is added to an array called $current. This array is JSON-encoded and included in a shell command. Although Cacti attempts to secure the JSON string by enclosing it in single quotes, this protection can be bypassed by carrying out the following steps:

  • Start an SNMP agent to transmit the payload.
  • Modify the ‘Local Linux Machine’ device port to match your agent’s port.
  • Ensure the “Net-SNMP – Combined SCSI Disk I/O” template is added to the device’s graph templates, if not already present.
  • Navigate to the graph tree and select ‘Local Linux Machine’.
  • Click “View in Realtime” on the ‘Combined SCSI Disk I/O’ graph.
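To make the parser weakness concrete from the defender's side, here is an added Python example; it is not Cacti's own PHP code, and the OID regex, the control-character filter, the `helper` command name and the sample snmpwalk output are constructed for this illustration. It shows a walk parser that validates the OID side of every line and applies the same filter to continuation lines as to first lines, and it contrasts wrapping a JSON string in single quotes with proper shell quoting via shlex.quote by counting how many arguments the shell would actually see.

```python
import json
import re
import shlex

# Constructed for this example: the shape of a numeric OID as snmpwalk prints
# it (e.g. ".1.3.6.1.4.1.2021.13.15.1.1.2.1"). Anything else on the left of
# the "=" is rejected instead of being stored.
OID_RE = re.compile(r"^\.?\d+(\.\d+)*$")

# Constructed sample of the multi-line output the parser has to cope with.
SAMPLE_WALK = [
    ".1.3.6.1.4.1.2021.13.15.1.1.2.1 = STRING: sda",
    ".1.3.6.1.4.1.2021.13.15.1.1.2.2 = STRING: sdb",
    "continuation of the previous value",    # no "=": belongs to the OID above
    "bogus' oid = STRING: sdc",              # left side is not an OID
]


def clean_value(raw):
    """Drop everything outside printable ASCII (newlines included) and trim."""
    return re.sub(r"[^\x20-\x7e]", "", raw).strip()


def parse_snmp_walk(lines):
    """Parse 'OID = value' lines into a dict.

    The weakness described above is that the value side is filtered, the OID
    side is not, and a line without "=" is appended to the previous value
    with no filtering at all. Here the OID must match OID_RE, and
    continuation lines go through clean_value() just like first lines do.
    Rejected lines are returned separately so the caller can log them.
    """
    results, rejected, last_oid = {}, [], None
    for line in lines:
        if "=" in line:
            oid, _, value = line.partition("=")
            oid = oid.strip()
            if not OID_RE.match(oid):
                rejected.append(line)
                last_oid = None   # a bad line's continuation must not attach anywhere
                continue
            results[oid] = clean_value(value)
            last_oid = oid
        elif last_oid is not None:
            results[last_oid] = (results[last_oid] + " " + clean_value(line)).strip()
        else:
            rejected.append(line)
    return results, rejected


def naive_shell_arg(values):
    """The pattern described above: JSON-encode, then wrap in single quotes.
    json.dumps escapes double quotes but not single quotes, so a value that
    contains one terminates the quoted region early."""
    return "'" + json.dumps(values) + "'"


def safe_shell_arg(values):
    """shlex.quote splices embedded single quotes as '"'"' and plays the same
    role as PHP's escapeshellarg()."""
    return shlex.quote(json.dumps(values))


def argv_seen_by_shell(command):
    """Split a command line the way a POSIX shell would, to count arguments."""
    return shlex.split(command)


def demo():
    results, rejected = parse_snmp_walk(SAMPLE_WALK)
    tricky = ["sda", "disk' extra '"]        # constructed value with a single quote
    naive = argv_seen_by_shell("helper " + naive_shell_arg(tricky))
    safe = argv_seen_by_shell("helper " + safe_shell_arg(tricky))
    return {
        "parsed": results,
        "rejected": rejected,
        "naive_argc": len(naive),            # 4: the one JSON argument became three
        "safe_argc": len(safe),              # 2: helper plus one intact argument
        "safe_roundtrip": json.loads(safe[1]) == tricky,
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(key, "->", val)
```

The two halves are independent controls: strict validation of what goes into the array keeps hostile content out of the command in the first place, and shlex.quote (or escapeshellarg() in PHP) makes the quoting correct even when validation is later loosened.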

Although Cacti attempts to sanitize potentially tainted user input by escaping shell metacharacters, command breakouts are possible because newline characters are not removed by the sanitization logic. This allows separate commands to be passed to the RRD tool binary, including commands that invoke functionality such as RRD creation, dump and restoration. The flaw can be exploited using the following steps:

  • Leverage the graph creation or graph template functionality to inject the payload into a vulnerable RRDTool switch, i.e., --right-axis-label. A POST request can be crafted to inject the payload into the graph template functionality.
  • When the RRD tool binary is called to generate graph data for the modified graph, the payload is triggered.

This way CVE-2025-24367 can be exploited and chained to achieve RCE.
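As an added Python illustration of the newline issue (not Cacti's code; the metacharacter list, the label text and the rrdtool graph arguments are constructed for this example), the following models the command text a caller writes to rrdtool's pipe mode (`rrdtool -`, which reads one command per line) and shows why escaping shell metacharacters without rejecting control characters is insufficient, next to a sanitizer that refuses them.

```python
import re

# Constructed list of shell metacharacters for the weak sanitizer modelled
# here; it is not Cacti's actual escaping table.
SHELL_META = set(';&|`$<>"\'\\()')

# Control characters, CR and LF included: none of them belongs in a label.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def escape_metacharacters(value):
    """Weak sanitizer, modelled on the behaviour described above: backslash-
    escapes shell metacharacters but leaves newlines untouched."""
    return "".join("\\" + ch if ch in SHELL_META else ch for ch in value)


def sanitize_rrd_option(value):
    """Hardened sanitizer: refuse any control character before escaping, so
    an option value can never span more than one line of the command stream."""
    if CONTROL_CHARS.search(value):
        raise ValueError("control character in RRDtool option value: %r" % value)
    return escape_metacharacters(value)


def graph_commands(label, sanitizer, output="/tmp/graph.png"):
    """Build the text a Cacti-style caller writes to `rrdtool -` for one
    graph, after passing the user-supplied label through `sanitizer`, and
    split it the way pipe mode does: one command per line. The output path
    and the DEF/LINE1 arguments are constructed placeholders."""
    stream = (
        "graph " + output
        + " --right-axis-label " + sanitizer(label)
        + " DEF:a=/tmp/example.rrd:ds0:AVERAGE LINE1:a#FF0000"
    )
    return [line for line in stream.split("\n") if line.strip()]


def demo():
    # Constructed label that carries an embedded newline.
    label = "Bytes/s\nsecond-line"
    weak = graph_commands(label, escape_metacharacters)
    try:
        graph_commands(label, sanitize_rrd_option)
        hardened = "accepted"
    except ValueError:
        hardened = "rejected"
    return {
        "weak_command_count": len(weak),        # 2: the label split the stream
        "hardened_result": hardened,            # "rejected"
        "clean_label_count": len(graph_commands("Bytes/s", sanitize_rrd_option)),  # 1
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(key, "->", val)
```

The general point, which applies beyond this one switch, is that escaping is only meaningful for the interpreter it targets: backslashes protect against the shell, but rrdtool's line-oriented reader only cares about the newline, so the value has to be validated against that reader's delimiter too.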

Impact

The impact of CVE-2025-22604 and CVE-2025-24367 can be highly severe, as successful exploitation of these issues leads to RCE, which gives the attacker the ability to write PHP scripts to the web root of the application and to steal, modify and delete sensitive data.

Although the impact of exploitation is severe and the complexity of the attacks is low, the exploitability of the vulnerabilities is not high, as the attacker requires high privileges to carry them out.

Products Affected

These issues affect Cacti versions up to and including 1.2.28.

Solution

These issues are fixed in Cacti versions 1.2.29 and above.

Instantly Fix Risks with SanerNow Patch Management

SanerNow patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. SanerNow patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.