Critical Cacti Vulnerability Enables Remote Code Execution
A significant security flaw has been identified in Cacti, the widely used open-source network monitoring tool. This vulnerability, cataloged as CVE-2025-66399, permits authenticated users to execute arbitrary code remotely, posing a substantial risk to network infrastructures.
Understanding the Vulnerability
Cacti serves as a comprehensive solution for network graphing and monitoring, offering administrators insights into network performance and health. The identified flaw affects all versions up to 1.2.28 and originates from insufficient input validation within the Simple Network Management Protocol (SNMP) device configuration functionality.
The core of the issue lies in the device management interface, specifically within the `host.php` file, where SNMP community strings are processed. When users configure monitoring devices, the application fails to adequately filter control characters, such as newlines, from the `snmp_community` field.
Technical Breakdown
The function `get_nfilter_request_var()` retrieves user input without stripping newline characters or validating shell metacharacters. Subsequently, the `form_input_validate()` function employs an empty regex pattern, effectively disabling filtering mechanisms.
This oversight allows malicious actors to inject newline-separated commands that are stored directly in the database. When Cacti executes backend SNMP operations, the SNMP tools may interpret these newline-separated tokens as command boundaries, leading to unintended command execution with the privileges of the Cacti process.
Potential Impact
Exploitation of this vulnerability enables attackers to:
– Modify monitoring data without authorization.
– Execute arbitrary system commands.
– Write unauthorized files.
– Potentially gain full control over the Cacti server.
Given that only low-privileged authenticated access is required, this flaw is particularly concerning in environments where multiple teams manage monitoring configurations.
Exploitation Details
According to the Cacti advisory, attackers can embed bash commands within the SNMP community field. This technique can establish reverse shells to external servers, effectively granting complete control over the monitoring system.
The severity of this vulnerability is heightened by Cacti's integration with critical network infrastructure: the monitoring server frequently holds elevated access to the devices it manages, so compromising it can reach well beyond the Cacti host itself.
Mitigation Measures
Administrators are strongly advised to upgrade to Cacti version 1.2.29, which addresses this input validation issue. For organizations unable to apply the patch immediately, it is recommended to:
– Restrict access to the device configuration interface.
– Audit existing SNMP community strings for any anomalous content.
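The two interim controls above, rejecting control characters and shell metacharacters in the `snmp_community` field before it is stored and auditing the strings already in the database, can be expressed as one small standalone check. The following Python is an added example written for this article, not code from the Cacti project (whose fix lives in its PHP input handling). The character policy, the `validate_community` and `audit_communities` helpers, the `host` table and column names mentioned in the comment, and the sample rows are all assumptions constructed here for illustration.

```python
from __future__ import annotations

import re
from typing import Iterable, NamedTuple

# C0 control characters (including \n and \r) and DEL. These are the class of
# input the advisory describes: newline-separated tokens smuggled into a field
# that later reaches external SNMP tools.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

# Characters that carry meaning to a POSIX shell if the string is ever
# interpolated into a command line. Whitespace is included deliberately.
SHELL_META = re.compile(r"""[;&|`$<>(){}\[\]*?!\\'"\s]""")

# Allow-list for whatever remains. SNMP itself permits any octet in a community
# string, so this policy is intentionally stricter than the protocol.
ALLOWED = re.compile(r"^[A-Za-z0-9._@#%+=:,/\-]{1,64}$")


def validate_community(value: str) -> tuple[bool, str]:
    """Return (accepted, reason). Checks run most-specific first so the
    reason reported to an operator names the actual problem."""
    if not value:
        return False, "empty"
    if CONTROL_CHARS.search(value):
        return False, "control character"
    if SHELL_META.search(value):
        return False, "shell metacharacter"
    if not ALLOWED.fullmatch(value):
        return False, "character outside allow-list or too long"
    return True, "ok"


class Finding(NamedTuple):
    hostname: str
    reason: str
    escaped: str  # repr() rendering so \r, \n and friends are visible in a report


def audit_communities(rows: Iterable[tuple[str, str]]) -> list[Finding]:
    """Scan (hostname, snmp_community) pairs and report those failing validation.

    In a real deployment the rows would be read from Cacti's database, for
    example with SELECT hostname, snmp_community FROM host; the table and
    hostname column names are assumed here, only snmp_community is from the
    advisory text.
    """
    findings: list[Finding] = []
    for hostname, community in rows:
        ok, reason = validate_community(community)
        if not ok:
            findings.append(Finding(hostname, reason, repr(community)))
    return findings


# Constructed sample rows standing in for database output (not real data).
SAMPLE_ROWS = [
    ("core-sw-01", "public"),
    ("edge-rtr-02", "r0-m0n1tor.2024"),
    ("lab-host-03", "public\r\nextra-token"),  # embedded CR/LF: the advisory's case
    ("dmz-fw-04", "pub&lic"),                   # shell metacharacter, no control char
    ("wan-rtr-05", "pub lic"),                  # whitespace would also split a command line
]


def main() -> None:
    for f in audit_communities(SAMPLE_ROWS):
        print(f"{f.hostname}: {f.reason}: {f.escaped}")


if __name__ == "__main__":
    main()
```

Run against the sample rows the audit flags `lab-host-03`, `dmz-fw-04` and `wan-rtr-05` and passes the two clean entries. The same `validate_community` check is what a front-end or API gateway would apply on write, so a string that fails the audit could never have been stored in the first place.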
Broader Context
Command injection vulnerabilities are not unique to Cacti. Similar issues have been identified in other network management tools:
– Palo Alto Networks PAN-OS: A high-severity command injection vulnerability (CVE-2024-8686) was disclosed, allowing authenticated administrators to execute arbitrary code with root privileges on the firewall.
– SonicWall SMA100: An OS command injection vulnerability (CVE-2023-44221) was actively exploited, enabling remote authenticated attackers with administrative privileges to inject arbitrary commands.
– N-able N-Central: Two critical vulnerabilities (CVE-2025-8875 and CVE-2025-8876) were exploited, allowing remote code execution through deserialization and command injection attacks.
These instances underscore the critical importance of regular security assessments and prompt patch management in network monitoring tools.
Conclusion
The discovery of CVE-2025-66399 in Cacti highlights the ongoing challenges in securing network monitoring systems. Administrators must remain vigilant, ensuring timely updates and implementing robust security practices to safeguard their infrastructures against such vulnerabilities.