Cacti Vulnerability CVE-2025-66399 Allows Remote Code Execution in Network Monitoring Tool

Critical Cacti Vulnerability Enables Remote Code Execution

A significant security flaw has been identified in Cacti, the widely utilized open-source network monitoring tool. This vulnerability, designated as CVE-2025-66399, permits authenticated users to execute arbitrary code remotely, posing a substantial risk to network infrastructures.

Understanding the Vulnerability

Cacti serves as a comprehensive solution for network graphing and monitoring, offering administrators insights into network performance and health. The identified vulnerability affects all versions up to 1.2.28 and originates from insufficient input validation within the SNMP (Simple Network Management Protocol) device configuration functionality.

The core issue lies in the device management interface, specifically in `host.php`, where SNMP community strings are processed. During device configuration the application does not adequately filter control characters, such as newlines, from the `snmp_community` field: the function `get_nfilter_request_var()` retrieves the user input without stripping newline characters or validating shell metacharacters.

The `form_input_validate()` call that follows uses an empty regular-expression pattern, so no filtering is applied at all. As a result, a malicious user can inject newline-separated commands that are stored directly in the database. When Cacti later performs backend SNMP operations using the stored community string, the injected commands can be executed with the privileges of the Cacti process, leading to unauthorized command execution.

Potential Impact

Exploitation of this vulnerability enables attackers to execute system-level commands with the same privileges as the Cacti monitoring process. This can result in:

– Unauthorized Modification of Monitoring Data: Attackers can alter network monitoring information, leading to inaccurate reporting and potential mismanagement of network resources.

– Execution of Arbitrary System Commands: Malicious actors can run commands that may disrupt services, delete critical files, or install unauthorized software.

– Full Compromise of the Cacti Server: In severe cases, attackers could gain complete control over the server hosting Cacti, allowing them to pivot to other parts of the network.

The risk is heightened in environments where multiple users manage monitoring configurations, as even low-privileged authenticated users can exploit this flaw.

Proof of Concept

Security researchers have demonstrated that by embedding bash commands within the SNMP community field, attackers can establish reverse shells to external servers. This effectively grants them full control over the monitoring system, underscoring the critical nature of this vulnerability.

Mitigation Measures

To address this security issue, administrators are strongly advised to upgrade to Cacti version 1.2.29, which includes proper input validation for SNMP community strings. For organizations unable to apply the patch immediately, the following interim measures are recommended:

– Restrict Access: Limit access to the device configuration interface to trusted personnel only.

– Audit SNMP Community Strings: Review existing SNMP community strings for any anomalous or unauthorized content.

– Monitor System Logs: Regularly check system logs for unusual activities that may indicate exploitation attempts.
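As an added illustration (not Cacti's own code), the following Python helper applies the control-character and shell-metacharacter check the article says is missing, and runs it as an audit over rows shaped like Cacti's host table. The row shape, the exact character lists and the allow-list rule are assumptions; the sample rows are constructed.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Characters that should never reach a backend process inside an SNMP community
# string. Newline is the vector the advisory describes; the other control
# characters and the shell metacharacters below are a defensive superset (assumption).
SHELL_METACHARS = set(';&|`$<>(){}\\"\'')


def _has_control_char(value: str) -> bool:
    # ASCII 0x00-0x1f (includes \n and \r) and DEL
    return any(ord(c) < 0x20 or ord(c) == 0x7F for c in value)


def classify(value: str) -> Optional[str]:
    """Return a reason string if the community string looks tampered with, else None."""
    if _has_control_char(value):
        return "control character (e.g. newline) present"
    if any(c in SHELL_METACHARS for c in value):
        return "shell metacharacter present"
    return None


def is_safe_community_string(value: str) -> bool:
    """Conservative allow-list a hardened form validator could apply before storing
    the field (assumption: the fixed Cacti release may use a different rule)."""
    return value != "" and classify(value) is None


@dataclass
class Finding:
    host_id: int
    reason: str


def audit_community_strings(rows: Iterable[Tuple[int, Optional[str]]]) -> List[Finding]:
    """rows: (host id, snmp_community) pairs as exported from the host table."""
    findings = []
    for host_id, community in rows:
        reason = classify(community or "")
        if reason:
            findings.append(Finding(host_id, reason))
    return findings


# Constructed sample rows, not real data.
SAMPLE_ROWS = [
    (1, "public"),
    (2, "monitoring-ro"),
    (3, "public\nCONSTRUCTED_INJECTED_LINE"),
    (4, "private; CONSTRUCTED"),
]

if __name__ == "__main__":
    for f in audit_community_strings(SAMPLE_ROWS):
        print(f"host {f.host_id}: {f.reason}")
```

Run it against an export of the `snmp_community` column to implement the audit step above; any finding on an upgraded-but-previously-exposed instance deserves an incident review, not just a string fix.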

Conclusion

The discovery of CVE-2025-66399 in Cacti highlights the importance of rigorous input validation and prompt patch management in network monitoring tools. Administrators must take immediate action to secure their systems against potential exploitation, ensuring the integrity and reliability of their network monitoring infrastructure.