Cyber Posture

CVE-2025-22604

Critical · Public PoC

Published: 27 January 2025
Modified: 03 November 2025
KEV Added: (not listed)
Patch: commit c7e4ee798d263a3209ae6e7ba182c7b65284d8f0 (see Security Summary)
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.7049 (98.7th percentile)
Risk Priority: 60 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Cacti is an open source performance and fault management framework. Due to a flaw in the multi-line SNMP result parser, authenticated users can inject malformed OIDs into the response. When processed by ss_net_snmp_disk_io() or ss_net_snmp_disk_bytes(), a part of each OID is used as a key in an array that is used as part of a system command, causing a command execution vulnerability. This vulnerability is fixed in 1.2.29.

Security Summary

CVE-2025-22604 is a command injection vulnerability (CWE-78) in Cacti, an open source performance and fault management framework. The flaw stems from improper handling in the multi-line SNMP result parser, where authenticated users can inject malformed Object Identifiers (OIDs) into SNMP responses. These OIDs are processed by the ss_net_snmp_disk_io() or ss_net_snmp_disk_bytes() functions, which use a portion of each OID as a key in an array incorporated into a system command, enabling arbitrary command execution. The vulnerability affects Cacti versions prior to 1.2.29 and carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

An attacker with high-privilege authenticated access to the Cacti instance can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By crafting and injecting malformed OIDs via SNMP responses, the attacker tricks the parser into constructing and executing arbitrary system commands on the underlying host. Successful exploitation grants full control over the system, including high confidentiality, integrity, and availability impacts, with a changed scope that may propagate effects beyond the vulnerable component.

Official advisories recommend updating to Cacti version 1.2.29, which includes a fix via commit c7e4ee798d263a3209ae6e7ba182c7b65284d8f0. The GitHub Security Advisory (GHSA-c5j8-jxj3-hh36) details the issue and patch, while Debian LTS announcements address backported fixes for affected distributions. No workarounds are specified beyond applying the update.

Details

CWE(s): CWE-78 (Improper Neutralization of Special Elements used in an OS Command, 'OS Command Injection')

Affected Products

Vendor: cacti
Product: cacti
Versions: ≤ 1.2.29

References