Introductory Paragraph: In this post we look at CVE-2025-22604, a command injection vulnerability in Cacti, the open-source performance and fault management framework. The flaw sits in the multi-line SNMP result parser: authenticated users can inject malformed OIDs into an SNMP response, and those OIDs reach a system command without validation or quoting. We walk through the exploit details, give an illustrative code snippet, and describe the fix shipped in Cacti 1.2.29.
Background: Cacti is an open-source network monitoring and graphing tool that lets administrators collect data from sources such as SNMP and visualize performance metrics. Because it polls devices on the administrator's behalf and runs helper scripts to do so, a flaw in how it handles poller results, such as CVE-2025-22604, puts the monitoring host itself at risk. Reference: Cacti Homepage
Exploit Details: The root cause is in the multi-line SNMP result parser. When a value in an SNMP response spans several lines, the parser has to decide which lines begin a new OID/value record; it gets this wrong, so an authenticated user can cause a malformed OID to appear in the parsed response. ss_net_snmp_disk_io() and ss_net_snmp_disk_bytes() then take a part of each OID as a key in an array, and that key is concatenated into a system command without being validated or quoted. Because the OID fragment can carry shell metacharacters, whoever controls the SNMP response controls part of the command line, which is a command injection on the Cacti host.
Code Snippet: The following sketch (simplified; it is not Cacti's actual source) shows the shape of a malformed OID and how the two vulnerable functions interpolate it into an snmpget command line. Note that nothing quotes or validates the OID before it reaches the shell.
<?php
// Illustrative sketch, not Cacti's source: an OID whose tail carries shell
// metacharacters. Single quotes keep ${IFS} literal for the shell instead of
// letting PHP interpolate an (undefined) $IFS variable.
$injected_payload = 'id'; // placeholder for the attacker-chosen command
$malformed_oid = 'iso.3.6.1.4.1.2021.9.1.100${IFS}1.9.1.11;' . $injected_payload . ';';

// ss_net_snmp_disk_io(): the OID is interpolated into the command unquoted
function ss_net_snmp_disk_io($hostname, $snmp_community, $malformed_oid) {
    // ... (remaining arguments and setup elided)
    $payload = "snmpget -t 2 -r 5 -m '' -v 1 -O qv -c $snmp_community $hostname $malformed_oid";
    // ...
    return $payload;
}

// ss_net_snmp_disk_bytes(): same construction, same flaw
function ss_net_snmp_disk_bytes($hostname, $snmp_community, $malformed_oid) {
    // ... (remaining arguments and setup elided)
    $payload = "snmpget -t 2 -r 5 -m '' -v 1 -O qv -c $snmp_community $hostname $malformed_oid";
    // ...
    return $payload;
}
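To show the mechanism end to end, here is an added example in PHP (Cacti's language). It is not Cacti's code and does not reproduce the upstream patch: it pairs a reduced multi-line walk parser in the flawed shape with a strict one, and the command builder that consumes the parsed OIDs, vulnerable beside hardened. The function names, the OIDs and the sample walk output are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added example, not Cacti's own code. It reduces the bug described above to
// its two halves: a multi-line SNMP result parser that accepts a line smuggled
// inside a value as a new OID, and a consumer that splices the tail of that OID
// into a shell command. Function names, the OIDs and the sample walk output are
// assumptions made for this example.

// Constructed snmpwalk-style output. Row 3 has a multi-line string value whose
// second line is attacker-controlled and shaped like a fresh "OID = value" record.
const SAMPLE_WALK =
      ".1.3.6.1.4.1.2021.13.15.1.1.2.1 = STRING: sda\n"
    . ".1.3.6.1.4.1.2021.13.15.1.1.2.2 = STRING: sdb\n"
    . ".1.3.6.1.4.1.2021.13.15.1.1.2.3 = STRING: harmless first line\n"
    . ".1.3.6.1.4.1.2021.13.15.1.1.2.3;id>/tmp/o; = STRING: smuggled\n";

// True only for a well-formed numeric OID such as .1.3.6.1.4.1.
function isNumericOid(string $oid): bool
{
    return preg_match('/^\.?\d+(\.\d+)*$/', $oid) === 1;
}

// Parse walk output into [oid => value]. With $strict = false this mimics the
// flawed behaviour: any line containing " = " starts a new record, so the
// smuggled line becomes its own OID. With $strict = true a line starts a new
// record only when the text before " = " is a numeric OID; anything else is a
// continuation of the previous value.
function parseWalk(string $output, bool $strict): array
{
    $records = [];
    $current = null;
    foreach (explode("\n", rtrim($output, "\n")) as $line) {
        $parts = explode(' = ', $line, 2);
        $startsRecord = count($parts) === 2 && (!$strict || isNumericOid($parts[0]));
        if ($startsRecord) {
            $current = $parts[0];
            $records[$current] = $parts[1];
        } elseif ($current !== null) {
            $records[$current] .= "\n" . $line;
        }
    }
    return $records;
}

// The disk scripts key their arrays by the last OID component (the table row
// index). Nothing here checks that the component is numeric.
function rowIndex(string $oid): string
{
    return substr($oid, strrpos($oid, '.') + 1);
}

// Build the snmpget command that fetches a counter for every row. The vulnerable
// form interpolates the raw index and the raw host/community; the hardened form
// drops non-numeric indexes and passes every argument through escapeshellarg().
function buildDiskIoCommand(string $host, string $community, array $records, bool $hardened): string
{
    $oids = [];
    foreach (array_keys($records) as $oid) {
        $index = rowIndex($oid);
        $target = '.1.3.6.1.4.1.2021.13.15.1.1.3.' . $index;
        if (!$hardened) {
            $oids[] = $target;
        } elseif (ctype_digit($index)) {
            $oids[] = escapeshellarg($target);
        }
        // The hardened branch silently skips a malformed row; logging it is better.
    }
    $base = "snmpget -t 2 -r 5 -m '' -v 1 -O qv -c ";
    if ($hardened) {
        return $base . escapeshellarg($community) . ' ' . escapeshellarg($host) . ' ' . implode(' ', $oids);
    }
    return $base . "$community $host " . implode(' ', $oids);
}

// Vulnerable path: the smuggled record survives parsing and its tail,
// ";id>/tmp/o;", lands on the command line unquoted.
echo buildDiskIoCommand('10.0.0.5', 'public', parseWalk(SAMPLE_WALK, false), false), "\n";

// Hardened path: the smuggled line is folded back into row 3's value, and even a
// malformed key that got through would be rejected by ctype_digit().
echo buildDiskIoCommand('10.0.0.5', 'public', parseWalk(SAMPLE_WALK, true), true), "\n";
```

Run it with php: the first line printed is the snmpget command with `;id>/tmp/o;` spliced in unquoted, the second is the command built only from validated, quoted arguments. The fix that matters most is on the parser side: continuation lines of a value must never be promoted to OIDs. The consumer-side checks (ctype_digit() on the index, escapeshellarg() on every argument) are defence in depth, so that a future parser bug does not reach the shell again.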
Mitigation: The Cacti developers fixed this vulnerability in version 1.2.29; upgrade to 1.2.29 or later as soon as possible. Exploitation requires an authenticated Cacti account, so until the upgrade is done, review which accounts exist and who holds them. Cacti Changelog (1.2.29)
Wrapping Up: In this post we discussed CVE-2025-22604 in Cacti, a command injection reachable through malformed OIDs in a multi-line SNMP response, and its potential impact. We gave a code sketch of the exploit path and named the vulnerable functions, ss_net_snmp_disk_io() and ss_net_snmp_disk_bytes(). Cacti users should prioritize updating their installations to version 1.2.29 or later.
Timeline
Published on: 01/27/2025 17:15:17 UTC