A critical security flaw has been disclosed in the Cacti open-source network monitoring and fault management framework that could allow an authenticated attacker to achieve remote code execution on susceptible instances.
The flaw, tracked as CVE-2025-22604, carries a CVSS score of 9.1 out of a maximum of 10.0.
“Due to a flaw in the multi-line SNMP result parser, authenticated users can inject malformed OIDs in the response,” the project maintainers said in an advisory released this week.
“When processed by ss_net_snmp_disk_io() or ss_net_snmp_disk_bytes(), a part of each OID will be used as a key in an array that is used as part of a system command, causing a command execution vulnerability.”
Successful exploitation of the vulnerability could permit an authenticated user with device management permissions to execute arbitrary code in the server, and steal, edit, or delete sensitive data.
CVE-2025-22604 affects all versions of the software prior to and including 1.2.28. It has been addressed in version 1.2.29. A security researcher who goes by the online alias u32i has been credited with discovering and reporting the flaw.
Also addressed in the latest version is CVE-2025-24367 (CVSS score: 7.2), which could permit an authenticated attacker to create arbitrary PHP scripts in the web root of the application by abusing the graph creation and graph template functionality, leading to remote code execution.
With security vulnerabilities in Cacti having come under active exploitation in the past, organizations relying on the software for network monitoring should prioritize applying the necessary patches to mitigate the risk of compromise.
