Cacti Command Injection Vulnerability Let Attackers Execute Malicious Code Remotely


A high-severity command injection vulnerability in the open-source network monitoring tool Cacti allows authenticated attackers to execute arbitrary commands on the server remotely, potentially compromising the entire monitoring infrastructure.

The flaw, tracked as CVE-2025-66399, affects all versions up to 1.2.28 and stems from inadequate input validation in the SNMP device configuration functionality.

The vulnerability resides in the device management interface (host.php), where SNMP community strings are processed.

Flaw Allows Remote Execution of Arbitrary Commands

When authenticated users configure monitoring devices, the application fails to filter control characters, including newlines, from the snmp_community field.

The get_nfilter_request_var() function retrieves user input without stripping newline characters or validating shell metacharacters.

Detail            Data
CVE ID            CVE-2025-66399
Affected Product  Cacti (PHP-based network monitoring)
CVSS Severity     High
CWE Category      CWE-20: Improper Input Validation
Attack Vector     Network-based, requires authentication

The subsequent form_input_validate() call uses an empty regex pattern that intentionally turns off filtering.


Because validation is effectively disabled, an attacker can submit a community string containing newline-separated commands, and the value is stored verbatim in the database.

When Cacti later runs backend SNMP operations, downstream SNMP tooling may treat the newline-separated tokens as command boundaries, triggering unintended command execution. Successful exploitation therefore lets an attacker run system-level commands with the same privileges as the Cacti monitoring process.

Under typical deployment scenarios, this can lead to unauthorized modification of monitoring data, execution of arbitrary system commands, unauthorized file writes, and potentially full compromise of the Cacti server.

The attack requires only low-privileged authenticated access, making it particularly dangerous in multi-user environments where different teams manage monitoring configurations.

According to the Cacti advisory, which includes a proof of concept, attackers can embed bash commands within the SNMP community field to establish a reverse shell to an external server, effectively granting complete control over the monitoring system.

The vulnerability is especially concerning because Cacti often integrates with critical network infrastructure and may have elevated access to managed devices.

Administrators should immediately upgrade to Cacti version 1.2.29, which implements proper input validation for SNMP community strings.

Organizations unable to patch promptly should restrict access to the device configuration interface and audit existing SNMP community strings for anomalous content, in particular newlines, carriage returns, and shell metacharacters.
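The following Python script is an added example, not code from Cacti or from the advisory. It illustrates both points made above: why a newline stored inside a community string becomes a command boundary for downstream tooling, and how to audit stored community strings before patching. The allowlist pattern is an assumption made here for illustration (real deployments may legitimately use other characters), and the sample rows are constructed; in a real audit you would feed it the `id`, `description` and `snmp_community` columns of the Cacti `host` table (assumed schema).

```python
import re

# Conservative allowlist for SNMP community strings. This is an assumption
# made for this example, not Cacti's own rule: printable ASCII, no whitespace,
# no shell metacharacters, at most 64 characters.
COMMUNITY_ALLOWED = re.compile(r"^[A-Za-z0-9_.@#%+=:-]{1,64}$")

# Characters a shell treats as command separators, redirections or expansions.
SHELL_METACHARS = set("\n\r;|&$`<>()")


def is_safe_community(value: str) -> bool:
    """Return True only if the community string matches the allowlist."""
    return COMMUNITY_ALLOWED.fullmatch(value) is not None


def injected_lines(value: str) -> list:
    """Split a stored value the way a tool that treats newlines as
    record/command boundaries would see it: the first line is the community
    string the operator intended, every further line is attacker-controlled."""
    return value.replace("\r\n", "\n").replace("\r", "\n").split("\n")


def audit_communities(rows):
    """rows: iterable of (host_id, description, snmp_community) tuples.
    Returns a list of (host_id, description, reason) for suspicious entries."""
    findings = []
    for host_id, description, community in rows:
        if not community:
            continue  # empty community (e.g. SNMPv3-only hosts) is not a finding
        bad = sorted({c for c in community
                      if c in SHELL_METACHARS or ord(c) < 32 or ord(c) == 127})
        if bad:
            findings.append((host_id, description,
                             "control/shell characters: " + repr("".join(bad))))
        elif not is_safe_community(community):
            findings.append((host_id, description, "outside allowlist"))
    return findings


# Constructed sample data standing in for rows pulled from the Cacti host table.
# Row 3 is what a stored malicious community string would look like.
SAMPLE_ROWS = [
    (1, "core-switch-1", "public"),
    (2, "edge-router", "s3cr3t-RO"),
    (3, "rogue-entry", "public\nid; uname -a"),
    (4, "odd-entry", "comm unity"),
    (5, "v3-host", ""),
]

if __name__ == "__main__":
    for host_id, desc, reason in audit_communities(SAMPLE_ROWS):
        print(f"host {host_id} ({desc}): {reason}")
    print(injected_lines(SAMPLE_ROWS[2][2]))
```

To run it against a live instance, export the three columns from the database (for example with `mysql` against the `host` table, assumed schema) and pass them to `audit_communities()`. Any row reported with control or shell characters should be treated as a potential indicator of compromise, not merely a configuration error, because the value was stored through the unvalidated path described above.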
