A high-severity vulnerability in Cacti, tracked as CVE-2025-22604, has been identified, allowing authenticated users to execute remote code. This flaw, with a CVSS score of 7.2, arises from a weakness in the multi-line SNMP result parser, where malformed Object Identifiers (OIDs) can be injected into responses. These malformed OIDs, when processed by functions such as `ss_net_snmp_disk_io()` or `ss_net_snmp_disk_bytes()`, are used as keys in an array, potentially leading to remote code execution.
The vulnerability, published on January 27, 2025, is classified under CWE-78, indicating an improper neutralization of special elements used in an OS command. The Exploit Prediction Scoring System (EPSS) rates this flaw at 0.722, suggesting a significant likelihood of exploitation. A proof-of-concept (PoC) exploit is already available, highlighting the urgency for organizations using Cacti to address this issue promptly.
Cacti, an open-source performance and fault management framework, is widely used for network monitoring. The presence of this vulnerability poses a substantial risk, as it could allow attackers with authenticated access to execute arbitrary commands on the server, potentially compromising the entire network infrastructure.
Organizations using Cacti should prioritize patching this vulnerability to mitigate potential exploitation. While the Security Severity Vulnerability Classification (SSVC) suggests tracking this issue, the availability of a PoC and the relatively short time-to-exploit (TTE) of 46.3 days underscore the need for immediate action. Administrators are advised to review their access controls and ensure that only trusted users have authentication credentials to minimize the risk of exploitation.
CSURFACE