CVE-2025-22604

critical

Description

Cacti is an open source performance and fault management framework. Due to a flaw in multi-line SNMP result parser, authenticated users can inject malformed OIDs in the response. When processed by ss_net_snmp_disk_io() or ss_net_snmp_disk_bytes(), a part of each OID will be used as a key in an array that is used as part of a system command, causing a command execution vulnerability. This vulnerability is fixed in 1.2.29.

References

https://thehackernews.com/2025/01/critical-cacti-security-flaw-cve-2025.html

https://github.com/Cacti/cacti/security/advisories/GHSA-c5j8-jxj3-hh36

https://github.com/Cacti/cacti/commit/c7e4ee798d263a3209ae6e7ba182c7b65284d8f0

Details

Source: Mitre, NVD

Published: 2025-01-27

Updated: 2025-01-27

Risk Information

CVSS v2

Base Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:M/C:C/I:C/A:C

Severity: High

CVSS v3

Base Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Severity: Critical