Wednesday, February 19, 2025
HomeCVE/vulnerabilityPoC Exploit Released for Critical Cacti Vulnerability Let Attackers Code Remotely

PoC Exploit Released for Critical Cacti Vulnerability Let Attackers Code Remotely

Published on

SIEM as a Service

Follow Us on Google News

A critical vulnerability in the Cacti performance monitoring framework tracked as CVE-2025-22604, has been disclosed, with a proof-of-concept (PoC) exploit now publicly available.

This vulnerability allows authenticated users with device management permissions to execute arbitrary code on the server by exploiting a multi-line SNMP result parser flaw.

The vulnerability has been rated as critical with a CVSS score of 10.

Technical Details

The vulnerability resides in how Cacti processes SNMP responses:

  1. SNMP Response Parsing: The cacti_snmp_walk() function uses exec_into_array() to process multi-line SNMP results into an array. Malformed Object Identifiers (OIDs) can be injected into these responses.
  2. Command Injection: The functions ss_net_snmp_disk_io() and ss_net_snmp_disk_bytes() use parts of these OIDs as keys in an array, which are later incorporated into system commands. Improper filtering of OIDs enables attackers to inject malicious commands.
  3. Shell Command Execution: The JSON-encoded data is passed to a shell command using shell_exec(), where improper quoting allows attackers to break out and execute arbitrary commands.

Integrating Application Security into Your CI/CD Workflows Using Jenkins & Jira -> Free Webinar

PoC Exploit

Below is the step-by-step process for exploiting the vulnerability:

  1. Start an SNMP agent to send the payload.
  2. Change the “Local Linux Machine” device port in Cacti to your agent’s port.
  3. Add the “Net-SNMP – Combined SCSI Disk I/O” graph template to the device if it’s not already present.
  4. Navigate to the graph tree and select “Local Linux Machine.”
  5. Click “View in Realtime” under the “Combine SCSI Disk I/O” graph.
PoC Exploit
PoC Exploit

As per a report by Github, this sequence exploits the vulnerability by injecting malicious OIDs into SNMP responses, which are then executed on the server.

Code Example

Below is a simplified PoC code snippet that demonstrates how an attacker can exploit this vulnerability:

<?php
// Malicious SNMP agent payload
$payload = '1.3.6.1.4.1.x.x.x = STRING: "; /bin/bash -c \'echo hacked > /tmp/hacked\' ;"';
// Start SNMP agent
exec("snmptrap -v 2c -c public localhost '' $payload");
// Configure Cacti to point to malicious agent
$cacti_url = "http://target-cacti-instance";
$device_id = 1; // Replace with actual device ID
$snmp_port = 161; // Replace with malicious agent's port
// Update device configuration
exec("curl -X POST $cacti_url/device.php -d 'id=$device_id&snmp_port=$snmp_port'");
// Trigger the exploit
exec("curl $cacti_url/graph_realtime.php?device_id=$device_id");
?>

This vulnerability allows attackers to:

  • Execute arbitrary commands on the server.
  • Steal, modify, or delete sensitive data.
  • Compromise the entire system hosting Cacti.

To protect against this critical flaw:

  • Update Immediately: Upgrade to Cacti version 1.2.29 or later, which includes a patch for this issue.
  • Restrict Access: Limit access to trusted users and restrict network access to Cacti instances.
  • Monitor Logs: Regularly inspect logs for unusual activity or malformed SNMP responses.

The release of a PoC exploit for CVE-2025-22604 underscores the importance of timely patching and secure configurations for network monitoring tools like Cacti.

Organizations using vulnerable versions must act swiftly to mitigate potential risks and protect their systems from exploitation.

Collect Threat Intelligence with TI Lookup to improve your company’s security - Get 50 Free Request

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Russian Hackers Target Signal Messenger Users to Steal Sensitive Data

Russian state-aligned threat actors have intensified their efforts to compromise Signal Messenger accounts, targeting...

Hackers Exploit Jarsigner Tool to Deploy XLoader Malware

Security researchers at AhnLab Security Intelligence Center (ASEC) have uncovered a new campaign leveraging...

Hackers Converting Stolen Payment Card Data into Apple & Google Wallets

Cybercriminal groups, primarily based in China, are leveraging advanced phishing techniques and mobile wallet...

Snake Keylogger Targets Chrome, Edge, and Firefox Users in New Attack Campaign

A new variant of the Snake Keylogger, also known as 404 Keylogger, has been...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Russian Hackers Target Signal Messenger Users to Steal Sensitive Data

Russian state-aligned threat actors have intensified their efforts to compromise Signal Messenger accounts, targeting...

Hackers Exploit Jarsigner Tool to Deploy XLoader Malware

Security researchers at AhnLab Security Intelligence Center (ASEC) have uncovered a new campaign leveraging...

Hackers Converting Stolen Payment Card Data into Apple & Google Wallets

Cybercriminal groups, primarily based in China, are leveraging advanced phishing techniques and mobile wallet...