{"id":8953,"date":"2025-12-05T10:03:32","date_gmt":"2025-12-05T10:03:32","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/12\/05\/cacti-command-injection-vulnerability-let-attackers-execute-malicious-code-remotely\/"},"modified":"2025-12-05T10:03:32","modified_gmt":"2025-12-05T10:03:32","slug":"cacti-command-injection-vulnerability-let-attackers-execute-malicious-code-remotely","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/12\/05\/cacti-command-injection-vulnerability-let-attackers-execute-malicious-code-remotely\/","title":{"rendered":"Cacti Command Injection Vulnerability Let Attackers Execute Malicious Code Remotely"},"content":{"rendered":"<p>    Cacti Command Injection Vulnerability Let Attackers Execute Malicious Code Remotely<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n    <!-- no image --><br \/>\n \t<BR><br \/>\n<BR><\/BR><\/p>\n<div>\n<p>A critical command injection vulnerability in the open-source network monitoring tool Cacti allows authenticated attackers to execute arbitrary code remotely, potentially compromising the entire monitoring infrastructure.<\/p>\n<p>The flaw, tracked as CVE-2025-66399, affects all versions up to 1.2.28 and stems from inadequate input validation in the <a href=\"https:\/\/cybersecuritynews.com\/cisco-ios-and-ios-xe-snmp-vulnerabilities\/\" target=\"_blank\" rel=\"noreferrer noopener\">SNMP<\/a> device configuration functionality.<\/p>\n<p>The vulnerability resides in the device management interface (host.php), where SNMP community strings are processed.<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-flaw-allows-remote-execution-of-arbitrary-commands\"><strong>Flaw Allows Remote Execution of Arbitrary Commands<\/strong><\/h2>\n<p>When authenticated users configure monitoring devices, the application fails to filter control characters, including newlines, from the snmp_community field.<\/p>\n<p>The get_nfilter_request_var() function retrieves user input without stripping newline characters or validating shell metacharacters.<\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th class=\"has-text-align-left\" data-align=\"left\">Detail<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Data<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\"><strong>CVE ID<\/strong><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">CVE-2025-66399<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\"><strong>Affected Product<\/strong><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Cacti (PHP-based network monitoring)<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\"><strong>CVSS Severity<\/strong><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">High<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\"><strong>CWE Category<\/strong><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">CWE-20: Improper Input Validation<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\"><strong>Attack Vector<\/strong><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Network-based, requires authentication<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p>The subsequent form_input_validate() call uses an empty regex pattern that intentionally turns off filtering.<\/p>\n<p>This sanitization bypass allows malicious actors to inject newline-separated commands that are stored verbatim in the database.<\/p>\n<p>When Cacti later executes backend SNMP operations, downstream SNMP tooling may interpret these newline-separated tokens as command boundaries.<\/p>\n<p>Triggering unintended command execution with the privileges of the Cacti process. Successful exploitation enables attackers to execute system-level commands with the <span style=\"box-sizing: border-box; margin: 0px; padding: 0px;\">same\u00a0privileges<\/span> as the Cacti monitoring process.<\/p>\n<p>Under typical deployment scenarios, this can lead to unauthorized modification of monitoring data.<\/p>\n<p>Execution of arbitrary system commands, unauthorized file writes, and potential full compromise of the Cacti server.<\/p>\n<p>The attack requires only low-privileged authenticated access, making it particularly dangerous in multi-user environments where different teams manage monitoring configurations.<\/p>\n<p>According to the Cacti <a href=\"https:\/\/github.com\/Cacti\/cacti\/security\/advisories\/GHSA-c7rr-2h93-7gjf\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">advisory<\/a> with PoC, attackers can embed bash commands within the SNMP community field. This establishes reverse shells to external servers, effectively granting complete control over the monitoring system.<\/p>\n<p>The vulnerability is especially concerning because Cacti often integrates with critical network infrastructure and may have elevated access to managed devices.<\/p>\n<p>Administrators should immediately upgrade to Cacti version 1.2.29, which implements proper input validation for SNMP community strings.<\/p>\n<p>Organizations unable to patch promptly should restrict access to the device configuration interface and audit existing SNMP community strings for anomalous content.<\/p>\n<p class=\"has-text-align-center has-background\" style=\"background:linear-gradient(180deg,rgb(238,238,238) 94%,rgb(169,184,195) 100%)\"><strong>Follow us on <a href=\"https:\/\/news.google.com\/publications\/CAAqMggKIixDQklTR3dnTWFoY0tGV041WW1WeWMyVmpkWEpwZEhsdVpYZHpMbU52YlNnQVAB?hl=en-IN&amp;gl=IN&amp;ceid=IN:en\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Google News<\/a>, <a href=\"https:\/\/www.linkedin.com\/company\/cybersecurity-news\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">LinkedIn<\/a>, and <a href=\"https:\/\/x.com\/cyber_press_org\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">X<\/a> for daily cybersecurity updates. <a href=\"https:\/\/cybersecuritynews.com\/contact-us\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Contact us<\/a> to feature your stories.<\/strong><\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/cacti-command-injection-vulnerability\/\">Cacti Command Injection Vulnerability Let Attackers Execute Malicious Code Remotely<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><br \/>\n    Abinaya<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/cacti-command-injection-vulnerability\/\">Go to cyber-security-news<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cacti Command Injection Vulnerability Let Attackers Execute Malicious Code Remotely A critical command injection vulnerability in the open-source network monitoring tool Cacti allows authenticated attackers to execute arbitrary code remotely, potentially compromising the entire monitoring infrastructure. The flaw, tracked as CVE-2025-66399, affects all versions up to 1.2.28 and stems from inadequate input validation in the [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,131,648],"tags":[130],"class_list":["post-8953","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-vulnerability","category-vulnerability-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/8953"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=8953"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/8953\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=8953"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=8953"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=8953"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}