CVE-2025-22604 — AI Deep Analysis Summary

🚨 **Essence**: Cacti suffers from **OS Command Injection** via flawed SNMP result parsing. 📉 **Consequences**: Attackers can inject malformed OIDs to execute arbitrary system commands.…

🛡️ **CWE**: CWE-78 (OS Command Injection). 🔍 **Flaw**: The multi-line SNMP result parser is defective. It fails to sanitize inputs, allowing malicious payloads to slip through as valid SNMP responses.

🏢 **Vendor**: Cacti Team. 📦 **Product**: Cacti (Open-source network traffic monitoring tool). ⚠️ **Affected**: All versions prior to the fix. Uses SNMPget & RRDtool for data analysis.

💀 **Privileges**: The attacker gains the **same privileges** as the Cacti service account. 📂 **Data**: Can read/write any file accessible to that user.…

🔐 **Auth Required**: YES. ⚖️ **Level**: High (PR:H). 🚫 **UI**: None required (UI:N). 👤 **User**: Must be an **authenticated user** within the Cacti application to trigger the injection via SNMP responses.

🔓 **Exploit Available**: YES. 📂 **PoC**: Publicly available on GitHub (CVE-2025-22604-Cacti-RCE). 🌍 **Status**: Wild exploitation is possible since the proof-of-concept is live.

🔍 **Check**: Scan for Cacti instances. 📡 **Test**: Attempt to inject malformed OIDs in SNMP responses if you have valid credentials. 📋 **Verify**: Check if the system parses multi-line SNMP outputs without sanitization.

✅ **Fixed**: YES. 📅 **Date**: Published Jan 27, 2025. 🛠️ **Patch**: Update Cacti to the latest version. 🔗 **Ref**: See GitHub Security Advisory GHSA-c5j8-jxj3-hh36 for the official fix commit.

🚧 **Workaround**: If patching is delayed, restrict SNMP access strictly. 🔒 **Network**: Block external SNMP traffic. 👤 **Access Control**: Ensure only trusted, authenticated users can interact with SNMP modules.…

🔥 **Priority**: CRITICAL. 🚀 **Urgency**: HIGH. 📉 **CVSS**: 9.8 (Critical). ⚡ **Action**: Patch immediately. The combination of RCE capability and public PoC makes this an immediate threat to any exposed Cacti instance.