CVE-2025-22604

Name

CVE-2025-22604

Description

Cacti is an open source performance and fault management framework. Due to a flaw in multi-line SNMP result parser, authenticated users can inject malformed OIDs in the response. When processed by ss_net_snmp_disk_io() or ss_net_snmp_disk_bytes(), a part of each OID will be used as a key in an array that is used as part of a system command, causing a command execution vulnerability. This vulnerability is fixed in 1.2.29.

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
MISC	https://github.com/Cacti/cacti/commit/c7e4ee798d263a3209ae6e7ba182c7b65284d8f0
CONFIRM	https://github.com/Cacti/cacti/security/advisories/GHSA-c5j8-jxj3-hh36

CPE URI	Source package	Min version	Max version
	cacti	>= 0	<= 1.2.8
`cpe:2.3:a:cacti:cacti::::::::`	cacti	>= None	< 1.2.29

Source package	Branch	Version	Maintainer	Status
cacti	edge-community	1.2.29-r0	None	fixed
cacti	3.21-community	1.2.29-r0	None	fixed

References

Match rules

Vulnerable and fixed packages