CVE-2025-22604

Critical CVSS: 9.1

Cacti is an open source performance and fault management framework. Due to a flaw in multi-line SNMP result parser, authenticated users can inject malformed OIDs in the response. When processed by ss_net_snmp_disk_io() or ss_net_snmp_disk_bytes(), a part of each OID will be used as a key in an array that is used as part of a system command, causing a command execution vulnerability. This vulnerability is fixed in 1.2.29.

Vendor

Cacti

Product

Cacti

CWE

CWE-78

Yayın Tarihi

2025-01-27 17:15:17

Güncelleme

2025-11-03 21:19:13

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-78 Cacti CRITICAL Cacti 2025

Referanslar

https://github.com/Cacti/cacti/commit/c7e4ee798d263a3209ae6e7ba182c7b65284d8f0 https://github.com/Cacti/cacti/security/advisories/GHSA-c5j8-jxj3-hh36 https://lists.debian.org/debian-lts-announce/2025/02/msg00010.html

Benzer Kayıtlar

High

CVE-2025-66399

Cacti is an open source performance and fault management framework. Prior to 1.2.29, there is an input-validation flaw i…

High

CVE-2005-10004

Cacti versions prior to 0.8.6-d contain a remote command execution vulnerability in the graph_view.php script. An authen…

High

CVE-2025-26520

Cacti through 1.2.29 allows SQL injection in the template function in host_templates.php via the graph_template paramete…

High

CVE-2025-24367

Cacti is an open source performance and fault management framework. An authenticated Cacti user can abuse graph creation…

Medium

CVE-2025-24368

Cacti is an open source performance and fault management framework. Some of the data stored in automation_tree_rules.php…

Medium

CVE-2024-54145

Cacti is an open source performance and fault management framework. Cacti has a SQL injection vulnerability in the get_d…