Command Execution Risk Found in Cacti’s SNMP Handling

A flaw in Cacti’s SNMP handling lets attackers execute arbitrary system commands.

Written by Ken Underhill
Dec 5, 2025

A newly disclosed vulnerability in the open-source Cacti network monitoring platform allows authenticated users to execute arbitrary system commands remotely, putting entire monitoring environments at risk. 

The command injection flaw affects all versions up to 1.2.28 and stems from improper input validation in Cacti’s SNMP device configuration interface. 

The vulnerability “… can lead to unintended command execution with the privileges of the Cacti process,” said Cacti in its advisory.

Cacti’s SNMP Field Vulnerability Explained

The flaw CVE-2025-6639 originates in host.php, the component responsible for handling SNMP community strings when Cacti administrators add or modify monitored devices. 

The vulnerable code path begins with Cacti retrieving user-supplied input through the get_nfilter_request_var() function, which does not strip newline characters, semicolons, pipes, backticks, or other shell metacharacters. 

This oversight already lets dangerous input pass through, and the issue is compounded by a call to form_input_validate() using an empty regex, effectively disabling sanitization altogether.

Because of this double failure, an attacker can embed newline-delimited shell commands inside the SNMP community field. These malicious payloads are then stored unaltered in the Cacti database. 

When Cacti later executes SNMP polling or discovery operations, it constructs backend system commands using these stored values. 

The underlying command-line utilities interpret newline characters as command separators, causing each injected payload to execute as a separate shell command with the privileges of the Cacti process.

Proof-of-concept (PoC) exploits confirm that attackers can inject Bash commands into the SNMP community string to spawn reverse shells, exfiltrate configuration files, create new system users, or drop persistent backdoors. 

In real-life deployments, where Cacti often runs with elevated privileges to access network monitoring tools, successful exploitation may allow attackers to alter monitoring telemetry, plant malicious binaries, pivot through trusted network paths, or take full control of the Cacti server.

Essential Steps to Harden Cacti Deployments

With Cacti’s command injection flaw posing a serious risk to monitoring infrastructure, organizations should move quickly to harden their deployments and reduce exposure. 

  • Update Cacti to version 1.2.29 or later to fully patch the injection flaw.
  • Restrict access to the Cacti device configuration interface to trusted administrative users.
  • Run Cacti under a non-privileged service account and apply strict RBAC to limit modification of device settings.
  • Audit SNMP community strings and Cacti database entries for suspicious or malformed input.
  • Use WAF or server-side input filters to block newline characters and shell metacharacters in SNMP fields.
  • Monitor Cacti child processes, command execution, and outbound network connections for signs of exploitation.
  • Segment Cacti servers from sensitive systems and restrict outbound connectivity to reduce lateral movement and data exfiltration risk.
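As an added illustration of the strict allowlist that the empty-regex form_input_validate() call failed to apply, and of the audit step above: a small Python checker (example code written for this article, not Cacti's own PHP code) that validates SNMP community strings against an assumed allowlist and flags stored host rows containing newlines or shell metacharacters. The host-table rows and the allowlist policy are constructed for the example.

```python
import re
from typing import Iterable, Optional

# Assumed allowlist policy for this example (not Cacti's own rule): printable
# characters commonly used in community strings, no whitespace, no shell
# metacharacters, bounded length. Tighten to local naming conventions.
COMMUNITY_ALLOWED = re.compile(r"^[A-Za-z0-9_.@:#-]{1,64}$")

# Characters the article names as unfiltered (newline, semicolon, pipe,
# backtick) plus the remaining usual shell metacharacters and whitespace.
SHELL_META_CHARS = set("\r\n;|`$&<>(){}\\\"' \t*?!~[]")


def validate_community(value: str) -> bool:
    """Strict allowlist check; this is what an empty regex skips entirely."""
    return bool(COMMUNITY_ALLOWED.fullmatch(value))


def suspicious_fragments(value: str) -> list:
    """Return the distinct offending characters found in a stored value."""
    return sorted({c for c in value if c in SHELL_META_CHARS})


def audit_communities(rows: Iterable[tuple]) -> list:
    """rows: (host_id, hostname, snmp_community) tuples, e.g. exported from
    the Cacti host table. Returns one finding per row failing the allowlist."""
    findings = []
    for host_id, hostname, community in rows:
        if community is None or validate_community(community):
            continue
        findings.append({
            "host_id": host_id,
            "hostname": hostname,
            "bad_chars": suspicious_fragments(community),
            # Newline-delimited values are the shape described in the article.
            "multiline": "\n" in community or "\r" in community,
        })
    return findings


# Constructed sample rows standing in for a Cacti host-table export.
SAMPLE_ROWS = [
    (1, "core-sw1", "public"),
    (2, "edge-fw", "r0-Only_2025"),
    (3, "dist-rtr", "public\necho injected"),   # newline-separated second line
    (4, "lab-host", "comm; id"),                # semicolon command separator
    (5, "noc-srv", None),                       # SNMP not configured
]

if __name__ == "__main__":
    for f in audit_communities(SAMPLE_ROWS):
        print(f"host {f['host_id']} ({f['hostname']}): "
              f"bad chars {f['bad_chars']!r}, multiline={f['multiline']}")
```

Run it against a real export of the host table's community column to find entries that should never have passed validation; a hit warrants treating the host as compromised, not just cleaning the field.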

Together, these steps build cyber resilience by reducing attack pathways and strengthening system integrity.

This vulnerability underscores a long-standing weakness in legacy and open-source network management tools — administrative interfaces often process complex, high-privilege configuration fields that become execution vectors when input validation breaks down. 

As threat actors target monitoring platforms to gain stealth, persistence, and lateral movement opportunities, vulnerabilities like this highlight the need for hardened admin workflows and strict sanitization at every entry point. 

It’s a clear reminder that modern environments require zero-trust controls that assume every input, identity, and system could be compromised. 
