CVE-2025-66399
published 2025-12-02


Priority: P269, high, 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 10.76% (95.3th percentile)
Cacti is an open source performance and fault management framework. Prior to 1.2.29, there is an input-validation flaw in the SNMP device configuration functionality. An authenticated Cacti user can supply crafted SNMP community strings containing control characters (including newlines) that are accepted, stored verbatim in the database, and later embedded into backend SNMP operations. In environments where downstream SNMP tooling or wrappers interpret newline-separated tokens as command boundaries, this can lead to unintended command execution with the privileges of the Cacti process. This vulnerability is fixed in 1.2.29.

Affected

4 ranges
Vendor   Product   Version range                    Fixed in
cacti    cacti     < 1.2.29                         1.2.29
cacti    cacti     >= 0 < 1.2.30+ds1-1              1.2.30+ds1-1
cacti    cacti     >= 0 < 1.2.30+ds1-1              1.2.30+ds1-1
debian   cacti     < cacti 1.2.30+ds1-1 (forky)     cacti 1.2.30+ds1-1 (forky)

Detection & IOCs (extracted from sources)

path: /cacti/host.php
url: github.com/Cacti/cacti/security/advisories/GHSA-c7rr-2h93-7gjf
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Cacti host.php snmp_community Parameter Command Injection Attempt (CVE-2025-66399)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:15; content:"/cacti/host.php"; fast_pattern; http.request_body; content:"snmp_community|3d|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,github.com/Cacti/cacti/security/advisories/GHSA-c7rr-2h93-7gjf; reference:cve,2025-66399; classtype:attempted-admin; sid:2065991; rev:1; metadata:affected_product Cacti, attack_target Web_Server, tls_state plaintext, created_at 2025_12_02, cve CVE_2025_66399, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_12_02, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Detect HTTP POST requests to /cacti/host.php where the request body contains the snmp_community parameter (snmp_community=) followed by a newline or a shell metacharacter that can act as a command separator or expansion: semicolon (;/%3B), newline (\x0a/%0A), backtick (`/%60), pipe (|/%7C), or dollar sign ($/%24).
  • The injection vector is the SNMP community string field in Cacti's device/host configuration. Monitor for crafted SNMP community strings containing newline characters (\n / %0A) or other shell metacharacters being submitted to the backend.
  • The vulnerability requires authentication; prioritize monitoring for anomalous POST activity from authenticated sessions to host.php, especially from accounts with device management privileges.
  • In environments where downstream SNMP tooling or wrappers interpret newline-separated tokens as command boundaries, monitor for unexpected process spawning from the Cacti process after SNMP polling operations.
  • The Snort/Suricata rule carries `tls_state plaintext` metadata, meaning it only fires on unencrypted HTTP traffic. Deployments running Cacti behind HTTPS/TLS without SSL inspection will NOT be covered by this rule.
  • Exploitation requires an authenticated session; unauthenticated access attempts will not trigger this vulnerability. Ensure authentication logs are correlated with any host.php POST detections.
  • The vulnerability is only exploitable if downstream SNMP tooling or wrappers interpret newline-separated tokens as command boundaries. Not all SNMP backend configurations are affected equally.
  • The fix is in Cacti 1.2.29 (upstream) and 1.2.30+ds1-1 (Debian forky/sid/trixie). Debian bookworm and bullseye remain open/unpatched as of the tracker data.
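As an added defender-side illustration (not code from this page, from Cacti, or from the rule's author), the Python below applies the same matching logic as the rule above to a few constructed request samples, and shows the kind of input check that rejects community strings carrying control characters; the request tuples, function names and the validator are assumptions.

```python
import re
from typing import Optional
from urllib.parse import parse_qs

# Characters the advisory and the ET rule single out inside the snmp_community value:
# newline plus the shell separator/expansion metacharacters ; ` | $.
# parse_qs() percent-decodes the body first, so "%0A" and a literal "\n" are treated alike.
SUSPICIOUS = re.compile(r"[;\n`|$]")


def community_string_is_clean(value: str) -> bool:
    """Hardened input check (assumed, not Cacti's own code): reject any ASCII control
    character, the class of input the pre-1.2.29 handler stored verbatim."""
    return not any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value)


def flag_request(method: str, uri: str, body: str) -> Optional[dict]:
    """Return a finding for a POST to /cacti/host.php whose snmp_community parameter
    contains a suspicious character; None for anything else (other URIs, GETs, clean values)."""
    if method != "POST" or uri != "/cacti/host.php":
        return None
    params = parse_qs(body, keep_blank_values=True)
    for value in params.get("snmp_community", []):
        match = SUSPICIOUS.search(value)
        if match:
            return {"uri": uri, "indicator": match.group(0), "value": value}
    return None


def scan(requests: list) -> list:
    """Run flag_request over (method, uri, body) tuples; return (index, finding) pairs."""
    findings = []
    for idx, (method, uri, body) in enumerate(requests):
        finding = flag_request(method, uri, body)
        if finding:
            findings.append((idx, finding))
    return findings


# Constructed sample requests (not real traffic): only index 1 should be flagged.
SAMPLE_REQUESTS = [
    ("POST", "/cacti/host.php", "action=save&snmp_community=public&snmp_version=2"),
    ("POST", "/cacti/host.php", "action=save&snmp_community=public%0Atrailing&snmp_version=2"),
    ("GET", "/cacti/host.php", "snmp_community=public%0Atrailing"),
    ("POST", "/cacti/graph.php", "snmp_community=public%0Atrailing"),
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_REQUESTS):
        print(f"request {idx}: snmp_community contains {finding['indicator']!r}")
    print("clean:", community_string_is_clean("public"), community_string_is_clean("a\nb"))
```

Like the rule, this only sees plaintext request bodies; behind TLS without inspection the check has to live at the application or input-validation layer instead.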

CVSS provenance

Source          Version  Score  Severity  Vector
nvd             v3.1     8.8    HIGH      CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd             v4.0     7.4    HIGH      CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
osv                      7.4    HIGH
vendor_debian            7.4    HIGH