A critical security flaw has been disclosed in the Cacti open-source network monitoring and fault management framework that could allow an authenticated attacker to achieve remote code execution on susceptible instances.
The vulnerability, tracked as CVE-2025-22604, carries a CVSS score of 9.1 out of a maximum of 10.0.
"Due to a flaw in the multi-line SNMP result parser, authenticated users can inject malformed OIDs in the response," the project maintainers said in an advisory released this week.
"When processed by ss_net_snmp_disk_io() or ss_net_snmp_disk_bytes(), a part of each OID will be used as a key in an array that is used as part of a system command, causing a command execution vulnerability."
Successful exploitation could permit an authenticated user with device management permissions to execute arbitrary code on the server and steal, edit, or delete sensitive data.
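The defensive lesson from the advisory is that SNMP output is untrusted input: an OID returned by a device must be validated against a strict allowlist before any part of it is used as an array key or placed into a system command. The following is an added illustration written for this article, not Cacti's own code; it assumes snmpwalk-style "OID = TYPE: value" lines, a constructed sample (including one malformed OID) and a hypothetical snmpget wrapper that builds an argv list rather than a shell string.

```python
import re

# Allowlist: a numeric OID is an optional leading dot followed by dot-separated
# unsigned integers and nothing else. Anything outside this shape is rejected.
OID_RE = re.compile(r"^\.?\d+(?:\.\d+)+$")

# Constructed sample of multi-line SNMP output. The third line carries a
# malformed OID (a smuggled ';' and extra token) of the kind the advisory
# describes; the fourth is simply not in the expected shape.
SAMPLE_OUTPUT = """\
.1.3.6.1.4.1.2021.13.15.1.1.2.1 = STRING: sda
.1.3.6.1.4.1.2021.13.15.1.1.2.2 = STRING: sdb
.1.3.6.1.4.1.2021.13.15.1.1.2.3;id = STRING: sdc
garbage line without separator
"""


def is_safe_oid(oid):
    """True only if the OID matches the numeric allowlist exactly."""
    return OID_RE.fullmatch(oid) is not None


def parse_snmp_lines(text):
    """Return (accepted, rejected).

    accepted maps each validated OID to its value; rejected keeps the raw
    lines whose OID failed the allowlist or that lacked the 'OID = TYPE: value'
    layout, so they can be logged rather than silently used as keys.
    """
    accepted, rejected = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        oid, sep, rest = line.partition(" = ")
        if not sep or not is_safe_oid(oid):
            rejected.append(raw)
            continue
        _type, _, value = rest.partition(": ")
        accepted[oid] = value
    return accepted, rejected


def disk_index(oid):
    """Last OID component as the table index; safe only after validation."""
    if not is_safe_oid(oid):
        raise ValueError("refusing to index on non-numeric OID: %r" % oid)
    return oid.rsplit(".", 1)[1]


def build_snmpget_argv(host, community, oid):
    """Hypothetical wrapper: argv list (no shell), with the OID re-validated."""
    if not is_safe_oid(oid):
        raise ValueError("refusing non-numeric OID: %r" % oid)
    return ["snmpget", "-v2c", "-c", community, host, oid]
```

Rejected lines are returned rather than dropped so the parser can surface a device that is returning malformed OIDs, which is itself worth alerting on.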
CVE-2025-22604 affects all versions of the software prior to and including 1.2.28. It has been addressed in version 1.2.29. A security researcher who goes by the online alias u32i has been credited with discovering and reporting the flaw.
Also addressed in the latest version is CVE-2025-24367 (CVSS score: 7.2), which could allow an authenticated attacker to create arbitrary PHP scripts in the application's web root by abusing the graph creation and graph template functionality, resulting in remote code execution.
With security vulnerabilities in Cacti having been exploited in the wild in the past, organizations that rely on the network monitoring software should apply the necessary patches to mitigate the risk of compromise.