CVE-2025-66399
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-02

Last updated on: 2025-12-05

Assigner: GitHub, Inc.

Description
Cacti is an open source performance and fault management framework. Prior to 1.2.29, there is an input-validation flaw in the SNMP device configuration functionality. An authenticated Cacti user can supply crafted SNMP community strings containing control characters (including newlines) that are accepted, stored verbatim in the database, and later embedded into backend SNMP operations. In environments where downstream SNMP tooling or wrappers interpret newline-separated tokens as command boundaries, this can lead to unintended command execution with the privileges of the Cacti process. This vulnerability is fixed in 1.2.29.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-02
Last Modified
2025-12-05
Generated
2026-06-16
AI Q&A
2025-12-02
EPSS Evaluated
2026-06-15
NVD
CVE-2025-66399
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
cacti cacti 1.2.29
cacti cacti to 1.2.29 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an input-validation flaw in the SNMP device configuration functionality of Cacti versions prior to 1.2.29. An authenticated user can supply specially crafted SNMP community strings containing control characters such as newlines. These strings are stored verbatim in the database and later used in backend SNMP operations. In some environments, where SNMP tools interpret newline-separated tokens as command boundaries, this can lead to unintended command execution with the privileges of the Cacti process.

Impact Analysis

The vulnerability can lead to unintended command execution on the system running Cacti with the privileges of the Cacti process. This means an authenticated user could potentially execute arbitrary commands, which could compromise the system's security and integrity.

Mitigation Strategies

Upgrade Cacti to version 1.2.29 or later, where this input-validation flaw in the SNMP device configuration functionality is fixed. Additionally, review and sanitize SNMP community strings to ensure they do not contain control characters such as newlines that could be interpreted as command boundaries.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66399. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart