#VU118996 Command injection in Cacti - CVE-2025-66399


Published: December 2, 2025


Vulnerability identifier: #VU118996
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2025-66399
CWE-ID: CWE-77
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Cacti
Software vendor:
The Cacti Group, Inc.

Description

The vulnerability allows a remote user to execute arbitrary commands on the system.

The vulnerability exists due to insufficient input validation when handling newline characters in SNMP community strings. A remote user can supply a crafted community string containing control characters (such as a newline) that is accepted without filtering, stored verbatim in the database, and later embedded into backend SNMP operations, where the injected content is interpreted as part of a command.
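The following Python model is an added illustration of the CWE-77 mechanism described above; it is not Cacti code and the advisory does not say which backend SNMP operation is affected. It assumes a backend that interpolates the stored community string into a shell command line (here a hypothetical snmpget invocation) and shows how an embedded newline turns one command into two, beside a hardened version that rejects control characters and passes the value as a single argv element without a shell. The community strings and host are constructed sample data.

```python
import re
import shlex

# Constructed sample inputs (not from the advisory).
SAMPLE_HOST = "192.0.2.10"
SAFE_COMMUNITY = "public"
CRAFTED_COMMUNITY = "public\nid"  # newline embedded in the community string

# Any ASCII control character (0x00-0x1F) or DEL (0x7F); covers \n, \r and NUL.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def build_snmp_shell_command(host: str, community: str) -> str:
    """Vulnerable pattern (hypothetical): the stored community string is
    interpolated into a command line that is later handed to a shell.
    Nothing here rejects or escapes a newline."""
    return f"snmpget -v2c -c {community} {host} sysDescr.0"


def shell_would_run(cmdline: str) -> list[list[str]]:
    """Model how /bin/sh tokenizes the line: a newline ends the current
    command, so each non-empty line becomes its own argv."""
    return [shlex.split(line) for line in cmdline.split("\n") if line.strip()]


def has_control_chars(value: str) -> bool:
    """Detection check: does the value contain any control character?"""
    return CONTROL_CHARS.search(value) is not None


def validate_community(value: str) -> str:
    """Input validation at the point of acceptance: refuse to store a
    community string that carries control characters at all."""
    if has_control_chars(value):
        raise ValueError("SNMP community string contains control characters")
    return value


def build_snmp_argv(host: str, community: str) -> list[str]:
    """Hardened pattern: validate first, then pass the community string as
    one argv element so no shell ever re-tokenizes it."""
    return ["snmpget", "-v2c", "-c", validate_community(community), host, "sysDescr.0"]


if __name__ == "__main__":
    # The crafted string splits the vulnerable command line into two commands.
    for argv in shell_would_run(build_snmp_shell_command(SAMPLE_HOST, CRAFTED_COMMUNITY)):
        print("shell would run:", argv)
    # The hardened path refuses the same input before it reaches storage.
    try:
        build_snmp_argv(SAMPLE_HOST, CRAFTED_COMMUNITY)
    except ValueError as exc:
        print("rejected:", exc)
    print("accepted:", build_snmp_argv(SAMPLE_HOST, SAFE_COMMUNITY))
```

The validation belongs where the community string is first accepted, not only where it is consumed: the advisory's point is that the value is stored verbatim, so any consumer that later trusts the database inherits the injected newline. Rejecting the whole control-character range, rather than just `\n`, also closes the `\r` and NUL variants of the same class.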


Remediation

Install updates from vendor's website.

External links