Input Validation Flaw in Cacti SNMP Device Configuration
CVE-2025-66399

7.4 HIGH

Key Information:

Vendor: Cacti
Status: Vendor
CVE Published: 2 December 2025

What is CVE-2025-66399?

Cacti, an open source performance and fault management framework, contains an input-validation flaw in its SNMP device configuration feature prior to version 1.2.29. The flaw allows authenticated users to save crafted SNMP community strings that include control characters. Once such a string is stored in the database, downstream SNMP tools that treat newline characters as command boundaries can misinterpret it, which can lead to unauthorized command execution with the privileges of the Cacti process. To mitigate this risk, users are advised to update to Cacti version 1.2.29 or later.
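As an added illustration (not Cacti's own code or its actual fix), the check below rejects SNMP community strings containing control characters before they reach storage, and runs the same check over stored rows to find values that were saved before validation existed. The host rows, column names and the 64-character length limit are constructed assumptions for this example.

```python
import re

# C0 control characters, DEL and C1 controls: the bytes that downstream
# SNMP tooling may read as argument or command separators (e.g. "\n").
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f-\x9f]")

# Length ceiling used by this example; an assumption, not a Cacti limit.
MAX_COMMUNITY_LEN = 64


def validate_community_string(community: str) -> tuple[bool, str]:
    """Return (ok, reason) for a community string supplied by a user."""
    if not community:
        return False, "empty community string"
    if len(community) > MAX_COMMUNITY_LEN:
        return False, f"longer than {MAX_COMMUNITY_LEN} characters"
    match = _CONTROL_CHARS.search(community)
    if match:
        # Report the code point and position so an operator can locate it.
        return False, f"control character U+{ord(match.group()):04X} at offset {match.start()}"
    return True, "ok"


def audit_stored_communities(rows):
    """Apply the same check to already-stored rows; return (id, hostname, reason)."""
    findings = []
    for row in rows:
        ok, reason = validate_community_string(row["snmp_community"])
        if not ok:
            findings.append((row["id"], row["hostname"], reason))
    return findings


# Constructed sample rows standing in for an export of the host table.
SAMPLE_ROWS = [
    {"id": 1, "hostname": "router-1", "snmp_community": "public"},
    {"id": 2, "hostname": "switch-2", "snmp_community": "r0-only\ntrailing"},
    {"id": 3, "hostname": "fw-3", "snmp_community": "ok\x00"},
]

if __name__ == "__main__":
    for finding in audit_stored_communities(SAMPLE_ROWS):
        print(finding)
```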

Affected Version(s)

cacti < 1.2.29

References

CVSS V4

Score: 7.4
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published
  • Vulnerability reserved
