CVE-2026-40079: Cacti Network Monitor Command Injection — escape_command() Is a No-Op (CVSS 9.8)

CVE: CVE-2026-40079 | CVSS: 9.8 | Vendor: Cacti | Product: Cacti Network Monitoring


What Is the Vulnerability

CVE-2026-40079 is a command injection vulnerability (CWE-88) in Cacti, the widely deployed open-source network monitoring and graphing tool. It carries the maximum severity CVSS score of 9.8 — network-exploitable, no authentication required, no user interaction, low attack complexity, and full confidentiality, integrity, and availability impact.

The root cause is remarkably simple and devastating: the escape_command() function in lib/rrd.php is a complete no-op — it returns its input entirely unchanged. Every caller of this function believes they are passing sanitized data to shell command builders, but no sanitization occurs. The command line builder then passes unsanitized user-controlled input directly to the underlying operating system shell.

Any unauthenticated attacker who can reach the Cacti web interface — a system routinely deployed in network operations centers (NOCs), ISPs, hosting providers, and data centers — can execute arbitrary operating system commands. Cacti instances typically hold SNMP community strings and credentials, network device configurations, and authenticated access to managed infrastructure. A compromise of the Cacti server is effectively a compromise of the monitoring plane for the entire network under its watch.

Versions Affected

  • Cacti version 1.2.30 and all prior versions

Exploited?

As of June 26, 2026, there is no confirmed active exploitation in the wild. However, with a 9.8 CVSS score, trivial exploitability (inject a semicolon followed by arbitrary commands), and Cacti’s prevalence in critical network operations environments, the window before widespread exploitation is expected to be measured in days, not weeks. The exploit is straightforward enough that proof-of-concept code is likely already circulating privately. Organizations should not wait for a CISA KEV addition or public PoC before acting.

Fix

The fix is a one-line change to restore the escaping logic in lib/rrd.php. The upstream commit is available at GitHub commit 4c09efa. Upgrade Cacti to a version beyond 1.2.30 that includes this patch. If upgrading is temporarily blocked, a hot-patch of the single affected function is feasible but should be treated as a stopgap — upgrade fully as soon as possible.

Recommendations

  • Upgrade immediately: Move Cacti beyond version 1.2.30. This is not a patch you defer for a maintenance window — CVSS 9.8 combined with trivial exploitability makes this a drop-everything incident for any environment running Cacti.
  • Audit RRDtool command logs: Check Cacti’s poller and RRDtool command execution logs for unusual command patterns, unexpected semicolons, pipe characters, or command substitution syntax that would indicate attempted or successful injection.
  • Restrict web interface access: Cacti’s web interface should never be reachable from the public internet. Bind it to internal management networks only, enforce IP allowlists, and require VPN + MFA for administrative access.
  • Review SNMP credential exposure: If you suspect your Cacti instance may have been reachable from untrusted networks, rotate all SNMP community strings and credentials stored in Cacti, as well as any device credentials that were accessible from the Cacti host.
  • Monitor for follow-on activity: Command injection on a monitoring server is often a stepping stone to lateral movement. Monitor the Cacti host and its management targets for anomalous authentication events and unexpected outbound connections.
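The log audit recommended above (unquoted semicolons, pipes and command substitution in RRDtool command lines) and the no-op escape defect described under "What Is the Vulnerability", as an added Python example that is not Cacti's code: the log line layout with its `RRDTOOL:` prefix and the toy `build_command`/`noop_escape` functions are assumptions constructed for illustration. The tokenizer is Python's standard `shlex` with punctuation-character splitting, so a `;` inside a quoted graph title is left alone while an unquoted one is reported.

```python
import shlex

# Shell control characters that shlex (punctuation_chars=True) returns as their own
# tokens when unquoted: command separators, pipes, redirections and subshells.
PUNCT = set("();<>|&")

def shell_metachar_findings(cmd: str) -> list[str]:
    """Return the unquoted shell control tokens found in one logged command line.
    Quoted arguments (a graph title containing ';') reach the shell as data and are
    not flagged; backticks and $( ) are flagged even inside double quotes."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    lexer.commenters = ""  # '#' is legitimate in rrdtool colour arguments, not a comment
    try:
        tokens = list(lexer)
    except ValueError as exc:  # unbalanced quoting is itself worth a look
        return [f"unparseable: {exc}"]
    return [t for t in tokens if (t and set(t) <= PUNCT) or "`" in t or "$(" in t]

def audit_rrdtool_log(log_text: str) -> list[tuple[int, list[str]]]:
    """Scan 'RRDTOOL: <command>' log lines; return (line number, findings) hits."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        _, sep, cmd = line.partition("RRDTOOL: ")
        if sep and (found := shell_metachar_findings(cmd)):
            hits.append((lineno, found))
    return hits

def build_command(args: list[str], escape) -> str:
    """Toy command builder that trusts its escape hook (illustrative, not Cacti's)."""
    return " ".join(escape(a) for a in args)

def noop_escape(s: str) -> str:
    return s  # the class of defect described above: an escape hook that does nothing

# Constructed sample log lines; the layout is an assumption made for this example.
SAMPLE_LOG = """\
06/26/2026 10:00:01 - RRDTOOL: /usr/bin/rrdtool update /var/lib/cacti/rra/router_in_42.rrd --template traffic_in N:1234567
06/26/2026 10:00:02 - RRDTOOL: /usr/bin/rrdtool graph /tmp/g.png --title "WAN uplink; site A" DEF:a=/var/lib/cacti/rra/router_in_42.rrd:traffic_in:AVERAGE
06/26/2026 10:00:03 - RRDTOOL: /usr/bin/rrdtool update /var/lib/cacti/rra/sw_7.rrd N:17; id
06/26/2026 10:00:04 - RRDTOOL: /usr/bin/rrdtool update /var/lib/cacti/rra/sw_8.rrd N:$(id)
06/26/2026 10:00:05 - RRDTOOL: /usr/bin/rrdtool update /var/lib/cacti/rra/sw_9.rrd N:`uname -a`
"""

if __name__ == "__main__":
    for lineno, found in audit_rrdtool_log(SAMPLE_LOG):
        print(f"line {lineno}: unquoted shell control tokens {found}")
    args = ["/usr/bin/rrdtool", "update", "/var/lib/cacti/rra/x.rrd", "N:1; id"]
    print(shell_metachar_findings(build_command(args, noop_escape)))  # [';']
    print(shell_metachar_findings(build_command(args, shlex.quote)))  # []
```

Lines 3 to 5 of the constructed log are reported and the quoted title on line 2 is not; the same checker shows that routing the identical argument list through a real quoting hook instead of the no-op leaves nothing for the shell to interpret.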

References

Part of the Vulnerability Intelligence series on threat-modeling.com. See the June 26, 2026 Vulnerability Intelligence Report for broader context.
