Impact
This vulnerability sits in the escape_command() function of Cacti's rrd.php module, which is a no-op: it returns the user-supplied command string unchanged. rrdtool_function_graph() builds an rrdtool command line that incorporates graph template fields such as text_format and hands the result to shell_exec(). Because nothing along that path neutralizes shell metacharacters, the result is a classic OS command injection (CWE-78), reached through argument injection in the template's text_format values (CWE-88). An attacker who can modify those template fields can therefore execute arbitrary shell commands with the privileges of the web server process. In practice that means compromise of the Cacti host at the web server's privilege level, together with everything that account can reach, such as the Cacti configuration and database.
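The following PHP is an added illustration, not Cacti's own code. It models the pattern described above, an escape function that hands its input back unchanged in front of shell_exec(), next to a hardened variant that quotes the value as a single shell argument, and adds a small scan for stored text_format values. The function names, the use of a COMMENT element as the landing place for the text, and the sample values are assumptions.

```php
<?php
// Added illustration (not Cacti's code): models the pattern the advisory
// describes, an escape function that returns its input unchanged ahead of
// shell_exec(), next to a hardened variant and a scan for stored values.
// Function names, the COMMENT element and the sample values are assumptions.

// Stand-in for the no-op behaviour described for escape_command(): the
// attacker-controlled string comes back untouched.
function escape_command_noop(string $command): string
{
    return $command;
}

// Hardened stand-in: the untrusted value becomes exactly one shell argument.
// escapeshellarg() single-quotes it and escapes embedded single quotes, so
// $( ), backticks, ;, | and redirections carry no meaning for /bin/sh.
function escape_graph_text(string $text): string
{
    return escapeshellarg($text);
}

// Assembles the fragment of an rrdtool graph command line that carries a
// template's text_format; a COMMENT element is used here as one example of
// where such text lands. $escape is the function applied to the value.
function build_graph_command(string $text_format, callable $escape): string
{
    return 'rrdtool graph - --imgformat=PNG COMMENT:' . $escape($text_format);
}

// Detection helper for stored templates: flags text_format values that carry
// command substitution or command chaining characters. Plain parentheses are
// left alone because labels such as "(bits/s)" are common; a hit still
// deserves a manual look rather than being treated as proof of compromise.
function suspicious_text_format(string $text): bool
{
    return preg_match('/\$\(|\$\{|`|[;|&<>]/', $text) === 1;
}

// Constructed sample values: the first as a user with template-edit rights
// could store it, the others benign labels for comparison.
$samples = [
    'Traffic $(id > /tmp/pwned) In',
    'Inbound traffic (bits/s)',
    'Outbound traffic',
];

foreach ($samples as $text) {
    printf("text_format: %s\n", $text);
    printf("  no-op escaping : %s\n", build_graph_command($text, 'escape_command_noop'));
    printf("  escapeshellarg : %s\n", build_graph_command($text, 'escape_graph_text'));
    printf("  suspicious     : %s\n", suspicious_text_format($text) ? 'yes' : 'no');
}
```

With the no-op path, the first sample reaches shell_exec() with its $( ) intact, so /bin/sh runs the substitution before rrdtool is even started; with escapeshellarg() the same text arrives at rrdtool as one literal argument. The scan function is meant to be run over the text_format column of stored graph template items during incident response, with any hit reviewed by hand.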
Affected Systems
Cacti versions 1.2.30 and earlier are affected; the issue is fixed in version 1.2.31 and later. Cacti is a performance and fault management framework used in many network monitoring deployments, so the affected population includes any such deployment that exposes the graph template editor to its users.
Risk and Exploitability
A CVSS score of 8.6 places the vulnerability at high severity. No EPSS score is available, but the combination of a shell_exec() call with no sanitization of the template text makes exploitation straightforward for any authenticated user who can create or edit graph templates through the web interface; a remote attacker needs such an account, or a route to one, since the description gives no indication of an unauthenticated path. The vulnerability is not listed in the CISA KEV catalog. Based on the description, successful exploitation lets that attacker run arbitrary commands on the host as the web server user, compromising the confidentiality, integrity, and availability of the Cacti server and the monitoring data it holds.
OpenCVE Enrichment