Cacti (software)

Ian Berry started the Cacti project on September 2, 2001, while working for a small ISP during high school.^[4][8] His aim was "to offer more ease of use than RRDtool and more flexibility than MRTG".^[4]

Version 0.8.6, released on September 13, 2004, attracted additional developers and brought improvements in speed and scalability.^[4][9] Version 0.8.7 followed in October 2007.^[10] A 2012 roadmap scheduled version 1.0.0 for the first quarter of 2013, but team member availability issues led to a development hiatus. Between 2012 and 2017, The Cacti Group released six point releases of the 0.8.8 series, limited to bug fixes and security patches.

The Cacti Group reorganized in early 2015 to resume work on version 1.0, which was released in January 2017.^[11] This release added multiple data collectors, user group permissions, multiple polling intervals, and site support. Version 1.2.0, released in January 2019, continued the 1.x series.^[12]

The 1.2.x branch has received regular point releases since 2019. Version 1.2.23, released in January 2023, patched a critical unauthenticated remote code execution vulnerability (see Security).^[13] Version 1.2.27 (May 2024) addressed a batch of twelve security advisories.^[14] As of March 2025, the current stable release is version 1.2.30.^[15]

Cacti uses a plugin architecture that extends the application beyond graphing into fault management, configuration management, and log analysis.^[6] Plugins hook into the Cacti framework through a registration API and can add pages, tabs, settings, and poller tasks.

The Cacti Group maintains several official plugins on GitHub:^[3]

• Thold -- threshold-based alerting with email, syslog, and SNMP trap notifications
• Syslog -- receives and stores syslog messages, with alert rules and message forwarding
• MacTrack -- MAC address and switch port tracking across network infrastructure
• Monitor -- real-time device status dashboard with up/down/recovering indicators
• Audit -- logs configuration changes made through the web interface
• Flowview -- NetFlow, sFlow, and IPFIX flow data collection and reporting
• Maint -- scheduled maintenance windows that suppress alerts during planned downtime
• Routerconfigs -- automated backup of switch and router configurations via TFTP, SSH, and Telnet
• WebSeer -- website and URL availability monitoring with response time tracking
• Intropage -- customizable dashboard landing page with system status panels
• CLog -- Cacti log viewer with filtering and tail functionality
• GExport -- automated export of graphs to static HTML pages or remote servers
• HMib -- host-level monitoring via the Host Resources MIB (CPU, memory, disk, processes)
• MikroTik -- polling and graphing for MikroTik RouterOS devices
• WeatherMap -- network topology visualization with traffic overlays

Third-party plugins are also available from community developers. The plugin architecture was introduced in version 0.8.6 and was substantially reworked for the 1.0 release.

Cacti is a PHP web application that uses MySQL or MariaDB for configuration storage and RRDtool for time-series data. The system operates on a poller cycle: at configured intervals, typically five minutes, a data collector queries monitored devices and feeds the results to RRDtool for storage. The web interface generates graphs on demand by reading from RRDtool databases.

The data model is template-driven. Data templates define what to collect (OIDs, scripts), graph templates define how to visualize collected data, and device templates associate a set of graph and data templates with a type of monitored equipment. This separation allows a single template change to propagate across all devices of that type.

In December 2022, SonarSource disclosed CVE-CVE-2022-46169, an unauthenticated remote code execution vulnerability in Cacti's remote_agent.php endpoint. The flaw combined an authentication bypass with a command injection, allowing an unauthenticated attacker to execute arbitrary commands on the host. The National Vulnerability Database assigned it a CVSS score of 9.8 (Critical).^[19][20] The Cacti Group patched the issue in version 1.2.23.

By January 2023, the Shadowserver Foundation observed active exploitation in the wild, with attackers deploying Mirai botnet malware and IRC-based botnets on compromised hosts.^[21] Scanning identified over 1,600 internet-facing Cacti instances that remained unpatched.^[21] In February 2023, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2022-46169 to its Known Exploited Vulnerabilities catalog.^[22] Exploitation continued through March 2023, with additional botnet campaigns (ShellBot, Moobot) targeting unpatched systems alongside a Realtek SDK vulnerability.^[23]

Subsequent releases have addressed additional vulnerabilities. In May 2024, version 1.2.27 patched twelve security issues, including CVE-CVE-2024-25641 (arbitrary file write, CVSS 9.1) and CVE-CVE-2024-29895 (unauthenticated command injection, CVSS 10.0, affecting the 1.3.x development branch).^[14] In January 2025, version 1.2.29 patched CVE-CVE-2025-22604, an authenticated remote code execution flaw via multi-line SNMP responses.^[15]

InfoWorld in 2006 described Cacti as a strong first step for organizations adopting network monitoring, noting its accessible interface relative to configuring RRDtool directly.^[24] Linux.com and Computer Weekly covered Cacti as a practical open-source option for network device monitoring in the mid-2000s.^[25][26] Network World included Cacti among recommended free tools for network engineers in 2022,^[27] and Opensource.com listed it among the top five open-source monitoring tools in 2019.^[28]

• Net-SNMP
• Simple Network Management Protocol
• RRDtool, the underlying data storage tool upon which Cacti is built
• MRTG, the multi-router traffic grapher that preceded RRDtool
• Comparison of network monitoring systems