A critical command injection vulnerability was discovered in the Cacti IT monitoring solution. It allows unauthenticated attackers to run arbitrary commands with the privileges of the user account under which the web server process runs. The vulnerability affects Cacti versions 1.2.22 and earlier and carries a CVSS score of 9.8. An authentication bypass vulnerability was also found that lets attackers access remote_agent.php without authorization. Both vulnerabilities were fixed with patches that validate and escape user input before it is used. The discovery highlights the importance of security on all layers and emphasizes the need for security considerations to be integrated into development practices.
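The pattern the summary describes, a request parameter that reaches a shell command without validation and the fix of validating and escaping it, can be shown in a few lines of PHP. The following is an added example written for this page; it is not Cacti's code, and the parameter name `host_id` and the script path are assumptions chosen for illustration.

```php
<?php
// Added example, not Cacti's own code. The parameter name 'host_id' and the
// script path are assumptions. It contrasts a command built from an
// unvalidated request parameter with a version that validates the type
// and escapes the argument before it can reach a shell.

// Vulnerable: the raw parameter is interpolated into the command string, so a
// value such as "17; id > /tmp/pwned" turns into a second shell command.
function build_vulnerable_command(array $request): string {
    $id = $request['host_id'];
    return "php /opt/monitor/scripts/poll.php " . $id;
}

// Hardened: accept only a non-negative integer (hard fail otherwise), then
// escape the argument anyway so the command line cannot be broken out of.
function build_hardened_command(array $request): ?string {
    if (!isset($request['host_id'])) {
        return null;
    }
    $validated = filter_var(
        $request['host_id'],
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0]]
    );
    if ($validated === false) {
        return null; // request rejected; nothing is executed
    }
    return "php /opt/monitor/scripts/poll.php " . escapeshellarg((string) $validated);
}

// Constructed inputs: a benign request and an injection attempt.
$benign    = ['host_id' => '17'];
$malicious = ['host_id' => '17; id > /tmp/pwned'];

echo build_vulnerable_command($malicious), "\n"; // payload survives intact
var_dump(build_hardened_command($malicious));    // NULL: rejected by validation
echo build_hardened_command($benign), "\n";      // php /opt/monitor/scripts/poll.php '17'
```

The integer check alone would have stopped this input, but `escapeshellarg()` is kept as a second layer so that a later change to the validation rule (for example, allowing hostnames) does not silently reopen the injection.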