Description
An authenticated remote code execution vulnerability exists in Pandora FMS version 7.0NG and earlier. The net_tools.php functionality allows authenticated users to execute arbitrary OS commands via the select_ips parameter when performing network tools operations, such as pinging. This occurs because user input is not properly sanitized before being passed to system commands, enabling command injection.
Published: 2025-07-03
Score: 8.6 High
EPSS: 71.6% High
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated user of Pandora FMS can exploit a command injection flaw in the net_tools.php module. By supplying an unescaped value to the select_ips parameter during network tool operations such as ping, the input is passed directly to system commands, allowing the attacker to execute arbitrary OS commands on the host. This gives the attacker the same privileges as the authenticated user, potentially leading to full control of the affected server, data theft, or further spread within the network.

Affected Systems

Pandora FMS (Artica ST) versions 7.0NG and earlier are impacted. The vulnerability exists in the net_tools.php component that handles ping operations. Administrators should verify the installed version and consider upgrading if it falls within the affected range.

Risk and Exploitability

The CVSS score of 8.6 classifies the flaw as high severity, and an EPSS score of 72% indicates a high probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, but its high exploitation likelihood and remote nature mean that an attacker with valid credentials can readily attack the system. The attack vector is remote over HTTP/HTTPS and requires authentication—an attacker could log in using compromised credentials or stolen session tokens and then trigger the command injection via the network tools interface.

Generated by OpenCVE AI on April 29, 2026 at 21:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Pandora FMS release that removes the vulnerable net_tools.php functionality or patches the command injection bug
  • If the patch cannot be applied immediately, disable or remove the net_tools module (or the ping feature) for authenticated users, or restrict access to the module via role‑based permissions
  • Review and tighten role‑based access controls so that only trusted administrators can access network diagnostic tools; consider treating network tools as privileged functions

Generated by OpenCVE AI on April 29, 2026 at 21:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-19903 An authenticated remote code execution vulnerability exists in Pandora FMS version 7.0NG and earlier. The net_tools.php functionality allows authenticated users to execute arbitrary OS commands via the select_ips parameter when performing network tools operations, such as pinging. This occurs because user input is not properly sanitized before being passed to system commands, enabling command injection.
History

Wed, 19 Nov 2025 12:30:00 +0000

Type Values Removed Values Added
First Time appeared Artica
Artica pandora Fms
CPEs cpe:2.3:a:artica:pandora_fms:*:*:*:*:*:*:*:*
Vendors & Products Artica
Artica pandora Fms

Tue, 16 Sep 2025 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Pandorafms
Pandorafms pandora Fms
CPEs cpe:2.3:a:pandorafms:pandora_fms:*:*:*:*:*:*:*:*
Vendors & Products Pandorafms
Pandorafms pandora Fms
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Mon, 07 Jul 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 03 Jul 2025 20:00:00 +0000

Type Values Removed Values Added
Description An authenticated remote code execution vulnerability exists in Pandora FMS version 7.0NG and earlier. The net_tools.php functionality allows authenticated users to execute arbitrary OS commands via the select_ips parameter when performing network tools operations, such as pinging. This occurs because user input is not properly sanitized before being passed to system commands, enabling command injection.
Title Pandora FMS Authenticated Remote Code Execution via Ping Module
Weaknesses CWE-78
References
Metrics cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Artica Pandora Fms
Pandora Fms Pandora Fms
Pandorafms Pandora Fms
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-07T14:09:23.629Z

Reserved: 2025-04-15T19:15:22.551Z

Link: CVE-2025-34088

cve-icon Vulnrichment

Updated: 2025-07-07T19:06:17.226Z

cve-icon NVD

Status : Analyzed

Published: 2025-07-03T20:15:23.007

Modified: 2025-09-16T19:44:41.263

Link: CVE-2025-34088

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T21:15:16Z

Weaknesses