Cyber Resilience

CVE-2022-1648

Medium

Published: 26 July 2022

Modified: 21 November 2024
KEV Added: not listed (see Summary)
Patch: (no date given)
CVSS Score v3.1: 5.7 (CVSS:3.1/AV:P/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L)
EPSS Score: 0.0278 (86.4th percentile)
Risk Priority: 13 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-1648 is a medium-severity Relative Path Traversal (CWE-23) vulnerability in Pandora FMS (vendor Pandora FMS). Its CVSS v3.1 base score is 5.7 (Medium).

Operationally, its EPSS score places it in the top 13.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

Pandora FMS versions 7.0NG.760 and below contain a relative path traversal flaw in the File Manager component, identified as CVE-2022-1648 and categorized under both CWE-23 and CWE-22. The defect allows a privileged user to upload a .php file outside the intended images directory. That directory is the one restricted so that uploaded PHP files are not executed, so writing elsewhere circumvents the restriction and can let the uploaded code run with the privileges of the application.

An attacker who already holds high privileges, has physical access to the system and can rely on the required user interaction can use the path traversal to upload and trigger arbitrary PHP code, achieving remote code execution. The vulnerability is rated 5.7 under CVSS 3.1 with the vector AV:P/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L.

Vendor and coordinated advisories published by Pandora FMS and INCIBE describe the issue and are available at the listed reference URLs. The associated EPSS score rose from a low baseline to a peak of 0.1086 on 2025-01-22 before receding to the current value of 0.0278.

EU & UK References

Vulnerability details

Pandora FMS v7.0NG.760 and below allows a relative path traversal in File Manager where a privileged user could upload a .php file outside the intended images directory which is restricted to execute the .php file. The impact could lead to a Remote Code Execution with running application privilege.

CWE(s)

CWE-23 (Relative Path Traversal), CWE-22 (Improper Limitation of a Pathname to a Restricted Directory)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: pandorafms
Product: pandora fms
Versions: ≤ 7.0_ng_760 (7.0NG.760 and below)

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Pathname validation (addresses CWE-22): validates pathnames and filenames to prevent traversal outside intended directories.
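As an added illustration of that control (example code written for this page, not Pandora FMS code and not taken from the advisories; the images directory, the symlink and the file names are constructed), the following Python checks an upload name against the three properties CVE-2022-1648 shows matter: the name carries no directory component, the extension is on an image allowlist rather than a PHP denylist, and the resolved destination (symlinks followed) still lies inside the images directory.

```python
"""
Upload destination validation keeping a file inside the intended directory.
Added example for the CWE-22 / CWE-23 control above; not project code.
"""
import tempfile
from pathlib import Path

# Allowlist of image types permitted in the images directory.
ALLOWED_SUFFIXES = {".png", ".jpg", ".jpeg", ".gif", ".svg"}


class UnsafeUploadPath(ValueError):
    """Raised when a requested upload name would escape the images directory."""


def safe_upload_path(images_dir: str, requested_name: str) -> Path:
    """Return the absolute destination for an upload, or raise UnsafeUploadPath.

    Checks, in order:
      1. the name has no directory component (no '/', '\\', NUL, '.' or '..'),
      2. every extension in the name is on the image allowlist,
      3. the resolved path (symlinks followed) is still inside images_dir.
    """
    if not requested_name or "\x00" in requested_name:
        raise UnsafeUploadPath("empty name or embedded NUL")
    # Any separator or dot-dot segment means the client tried to pick a
    # directory, which an upload may never do (the CWE-23 case).
    if "/" in requested_name or "\\" in requested_name or requested_name in (".", ".."):
        raise UnsafeUploadPath(f"directory component in {requested_name!r}")
    # All suffixes must be allowed: 'shell.php.png' is rejected, because some
    # web servers act on every extension in a name, not only the last one.
    suffixes = [s.lower() for s in Path(requested_name).suffixes]
    if not suffixes or any(s not in ALLOWED_SUFFIXES for s in suffixes):
        raise UnsafeUploadPath(f"extension(s) {suffixes!r} not allowed")
    base = Path(images_dir).resolve()
    candidate = (base / requested_name).resolve()
    # resolve() follows symlinks, so a symlinked entry inside images_dir that
    # points elsewhere is caught here: its real parent is no longer base.
    if base not in candidate.parents:
        raise UnsafeUploadPath(f"{requested_name!r} resolves outside {base}")
    return candidate


def is_safe(images_dir: str, requested_name: str) -> bool:
    """Boolean wrapper used for the demonstration below."""
    try:
        safe_upload_path(images_dir, requested_name)
        return True
    except UnsafeUploadPath:
        return False


def demo() -> dict:
    """Run the check over constructed names in a scratch images directory."""
    with tempfile.TemporaryDirectory() as tmp:
        images = Path(tmp) / "images"
        images.mkdir()
        names = [
            "logo.png",                  # ordinary image: accepted
            "shell.php",                 # executable extension: rejected
            "shell.php.png",             # double extension: rejected
            "../../include/shell.php",   # relative traversal: rejected
            "..\\..\\shell.png",         # backslash variant: rejected
            ".htaccess",                 # no image suffix: rejected
        ]
        try:
            # Constructed hazard: a symlink inside images/ pointing outside it.
            (images / "link.png").symlink_to(Path(tmp) / "outside.png")
            names.append("link.png")     # escapes via symlink: rejected
        except OSError:
            pass                         # platform without symlink support
        return {n: is_safe(str(images), n) for n in names}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{'ACCEPT' if ok else 'REJECT'}  {name!r}")
```

The allowlist replaces the "don't execute .php in this directory" posture with "only images may be written here at all", so the check holds even if the web server's handler configuration for the directory is later changed; the resolve-then-compare step is what defeats both `..` segments and symlinked entries.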

References