CVE-2022-1648
Published: 26 July 2022
Summary
CVE-2022-1648 is a medium-severity Relative Path Traversal (CWE-23) vulnerability in Pandorafms Pandora Fms. Its CVSS base score is 5.7 (Medium).
Operationally, ranked in the top 13.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Pandora FMS versions 7.0NG.760 and below contain a relative path traversal flaw in the File Manager component, identified as CVE-2022-1648 and also categorized under CWE-23 and CWE-22. The defect allows a privileged user to upload a .php file outside the intended images directory, circumventing the restriction that prevents execution of uploaded PHP files and potentially enabling code to run with the privileges of the application.
An attacker who already possesses high privileges, physical access to the system, and the ability to perform user interaction can leverage the path traversal to upload and trigger arbitrary PHP code, achieving remote code execution. The vulnerability is rated 5.7 under CVSS 3.1 with the vector AV:P/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L.
Vendor and coordinated advisories published by Pandora FMS and INCIBE describe the issue and are available at the listed reference URLs. The associated EPSS score rose from a low baseline to a peak of 0.1086 on 2025-01-22 before receding to the current value of 0.0278.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-24935
- 🇪🇸 INCIBE: www.incibe.es
Vulnerability details
Pandora FMS v7.0NG.760 and below allows a relative path traversal in File Manager where a privileged user could upload a .php file outside the intended images directory which is restricted to execute the .php file. The impact could lead to…
more
a Remote Code Execution with running application privilege.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.